FRIDAY Q&A: Former FDA director of cybersecurity for medical devices says more investment in staffing is needed


Long before he joined the Food and Drug Administration, Kevin Fu was alerting officials to the need to improve the security of medical devices. Fu recently served as the Food and Drug Administration’s first acting director of medical device cybersecurity, where he helped build draft guidance outlining how manufacturers should address security in premarket submissions, and how they should maintain these devices throughout the life of a product.

After leaving the agency in May, Fu returned to the University of Michigan as an assistant professor of electrical engineering and computer science. His focus is now on helping universities integrate security into biomedical engineering programs, and building the cybersecurity workforce that medical device companies and regulators will need in the future.

From his perspective as a professor, he spoke about staffing needs, changing cybersecurity threats and how medical device companies can prepare.

This interview has been edited for length and clarity.

MEDTECH DIVE: What is your overall vision for cybersecurity?

Kevin Fu: How can we take advantage of good engineering and organizational science to build security into medical devices rather than enhance security after the fact? The reason for this is safety and efficacy. It is almost impossible to have a secure and efficient device without proper cybersecurity in this day and age.

In your previous role, did medical device companies take cybersecurity into consideration in their applications?

It’s like a classroom: you have your first-class students and then you get C and D students. I don’t think there is any single correct generalization. I think you will find some leaders, you will find some followers and you will still find some deniers, but this group is getting smaller by the day.

Part of that is realizing that this is not a default. This is not a theoretical problem anymore. Twenty years ago, when a few of us, including myself, were working on this, it was very theoretical, and we were a little ahead of our time.

Today, you see internal health systems down due to cybersecurity issues, and radiotherapy devices unavailable for weeks due to cybersecurity threats.

I’ve seen kind of reckless terms and also, wow, that’s a really nice risk-mitigating approach. The difference is that you can sense when the manufacturer puts some quality time into security engineering requirements and threat modeling.

For companies that are struggling now, my message to them is that there is hope for improvement, but you have to choose to improve.

How many people have some knowledge of both cybersecurity and medical devices?

There are medical device security experts for IT and then there are OT [Operational Technology] cybersecurity experts for medical devices. Existing education systems are designed fairly well to produce IT security experts. On the other side of the house, I think it needs some heavy national investment in terms of setting up new educational programs to help not only manufacturers, but also regulators and healthcare delivery organizations to access this specially trained talent.

I would say it’s kind of a difference between a motorist and a motorist. We currently have a shortfall, in my view, of security designers, and it takes a lot of time and investment on the student’s part to learn these skills. For this reason, you see manufacturers as well as regulators doing in-house training, where they take someone who is a safety expert or expert in medical device design, and then teach them security engineering.

Does the FDA have enough budget and staff to conduct an adequate cybersecurity review?

At the end of the day, budgets matter, because that translates to headcount, which translates to speed, and how quickly the agency responds.

So in pre-market it is very important to have staff available to interact with things like Q-Sub [pre-submissions] and 510(k) reviews. Then there is the post-market aspect where there is an incident, and you need insiders who are familiar with managing the risk of a security incident to coordinate with too many stakeholders.

The FDA is fortunate to have some great people on its cybersecurity team. However, for the most part, all cybersecurity experts are partial. They all have other really important duties. There are very few people who are completely devoted in terms of the time allowed to cybersecurity. So I think it’s really important to fund the FDA’s OT cybersecurity activities, because if there are two simultaneous cybersecurity incidents in the future, and there is no budget for the cybersecurity personnel already in place, it will create some real challenges.
