- FDA has named Kevin Fu, a University of Michigan associate professor, to serve a one-year term as acting director of medical device cybersecurity at the agency's Center for Devices and Radiological Health.
- The longtime security advocate and researcher will serve as an "expert in residence" and the FDA's first medical device cyber chief in CDRH's Office of Strategic Partnerships and Technology Innovation. His role also includes an appointment with the Digital Health Center of Excellence, which was launched in September to better coordinate policy and regulatory approaches tailored for the fast-growing technologies.
- Cybersecurity experts applauded the appointment. Chris Gates, director of product security at medical device engineering firm Velentium, said Fu can help FDA make significant progress on the regulatory front in 2021 with release of the second draft of the premarket cybersecurity guidance, and potentially a new draft of postmarket cyber guidance.
FDA in 2018 released its Medical Device Safety Action Plan and draft guidance on cybersecurity considerations for premarket submissions. However, since then, the agency has made little progress on the cyber regulatory front, especially last year as FDA's medical device priorities were disrupted by the COVID-19 pandemic.
Making matters worse, cyber experts contend the chaos of the coronavirus public health crisis has created the perfect storm for hackers to exploit medical device vulnerabilities, which are potentially easy targets for cybercriminals who see them as entry points into hospital networks.
However, cyber experts see Fu's appointment as FDA's first medical device cybersecurity chief as an indication that the agency is looking to make cyber a priority in 2021.
Velentium's Gates described Fu as an academic who "gets" cybersecurity while bringing an innate ability to easily communicate complex cyber topics to lay audiences.
"I can't think of a better person to fill this role. Not only does he understand all aspects of medical device cybersecurity, but his background spans both small embedded 'resource constrained' devices as well as PC-based devices," Gates said.
With Fu's appointment, Gates sees 2021 as being a potentially major year for FDA cybersecurity initiatives that stalled last year during the pandemic.
Looking ahead, 2021 will be more of a reset as the center looks to both manage coronavirus response-oriented work and move forward with projects unrelated to COVID-19, Jeff Shuren, director of CDRH, said in December.
Suzanne Schwartz, director of CDRH's Office of Strategic Partnerships and Technology Innovation, said in a written statement Monday that Fu's academic background and real-world experience combined with "sound" FDA regulatory approaches will "make a potent combination to further advance medical device cybersecurity along with innovation and patient safety in a holistic manner."
While cyber experts and law enforcement have been raising the red flag for years about the security vulnerabilities of networked medical devices, Nick Yuran, CEO of cybersecurity consultancy Harbor Labs, contends that as the computing and networking technologies in devices have grown increasingly more sophisticated, FDA regulatory policy has become critically important to address these vulnerabilities.
"Creating this new position and bringing someone of Kevin Fu's caliber into the FDA is testimony to the expanding importance regulators are placing on medical device security," Yuran said.