In the last decade, cybersecurity has gone from a regulatory afterthought to a concern that is front and center for Congress, FDA, and governing bodies globally with significant legislation and guidance documents being issued in an effort to stem the rising tide of healthcare cyberattacks. Here we continue our dialogue with Kevin Fu, who was FDA’s first medtech cyber czar, about what the device industry needs to know about new policy proposals to remain vigilant against this global threat.
We have gotten so accustomed to hearing about cybersecurity threats in all aspects of society that it is easy to forget that, for the device industry, it was just 10 years ago that the FDA first assigned staff to begin working on the cyber threat in medtech. Since that time, the threat has grown exponentially in all fields with healthcare among the leading areas being targeted. Threats have shifted from lone-wolf hackers to sophisticated state actors using ransomware against all levels within the healthcare delivery system from large and small hospitals to doctors’ offices and, of course, product companies. Today cyber protections are a critical component of FDA product submissions with the agency having denied 510(k) applications that either fail to include such protections or in which the protections included are deemed inadequate.
To provide a sense of the scope of the cyber problem in healthcare, a recent National Public Radio (NPR) piece by Farah Yousry from NPR’s health reporting partnership with Side Effects Public Media and KFF Health News, pointed out that cyberattacks on US healthcare facilities more than doubled between 2016 and 2022. The article also noted that ransom payments by hospitals are the highest paid by any industry, averaging $10 million per incident. The result, according to an executive at a rural Indiana hospital that was the target of a cyberattack: “We are investing so much in cybersecurity right now that I don’t know how small hospitals will be able to afford [to operate] much longer.”
That article was posted on LinkedIn (where you can read the piece in its entirety) by Kevin Fu, PhD, who is back with us for this interview, having previously sat down with Market Pathways both for an article and as a keynote speaker at our San Francisco Innovation Summit in 2022. (See “FDA Targets Cybersecurity: An Interview with Kevin Fu, the First Device Cyber Czar,” Market Pathways, March 24, 2021.)