New FDA Med Device Cybersecurity Director

Interesting to see that the FDA has created a new acting Director of Medical Device Cybersecurity position, Kevin Fu.

U-M professor appointed to FDA medical device security post | University of Michigan News (umich.edu)

(Apologies for all of those fellow Buckeye fans out there for linking to a UofM website.)

Per FDA- "He’ll work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats."

Some quotes from Kevin. I could not agree more.

"There are many manufacturers working hard to design medical devices with established computer security engineering principles, but I’d say it’s more the exception than the rule. A lot of medical device manufacturers have a difficult time grappling with computer security risks.

Manufacturer C-suites need to better understand and appreciate the value of cybersecurity early in the design of medical devices. There are so many different constituencies needed in the early design stage. You have legal experts, engineers, patients, clinicians, and often, there simply isn’t a software security expert at the table. Yet today, medical devices rely on extremely complicated software systems that do not necessarily follow the fundamental principles of information security and privacy we teach at U-M.

When security experts are brought in late in the game, the design vulnerabilities are already baked into the devices. In my opinion, medical devices today need meaningful cybersecurity beginning with requirements and design. Otherwise—do not pass go, do not collect $200. You can’t simply sprinkle magic security pixie dust after designing a device."