The U.S. Food and Drug Administration (FDA) named University of Michigan Associate Professor Kevin Fu Acting Director of Medical Device Security in its Center for Devices and Radiological Health. This is a newly created 12-month post in which Fu will “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” Fu stated that his primary activities will include

  • Envisioning a strategic roadmap for the future state of medical device cybersecurity.
  • Assessing opportunities to fully integrate cybersecurity principles through the lens of the center’s total product life cycle model.
  • Training and mentoring CDRH staff for premarket and postmarket technical review of medical device cybersecurity.
  • Engaging multiple stakeholders across the medical device and cybersecurity ecosystems.
  • Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology, National Science Foundation, National Security Agency, Department of Health and Human Services, National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency, Department of Veterans Affairs, Department of Defense, Federal Trade Commission and others.

Fu also noted that “the FDA is working closely with federal partners — HHS and CISA — on sector incident and emergency response. The FDA’s 2021 efforts for the cybersecurity focal point program will further increase the review consistency of premarket submissions.”

The creation of this new post is the latest in the FDA’s ongoing efforts to promote cybersecurity in medical devices. As we previously reported, the FDA has published draft guidance for medical device manufacturers outlining steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. We expect this focus to continue especially as we see a rise in ransomware attacks and other hacking activity.

The FDA’s increasing focus on cybersecurity is yet another reason relevant employers and medical device manufacturers should continue to assess and address potential data security risks.