The U.S. Food and Drug Administration (FDA) announced that the newly created post of Acting Director of Medical Device Security has been filled by Kevin Fu, a University of Michigan associate professor and founder of the Archimedes Center for Medical Device Security. Fu, who was appointed for a one-year term, is expected to “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”1 The creation of the position reflects the FDA's ongoing efforts to ensure the safety and effectiveness of medical devices such as insulin pumps, pacemakers and hospital imaging machines. These devices, which increasingly rely on software and the cloud to operate, are particularly vulnerable to threat actors targeting hospitals and other medical providers with ransomware and other attacks. Such attacks have been on the rise, particularly given the shift to telehealth and remote operation of medical devices in the wake of COVID-19.
Medical device manufacturers can anticipate updated draft guidance on best practices in 2021. The FDA released previous guidance in October 2018.2 Fu has also outlined his anticipated primary activities as the Acting Director of Medical Device Security during 2021:
- Envisioning a strategic roadmap for the future state of medical device cybersecurity.
- Assessing opportunities to fully integrate cybersecurity principles through the lens of the center's total product life cycle model.
- Training and mentoring the FDA's Center for Devices and Radiological Health staff for premarket and postmarket technical review of medical device cybersecurity.
- Engaging multiple stakeholders across the medical device and cybersecurity ecosystems.
- Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology (NIST), National Science Foundation (NSF), National Security Agency (NSA), Department of Health and Human Services (HHS), National Telecommunications and Information Administration (NTIA), Cybersecurity and Infrastructure Security Agency (CISA), Department of Veterans Affairs (DVA), Department of Defense (DOD), Federal Trade Commission (FTC) and others. 3
Fu has separately urged that entities should involve security experts from the beginning of the design process for a new device and has encouraged companies to bring legacy medtech devices up to speed with the latest cybersecurity protections. Fu noted that the FDA will be working closely with the HHS and CISA on sector incident and emergency response.
Originally Published by Akin Gump, March 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.