FDA names its first medical device cybersecurity director

The FDA has appointed its first medical device cybersecurity chief to help guide the agency’s regulatory strategies as more devices become interconnected—and potentially more vulnerable to digital attacks and breaches.

Kevin Fu, an associate professor and research fellow at the University of Michigan, was named to the post. He will serve a one-year term as an expert-in-residence at the agency’s Center for Devices and Radiological Health (CDRH) as well as at its nascent Digital Health Center of Excellence, which launched last fall.

“As stewards of patient safety, we must engage and convene the very best experts in cybersecurity, computer science and security engineering to ensure we keep pace with the speed of innovation,” said the FDA’s Suzanne Schwartz, M.D., director of the Office of Strategic Partnerships and Technology Innovation at CDRH. 

“[Fu’s] academic background and real-world experience paired with sound FDA regulatory approaches make a potent combination to further advance medical device cybersecurity along with innovation and patient safety in a holistic manner,” Schwartz said.

For over a decade, Fu’s research has focused on embedded security, or the act of designing individual devices with built-in measures that protect them from unauthorized attempts to access commands or steal patient data. 

His early work included evaluating the vulnerabilities of wireless implantable cardiac defibrillators and demonstrating that a store-bought radio and software could access early device versions and intercept communications.

Fu helped found the University of Michigan’s Archimedes Center for Medical Device Security, where he serves as chief scientist, and previously sat on the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board. He and his doctoral students also co-founded healthcare cybersecurity startup Virta Labs.

At the FDA, he will help build out CDRH’s cybersecurity programs, public-private partnerships and premarket vulnerability assessments as connected devices now span everything from insulin pumps to implants to hospitalwide networks subject to ransomware attacks.

Source