By Connor Walsh
Kevin Fu is associate professor of EECS at the University of Michigan where he directs the Security and Privacy Research Group (SPQR.eecs.umich.edu). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is most known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel. (https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf). The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators and international health care safety standards bodies just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing. He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org). He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food and Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT. He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
TechNation cybersecurity columnist Connor Walsh recently interviewed Fu. The following is a question-and-answer session from the interview.
Q: As a previous member of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board, the importance of applying mitigating security controls to vulnerabilities is nothing new to you. However, many medical device manufacturers and clinicians may find that some common security controls limit their products. How do you plan on balancing these controls with patient care?
Fu: It can be challenging to deploy IT-centric security products on OT-centric medical devices. The best security engineering approaches begin with a sound threat model and application of fundamental security engineering principles (open design principle, principle of least privilege, etc. from the 1975 IEEE publication by Saltzer and Schroeder). Such techniques cited in the AAMI TIR57 are product and technology agnostic. Moving forward to balance controls with patient care, FDA believes that medical device security approaches should not disrupt clinical workflow. A security control shouldn’t interfere with the delivery of patient care. Medical device security is a patient safety matter.
Q: What are some ideas you have with improving the way medical device manufacturers “bake in” cybersecurity into their products, from development to sustainment?
Fu: For manufacturers to better build in security to medical device products, I strongly believe in back to basics. Remember, security is a property, not a product, just like safety. You cannot easily purchase a magic pixie dust to bolt on security after the fact, and many of the most frustrating security controls are bolt-on-style technologies that are attempting to make up for security deficiencies in a design. For instance, firewalls and anti-virus are often depended upon when a product does not have built-in end-to-end security. Private networks are inherently hostile by design.
Q: The patching process of medical devices, especially with the increase in zero-day vulnerabilities, has increasingly become more of an issue. How do you plan on holding medical device manufacturers accountable with preparing their systems for both routine and zero-day patching?
Fu: FDA expects manufacturers to provide regular software updates to keep medical devices safe and effective. FDA has and will enforce these cybersecurity expectations by issuing safety communications or recalls as appropriate. Zero-day vulnerabilities are an especially challenging problem, which is why a back-to-basics approach to security engineering is so important. Timeless security engineering principles such as defense in depth and the principle of least privilege help to reduce the risk of zero days posing a clinically relevant risk. For instance, a firewall with a future zero-day vulnerability is a reasonably foreseeable risk. There are hundreds of security vulnerabilities in firewalls. Therefore, a medical device ought to be designed to remain safe and effective even if a zero-day vulnerability impacts a third-party component in the software stack or hardware supply chain.
Q: There are many professional organizations that are willing and ready to help improve medical device cybersecurity. What thought, if any, have you given into tapping into some of these groups for help in forming new policies?
Fu: There are many professional organizations for cybersecurity, and many professional organizations for medical device design. The former tends to focus on technical controls, and the latter tends to focus on risk management. Medical devices need a balance of both. Personally, I think the organizations that focus on how to implement the eight key security engineering principles of Saltzer and Schroeder from IEEE 1975 should be the top “back to basics” engineering priority for building in security to medical device design. Organizations with a history of applying these principles to medical devices can be a real boost to the community.
Q: What certifications or continuing education do you recommend for someone looking to dive deeper into learning the importance of medical device cybersecurity?
Fu: I would like to see universities stepping up to provide masters programs in operational technology (OT) security to create the next wave of medical device security engineering talent for manufacturers, regulators and health delivery organizations. While these academic programs are beginning to form, short courses akin to certifications can help introduce the key security engineering concepts for medical device design. For instance, the BioHacking Village at DEFCON attracts newcomers to the field of medical device security and introduces them to the challenges. FDA also tasked MITRE and MDIC to pilot a threat modeling bootcamp for manufacturers. I’d like to see the private sector finding ways to build threat modeling education into their core in a self-sustaining manner.
Connor Walsh, CISSP, is a supervisory clinical engineer for the VA Boston Healthcare System.
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.
