U-Michigan professor appointed to FDA medical device security post

A Q&A with Kevin Fu, who will help protect software that saves lives at the FDA’s Center for Devices and Radiological Health.

There’s a good chance that your life will at some point depend on a piece of computer software. Lines of code drive pacemakers, insulin pumps, hospital imaging machines and just about every other electronic medical device that’s manufactured today. But where there’s software, there are hackers. And a steady stream of hospital ransomware attacks and other malicious activities have shown that medical devices are not immune to attack. University of Michigan computer science researcher Kevin Fu is joining the U.S. Food and Drug Administration in their ongoing efforts to ensure the safety and effectiveness of medical devices.

Fu has been named acting director of medical device cybersecurity in the FDA’s Center for Devices and Radiological Health. In the newly created 12-month post that began January 1, he’ll work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.

Fu, an associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, is the founder of the Archimedes Center for Medical Device Security. He has long been both a leading researcher and an outspoken advocate for medical device security. As an acting director, he’ll retain his U-M appointment. 

Electronics have been part of medical devices for years now. Has something changed that calls for additional security today? 

Today’s medical devices rely on software and the cloud to a much greater extent than they did even a few years ago. Virtually all medical devices depend on software, which wears out much faster than mechanical components. Updating legacy medical device software is a huge challenge.

The other big game changer is that today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day.

So we need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.

What is the industry doing to address the threats?

There are many manufacturers working hard to design medical devices with established computer security engineering principles, but I’d say it’s more the exception than the rule. A lot of medical device manufacturers have a difficult time grappling with computer security risks.

Manufacturer C-suites need to better understand and appreciate the value of cybersecurity early in the design of medical devices. There are so many different constituencies needed in the early design stage. You have legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. Yet today, medical devices rely on extremely complicated software systems that do not necessarily follow the fundamental principles of information security and privacy we teach at U-M. 

When security experts are brought in late in the game, the design vulnerabilities are already baked into the devices. In my opinion, medical devices today need meaningful cybersecurity beginning with requirements and design. Otherwise—do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device.

I have a strong track record of helping different constituencies in the medical device manufacturing community work together to mitigate computer security problems. In my Security and Privacy Research Group Lab, we publish research in top journals. We work alongside clinicians, biomedical engineers and IT professionals in hospitals.We find novel security flaws and we innovate creative technical defenses. We create companies. I served on federal advisory committees and advise government scientists and policy makers. I created programs for diversity, equity and inclusion. I intend to leverage these experiences in my new role at FDA.

Do you think digital security experts need to be thinking differently about how their field fits into the big picture?

They absolutely do, and a lot of the responsibility for making that happen lies with educators like me. Whether for manufacturers of the Internet of Things or medical devices, we’re not providing the necessary level of security engineering training that companies need. Today’s graduates are often very good at finding vulnerabilities, but they also need university-level, interdisciplinary training in how to engineer embedded systems to withstand an adversary.

The world needs five-year academic programs that combine biomedical engineering, software engineering and public policy to culminate with a master’s degree. Within software engineering, students must master advanced topics such as principles of protecting computer systems. Academic programs to produce future experts must be rigorous and world-class, and the foundation must be more than a part-time certificate program.

We also need to teach students by example how to work effectively with experts outside the computer science field. For instance, I bring my graduate students into live surgeries so they learn how software directly affects patient care.

How can we do a better job of teaching students to work across disciplines?

One thing I’d like to implement post-COVID is a program of interdisciplinary brick-and-mortar teams that brings together students and clinicians from different fields and even different universities with Internet of Things cybersecurity represented at the table. Several universities have interesting programs to bring together engineers and physicians to innovate new medical devices. 

We can learn a lot from the approaches at the Frankel Innovation Initiative at U-M, the Earl Bakken Medical Devices Center at the University of Minnesota, the Johns Hopkins Center for Bioengineering Innovation and Design, the Biodesign Innovation Fellowships at the Stanford Byers Center and the Medical Electronic Device Realization Center at MIT. The programs often integrate engineers, medical device experts, physicians and others in year-long immersive experiences. Because software cybersecurity is so fundamental for medical device safety, a successful academic medical device innovation program must introduce teams to the basic principles of software security engineering.  

Right now, though, I’m focused on medical device safety. I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.