In this excerpt from Market Pathways' wide-ranging conversation with Kevin Fu, the first Acting Director of Medtech Cybersecurity for FDA/CDRH, Fu lays out his priorities for his one-year term and looks back to his role in raising awareness of device cybersecurity threats.
Market Pathways: Let’s talk about your new position at FDA as the Acting Director of Medtech Cybersecurity within CDRH. Industry executives were generally encouraged that the agency created this position and gave you the job. At the same time, that optimism is somewhat tempered by the fact that this is a one-year position with an acting title. Will this become a permanent position either for you or for someone else? And walk us through the specific responsibilities and goals you have for this job.
Kevin Fu: My position is scheduled for one year, that is correct. The FDA does intend to fill the position with a permanent person at some point, so I don’t think you’re going to be seeing this disappear after one year. But certainly, I’m focused on this particular calendar year, getting things set up in a healthy manner, effectively guiding an aircraft carrier in the right direction for long-term prosperity.
Let me start by identifying my priorities for the year. I have five major priority areas, but the ones that are probably of most interest to your readership would be some of the activities I’m doing with training and mentoring of CDRH staff on pre- and postmarket reviewing for submissions. One of my goals is to help bring even more consistency to the reviewing process when it comes to computer security in medical device submissions. As part of that, I’m exposing the reviewers to a lot of the concepts from the science and engineering of computer security. I’ve taught computer security since around 2001, teaching thousands of students, and I’m trying to integrate that to the best of my abilities in exposing those concepts and ideas internally to the people at FDA. That’s probably one thing that the manufacturers will benefit from the most, seeing increased consistency with respect to computer security in the submission process.
You're also going to see me quite visible externally in messaging FDA expectations for computer security—FDA has denied 510(k) applications solely for deficiencies in cybersecurity. What I would really like to see are submissions reaching a level where they have followed the premarket guidance for having meaningful computer security built into their devices from the get-go.
Market Pathways: Many in the public, and I think even some in the industry, had their eyes really opened to the cybersecurity threat to medical devices by the infamous Homeland TV series episode in 2012, where they externally hacked the vice president’s pacemaker. That seems to coincide with the timeframe of your work at MIT and the launch of the Archimedes Center. Is that timing purely coincidental or does it represent an awakening or evolution in the medtech industry’s growing awareness of the cybersecurity threat?
Kevin Fu: First of all, on that show you mentioned, it’s interesting how the problem got dramatized. The New York Times interviewed the producers of Homeland, and the producers said they used our research paper to write their plot. So if you search The New York Times, you’ll find an old article explaining how they took our research paper and turned it into a show.
But regarding the last 10 years, I would say the biggest evolution is the willingness to speak more openly about the problems. You can think of the stages of grief. In the beginning, when I was a junior professor, I sensed quite a bit of denial in the industry. A summary of a typical interaction 10 years ago would have been, ‘We don’t need to worry about computer security.’ Today it’s considered table stakes. It’s not optional. In fact, FDA quite publicly has noted that 510(k) applications have been not cleared specifically because of the cybersecurity issue. So it’s out in the open. It’s quite public.
I would say there's a lot of variation. You will find some companies investing quite a bit in computer security, but I think we have a long way to go to get more uniform properties of cybersecurity. And that's important because cybersecurity is part of safety, and you can't have a safe medical device if it doesn’t have the appropriate cybersecurity properties.