More precise and pervasive cybersecurity threat modeling during manufacturers’ development of medical devices – and also during the regulatory product review process – is critical for risk mitigation, says Kevin Fu, new acting director of medical device cybersecurity at the Food and Drug Administration.
“Cybersecurity is a foreseeable risk, so it shouldn’t be a surprise that we see vulnerabilities in software and hardware that are components to medical devices,” he says in an interview with Information Security Media Group. “The big challenge is how to become less reactive and more proactive.”
The FDA believes threat modeling can play a critical role in addressing risks posed by new devices, Fu adds.
“We believe that having better, more scientific threat modeling in premarket submissions for [device] clearance or approval will greatly improve the quality of cybersecurity feedback in the submission process, making the products more secure.”
To help achieve that, the FDA recently had MITRE and the Medical Device Innovation Consortium develop and host “boot camps” to help medical device makers learn how to conduct threat modeling and incorporate it in their manufacturing processes, Fu says.
The FDA also is strongly advocating that device manufacturers give healthcare provider customers a software bill of materials, or SBOM – a “software ingredient list” for each of their products.
“The FDA has been talking quite a bit about the importance of SBOMs to understand what software is in the inside of a medical device so that you can have a better handle on the risks,” he says. “And when a security vulnerability comes out later, you’re better able to know if you are affected.”
In the interview (see audio link below photo), Fu also discusses:
- How the FDA is stepping up assessment of cybersecurity during the medical device premarket and postmarket review processes;
- The FDA’s plans to issue revised draft guidance related to premarket medical device cybersecurity;
- Why and how legacy medical devices will always present cybersecurity challenges;
Fu was recently named acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health and program director for cybersecurity at the Digital Health Center of Excellence – both new one-year positions. He’s helping the FDA create a strategic road map for the future of medical device cybersecurity. Fu is on leave as an associate professor at the University of Michigan, where he directs the security and privacy research group and founded the university’s Archimedes Center for Healthcare and Device Security. He is co-founder of healthcare cybersecurity vendor Virta Labs.