Why FDA's New Cyber Device Regs Are a 'Watershed Moment'
Kevin Fu of Northeastern University on How the Regulations Will Ensure Uniformity
The FDA's new cybersecurity policy is a "watershed moment" for the industry, said Kevin Fu, a professor and the director of the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University. The agency will soon begin rejecting manufacturers' new medical device submissions that lack detailed cybersecurity measures, which will help ensure uniformity, Fu said.
"It's no longer FDA guidance, which is typically nonbinding. This is now federal law, which is very different," he said in an interview with Information Security Media Group on Tuesday during the 2023 Healthcare Information Management and Systems Society Global Health Conference and Exhibition in Chicago.
Under the omnibus spending bill signed into law in December, Congress gave the FDA expanded authority over medical device cybersecurity. The agency says starting Oct. 1, it will reject new cyber device submissions that don't detail security measures (see: FDA Will Begin Rejecting Medical Devices Over Cyber Soon).
While the authority pertains to new product submissions, the requirements aim to improve the cybersecurity of these devices as they age and develop potential vulnerabilities.
"Congress gave the FDA no option, saying, 'FDA, you are now required to regulate medical device cybersecurity engineering premarket as well as postmarket.' The new law has some very specific technical language in it, so this is very significant," says Fu, who served as a medical device cybersecurity adviser to the FDA during the height of the COVID-19 pandemic.
"Many of the leading companies have been working on these, but I think this will accelerate the uniformity of better cybersecurity."
In this interview with Information Security Media Group, Fu also discusses:
- How the FDA's new medical device cybersecurity requirements might help lift cybersecurity standards for medical devices sold in other parts of the world;
- Other important cybersecurity issues he is watching involving medical device and healthcare technologies;
- His work at Northeastern University in Boston educating and mentoring the next generation of medical device cybersecurity professionals.
Fu is a professor of electrical and computer engineering at Northeastern University and founder and director of its Archimedes Center for Health Care and Medical Device Cybersecurity. He also recently served as acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health and program director for cybersecurity at the Digital Health Center of Excellence. Prior to that, Fu was an associate professor at the University of Michigan, where he also founded that university's center for healthcare and device security. He is co-founder of healthcare cybersecurity vendor Virta Labs.