The Food & Drug Administration has appointed University of Michigan computer science researcher Kevin Fu to serve as the agency's Acting Director of Medical Device Cybersecurity. The newly created position in the FDA’s Center for Devices and Radiological Health, is currently a 12-month post, beginning Jan. 1.
Medical device security is a challenge for healthcare organizations and for manufacturers making those devices. There are many people involved in designing medical devices--legal experts, engineers, patients, and clinicians--but software security experts are typically not at the table, Fu said recently, noting that design vulnerabilities are already baked in by the time security experts are brought in. While there are manufacturers designing medical devices with established computer security engineering principles, those organizations are "more the exception than the rule," Fu said. As acting director, Fu will lead the FDA’s efforts to ensure the safety and effectiveness of medical devices such as pacemakers, insulin pumps, and other devices.
[We] need to be vigilant in making sure that all of our medical devices have a basic level of security built in," Fu said. "Medical devices must remain safe and effective despite cybersecurity risks.
The attack surface for healthcare organizations are broader, as cloud-based applications, cloud platforms, and the Internet of Things are increasingly being used in the medical setting, such as maintaining patient records, collecting diagnostic information, and delivering care (dispensing medication). Many of the devices are based on legacy platforms, and virtually all medical devices depend on software. Researchers are identifying more vulnerabilities in the software these applications and devices. Updating software is critical to ensuring the devices continue to function safely.
One of Fu’s primary roles would be working with manufacturers to implement controls that would help protect medical devices from digital security threats. The National Institute of Standards and Technology (NIST) opened the comment period for four draft publications defining cybersecurity requirements for the Internet of Things (comment period has been extended to Feb. 26) in December. The FDA's move comes at the right time because manufacturers need to figure out how to incorporate security principles into their design and build processes, said Curtis Simpson, CISO of IoT security company Armis. The FDA now has a person dedicated to medical devices security who would be able to work with public and private sector organizations to figure out how to implement NIST requirements and validate the security controls.
"I was worried how we were going to execute" these NIST rules, but the FDA “hired someone who lives and breathes” medical device security, Simpson said.
An associate professor of electrical engineering and computer science at the University of Michigan and a Dwight E. Harken Memorial Lecturer, Fu is also the founder and chief scientist of the Archimedes Center for Medical Device Security. Fu co-authored the 2008 paper on security vulnerabilities in implantable cardiac defibrillators (ICDs) that highlighted the possibility of malicious attacks on connected medical devices. Fu understands both the challenges manufacturers face as they build in security controls and figure out ways to update the software as well as the difficulties healthcare organizations have trying to recertify devices every time something changed, Simpson said.
The FDA will be updating its premarket cybersecurity guidance and guidance on the content of premarket submissions for software contained in medical devices. The FDA also now has the technical expertise to increase the level of scrutiny to premarket product evaluations and facility inspections.
[Medical devices today need meaningful cybersecurity beginning with requirements and design," Fu said. "Otherwise—do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device.
Previously, healthcare organizations replaced devices when the mechanical components stopped working. The growing use of software in these devices means the devices would need regular maintenance and repair even when the hardware is still working. Healthcare organizations have to incorporate patching as part of managing medical equipment.
Having someone in charge of medical device security would have a "domino effect," Simpson said. With the NIST guidelines published, and the FDA working with manufacturers on how to implement the rules, there will be a minimum set of requirements that will be in place. The FDA evaluates devices before they are approved to be sold. Manufacturers are not going to have two processes and maintain two sets of requirements—one to develop devices that the government will buy (as part of its role delivering healthcare, such as through the Veterans Health Administration) and one for private healthcare organizations to buy. The private sector will benefit from the FDA and NIST moving forward with defining and setting a baseline for what medical devices need to have in order to be safe and secure.
Even just getting to the point where there is a common patching protocol and an agreement on the minimum requirements that needs to be present in medical devices would be "panacea," Simpson said.