Kevin Fu fills new leadership position at FDA’s Center for Devices and Radiological Health, overseeing medical device security

Associate Professor Kevin Fu has been appointed as an expert in residence, in the capacity of Acting Director of Medical Device Cybersecurity at the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH). This new leadership position is in CDRH’s Office of Strategic Partnership & Technology Innovation. In his role, Fu will further advance FDA’s strategic direction to strengthen the cybersecurity of the medical device ecosystem.

The CDRH regulates over 6,500 different medical device product categories with $68 billion in imports and $59 billion in exports. These medical devices must remain safe and effective for patient care throughout their use in the face of emerging cybersecurity risks. These risks pose challenges to the availability and integrity of software-based diagnostics and therapeutics.

Fu’s role also includes an appointment with the Digital Health Center of Excellence (DHCoE). Launched in September 2020 within the CDRH, the DHCoE aims to empower stakeholders to advance health care by fostering responsible and high-quality digital health innovation. At the end of a one-year term, Fu will return to his regular duties at the University of Michigan.

“Embracing innovation for medical devices requires first rate science across a number of disciplines. As stewards of patient safety, we must engage and convene the very best experts in cybersecurity, computer science and security engineering to ensure we keep pace with the speed of innovation,” says Suzanne Schwartz, MD, MBA, Director of the Office of Strategic Partnerships and Technology Innovation at CDRH.  “Kevin Fu is a global leader in medical device security and will bring unparalleled abilities as a visionary leader, expert, educator, researcher, and advocate for a safer device ecosystem that serves patients and providers. His academic background and real-world experience paired with sound FDA regulatory approaches make a potent combination to further advance medical device cybersecurity along with innovation and patient safety in a holistic manner.”

Medical devices from insulin pumps to implantable cardiac pacemakers are becoming more interconnected, which can lead to safer, more effective technologies. However, like computers and the networks they operate in, these devices can be vulnerable to security breaches, and exploitation of a device vulnerability could threaten the health and safety of patients. To protect against, detect, and respond to vulnerabilities and exploits, the FDA has taken steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices.

“Because of his cybersecurity background and experience with the security of medical devices, Kevin Fu will be an outstanding addition to the FDA,” says ACM Turing Award recipient Ronald Rivest, professor at the Massachusetts Institute of Technology. “Our medical system relies heavily on the security of a multitude of digital devices and distributed systems; Kevin will help the U.S. provide more dependable medical care.”

Fu has long been an outspoken advocate and leading researcher in medical device security, founding the Archimedes Center for Healthcare and Device Security and serving in a number of advisory roles to industry and the US government. Through Archimedes, Fu has trained hundreds of engineers at medical device manufacturers about principles of security engineering. This new FDA position will help address emerging cybersecurity vulnerabilities in medical devices which are now commonplace. Fu’s experience will help strengthen CDRH cybersecurity programs, vulnerability assessments, and continue to foster public-private partnerships and outreach efforts.

“Today’s medical devices rely on software and the cloud to a much greater extent than they did even a few years ago,” Fu said in a Q&A with the College of Engineering. “Software wears out much faster than mechanical components in medical devices.”

Cyber threats have significantly evolved from when Fu began his medical device research 15 years ago, he says. A hospital being shut down by ransomware has become commonplace. There were more than 80 publicly reported ransomware attacks on health care providers in 2020. And new security vulnerabilities are identified in software in medical devices almost every day. A challenge is determining which vulnerabilities have clinically relevant implications.

Fu explains, “In my graduate class on medical device security, students begin by analyzing the root causes of the radiation deaths and injuries from the Therac-25 linear accelerator for cancer therapy and diagnostics. My educational modules on security engineering are now integrated in training for medical device manufacturers and hospitals across the world.”

Fu’s background and expertise will help bolster CDRH’s understanding of cybersecurity to enable a more comprehensive approach to premarket submissions reviews. In turn, this may help industry incorporate cybersecurity elements in their designs to develop medical devices less vulnerable to cybersecurity issues.

