Long before he joined the Food and Drug Administration, Kevin Fu was alerting officials to the need to improve the safety of medical devices. Fu recently served as the Food and Drug Administration’s first acting director of medical device cybersecurity, where he helped build draft guidance outlining how manufacturers should address security in pre-market offerings, and how they should maintain these devices throughout the life of a product.
After leaving the agency in May, Fu returned to the University of Michigan as an assistant professor of electrical engineering and computer science. His focus is now on helping universities integrate security into biomedical engineering programs, and building the cybersecurity workforce that medical device companies and regulators will need in the future.
From his perspective as a professor, he spoke about staffing needs, changing cybersecurity threats and how medical device companies can prepare.
This interview has been edited for length and clarity.
MEDTECH DIVE: What is your overall vision for cybersecurity?
Kevin Fu: How can we take advantage of good engineering and organizational science to build security in medical devices rather than enhance security after the fact? The reason for this is safety and efficacy. It is almost impossible to have a secure and efficient device without proper cyber security in this day and age.
In your previous role, did medical device companies take cybersecurity into consideration in their applications?
It’s like a classroom, you have your first class students and then you get C and D students. I don’t think there is any single correct generalization. I think you will find some leaders, you will find some followers and you will still find some deniers, but this group is getting smaller by the day.
Part of that is realizing that this is not a default. This is not a theoretical problem anymore. Twenty years ago, when a few of us, including myself, were working on this, it was very theoretical, and we were a little ahead of our time.
Today, you see internal health systems down due to cybersecurity issues, and radiotherapy devices unavailable for weeks due to cybersecurity threats.
I’ve seen kind of reckless terms and also, wow, that’s a really nice risk-mitigating approach. The difference is that you can sense when the manufacturer puts some quality time into security engineering requirements and threat modeling.
For companies that are struggling now, my message to them is that there is hope for improvement, but you have to choose to improve.
How many people have some knowledge of both cybersecurity and medical devices?
There are medical device security experts for IT and then there are OT [Operational Technology] Cyber security experts for medical devices. Existing education systems are designed fairly well to produce IT security experts. On the other side of the house, I think it needs some heavy national investment in terms of setting up new educational programs to help not only manufacturers, but also regulators and healthcare delivery organizations to access this specially trained talent.
I would say it’s kind of a difference between a motorist and a motorist. We currently have a shortfall, in my view, of security designers, and it takes a lot of time and investment on the student’s part to learn these skills. For this reason, you see manufacturers as well as regulators doing in-house training, where they take someone who is a safety expert or expert in medical device design, and then teach them security engineering.
Does the FDA have enough budget and staff to conduct an adequate cybersecurity review?
At the end of the day, budgets matter, because that translates to headcount, which translates to speed, and how quickly the agency responds.
So in pre-market it is very important to have staff available to interact with things like Q-Sub [pre-submissions] and 510(k) reviews. Then there is the post-market aspect where there is an incident, and you need insiders who are familiar with managing the risk of a security incident to coordinate with too many stakeholders.
FDA, they are fortunate to have some great people on their cybersecurity team. However, for the most part, all cybersecurity experts are partial. They all have other really important duties. There are very few people who are completely devoted in terms of the time allowed to cybersecurity. So I think it’s really important to fund the FDA’s OT cybersecurity activities, because if there are two simultaneous cybersecurity incidents in the future, and there is no budget for the cybersecurity personnel already in place, it will create some real challenges.
We have seen a lot of ransomware attacks on hospitals in the past few years. Do you see any attacks specifically targeting medical devices?
If you were one of the organized crime units that used ransomware, what would you do? You go where the money is. And there are known weaknesses in IT systems, so unfortunately they are too ripe for selection. This is not to say that no one is going after a particular medical device, but I haven’t seen that.
We don’t know what the future holds. So we need our systems to be secure and smart, even if threats change, because they do. Ten years ago, we weren’t talking about ransomware. We were talking about hacking ordinary malware into a computer virus.
If we make, design and market a medical device today, some of those devices will be in active use for 10 or 20 years, so they have to be smart enough to adapt to a changing threat landscape.
I’ve talked about device security design starting with the threat model. How does this work?
Let me start by defining what it isn’t. It’s not just about buying a safety product. It’s about making your assumptions about threats clear, so that when you later try to prove that your medical device is safe, effective, and has adequate cyber security, you can associate it with something coherent and repeatable.
If a company says something like, “Well, we were never attacked, so we don’t have to worry about security,” and they put that in the Threat Forms section of their 510(k) or [Premarket Approval application], this would likely be a desktop refusal. This is not a threat model – this is just faith.
You’ve also seen examples of threat models for networked medical devices, which are very common, and you might see a comment like, “We’re asking the hospital to put this medical device on a secure hospital network.” At first glance, you might think this seems reasonable. But if you look at the bottom, it doesn’t actually make sense. There is no such thing as a secure hospital network. That’s the problem.
In my opinion, the threat model will always start with it [the assumption] that the opponent can control the network. They can drop your internet packets, they can modify your internet packets, they can restart your internet packets, they can see all your traffic. And so I always advise designing your system to be both secure and efficient, even if the adversary is connected to your network.
There have been some indications in the past among hospitals and manufacturers that it is their responsibility to keep the device safe. Is this changing?
Security is a shared responsibility. No one party is 100% exempt from liability. However, at the end of the day, the entity that will design the security system is the manufacturer.
And the draft directive is pretty clear, it expects the hardware to be inspectable and upgradable. I would say the contention now is to make sure the devices are accessible.
Now, it is also true that there are different types of health systems. There will be some systems that don’t even have an IT department. And so it can be very difficult for a manufacturer to work with this diversity of capabilities.
At the end of the day, patches do have to be applied, but this is a tricky space that is still being worked out at the moment. For example, if a manufacturer provides a patch, who is responsible for making sure it is installed?
You know, if I have a water leak, and the plumber says, “I have to install this pipe,” you don’t just leave the pipe out the door and say, “Okay, have a nice day.” There must be some cooperation.
The House passed a piece of cybersecurity legislation, which requires the Food and Drug Administration to review the cybersecurity of medical devices. What do you think of the bill?
In my opinion, the Patch Act is so important to improving the cybersecurity of medical devices, it’s very rare that I find legislation that I think is written in such a way that it is technology-neutral, smart, and useful. I certainly hope that the legislation will see the light of day.