Beyond keeping on top of evolving threats, Fu’s goal at the FDA is to give security experts a seat at the table with the many different parties involved in medical device development, manufacturing, and use. These include medical experts, legal experts, engineers, and patients. But Fu says that digital security experts bring important viewpoints to the conversation.

“When security experts are brought in, it can be very difficult for them to communicate across so many different fields,” he says. “Part of my role at FDA will be to help different constituencies work better together. Security is not the problem. Security is a solution to enable consumer confidence in innovative products.”

Fu’s dual career as an advocate for medical device security and hardware security researcher has uniquely positioned him to address these audiences and bridge the communication gap between medicine and computer science. One of the few computer scientists to regularly brief leaders in the White House and Congress, Fu appreciates the need to concisely and accurately inform busy decision makers in government.

Previously, Fu’s public service activities have included:

• Testifying regularly in US House and Senate hearings on matters of cybersecurity and medical devices.
• Serving on the NIST Information Security and Privacy Advisory Board (a Federal Advisory Committee).
• Presentations at the White House Office of Science and Technology Policy (OSTP) on national policy and national defense.
• Congressional visits on behalf of U-M’s Senior Director of Federal Relations for Research, under U-M’s Vice President for Research, and the Computing Community Consortium Council.
• Briefings to Congressional Caucus meetings and House/Senate committee staff on behalf of national computing groups.
• Briefing the NSF Director and several US Senators on the importance of NSF’s support for game changing national outcomes across all cybersecurity research.
• Service to numerous federal agencies and national organizations, including GAO, HHS OIG, FTC, FCC, DOE, DOS, FDA, NIST, NSA, LEAs, White House OSTP, PCAST/PITAC, the National Academy of Engineering, and the National Academy of Medicine.

Research and teaching done by Fu and his lab has spanned the diverse challenges facing hardware and cyber-physical security. Recently, his lab has published a number of high-profile projects demonstrating physics-based vulnerabilities in sensor design. His work on defibrillator security, among the first of its kind, was recognized with the IEEE Security and Privacy Test of Time Award for its lasting impact as well as several high profile TV show dramatizations of pacemaker security. 

Fu’s recent Michigan research focuses on characterizing analog threats to sensors, including the Light Commands project that uses lasers to beam inaudible commands into microphones of voice controlled assistants, acoustic and ultrasonic attacks to control MEMS sensors, and radio waves tricking sensors into seeing false temperatures in medical and IoT devices.

Fu has taught thousands of students over his 16 years as a professor including EECS 388 Computer Security, EECS 280 Introduction to Programming, EECS 496 Professionalism, EECS 475 Introduction to Cryptography, EECS 498 Medical Device Security, EECS 588 Graduate Security, CS201 Architecture and Assembly Language, and the CS291 RFID Lab among other courses. In 2014, Fu created the initial “Explore Graduate Studies in Computer Science and Engineering” program at Michigan to foster diversity, equity, and inclusion thanks to a $10M National Science Foundation Frontiers Award for Trustworthy Health and Wellness. He traveled to several four-year colleges serving underrepresented populations to hold research writing clinics helping computer science students produce more effective statements of purpose for their graduate school applications.

Fu’s work has also been recognized by the federal government and many other bodies. In 2013, the US federal government recognized him with a Fed100 Award. In 2014, he was chosen for a Young Scientist Award by the World Economic Forum. In 2017, the AAMI medical device standards body selected Prof. Fu to receive its annual Dr. Dwight Harken Memorial Lecturer Award. Fu is a Fellow of the IEEE for his contributions to embedded and medical device security, a recipient of a Sloan Research Fellowship, an NSF CAREER award, and best paper awards from USENIX Security, IEEE S&P, and ACM SIGCOMM. He is a Senior Member of the Association for Computing Machinery. Fu and his PhD students co-founded the healthcare cybersecurity startup Virta Labs to help hospitals manage cybersecurity risks to medical devices on clinical networks. He was chosen as MIT Technology Review’s TR35 Innovator of the Year in 2009. Fu earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.