Hackers could access medical equipment and pose a threat to lives, Northeastern cybersecurity expert tells Congress

Testifying in front of a subcommittee of the House Committee on Energy and Commerce, Northeastern professor Kevin Fu shared his expertise on medical device security.

Northeastern professor Kevin Fu spoke before Congress about the cybersecurity risks of legacy medical devices (Aaron M. Sprecher via AP).

Much of the medical equipment in use today — from patient monitors to infusion pumps — can be targets for hackers, according to Kevin Fu, a Northeastern professor of electrical and computer engineering and medical cybersecurity expert. 

And the threats to human lives are very real, Fu says. 

“A bad actor who discovers a vulnerability could disable patient monitors during surgeries, spoof vital signs in intensive care units, or hijack infusion pumps to administer incorrect dosages,” Fu said this week in a hearing with U.S. lawmakers centered on cybersecurity vulnerabilities of medical devices. 

With over 30 years of experience working in health care and cybersecurity, and as the first director of medical device security at the Food and Drug Administration from 2021 to 2022, Fu was in Washington to provide expert testimony in front of a subcommittee of the House Committee on Energy and Commerce.

The Subcommittee on Oversight and Investigations held the hearing to gain deeper insights into “legacy medical devices,” which are commonly understood to be pieces of medical equipment that are decades old, outdated and more susceptible to cyberattacks. 

Think of an old MRI machine that may be running old software like Windows XP, Fu explains. While these systems pose major risks, they can still be found in many health care facilities. 

Kevin Fu testified in front of a subcommittee of the House Committee on Energy and Commerce. Courtesy photo

Fu shared his expertise on how the government could do a better job of addressing those risks. This includes beefing up the FDA’s cybersecurity to “better manage post-market vulnerabilities and emerging threats,” encouraging device makers to share software bills of materials (SBOMs) and establish national-scale testing facilities.

During the nearly three-hour hearing, Fu fielded questions from the representatives, touching on the possibilities of backdoors in medical devices, job cuts at the Department of Health and Human Services, and the importance of subject-matter expertise in medical device reviews.       

Here are a few highlights from the hearing:

Could backdoors be placed in medical devices coming from other countries? 

One area the committee was interested in studying is the possibility of “backdoors” being installed by medical device manufacturers in other countries that hackers could exploit. 

Fu highlighted that there have been instances of nation-state-backed ransomware attacks that have brought down cancer radiation therapy devices, so the concerns are justified. Many medical devices are also connected to the cloud, which leaves them more exposed to exploitation through the web.

“A government entity might be purchasing a medical device and they might not even realize there’s technology from country X or Y on the inside, and the manufacturer might not know as well,” Fu said. 

The role cybersecurity and device experts play in the review of medical devices

Given the job cuts being made at the Department of Health and Human Services, representatives asked Fu to explain the role cybersecurity experts play in the review of medical devices, and how cuts to the FDA could impact that work.   

Fu said cybersecurity experts in the FDA help ensure the proper controls are put in place and ensure there is consistency in the review process.

“It’s really important to have that rigor to ensure the controls are in place to manage those cybersecurity risks but also to be consistent. That’s very important for the manufacturers to ensure consistency across product lines,” he said. 

These types of jobs require significant and specialized experience that can be hard to come by, so any cuts can be devastating and recruitment later on may be challenging.  

“Cybersecurity and medical devices — you won’t find too many people who study this in school or even to do it in the industry,” he said. “The people I have met and worked with at the FDA during my time were highly dedicated public servants and by and large they did it because they felt it was good for the country. No one is going into public service for a great salary.” 

The role of outside expertise in helping the federal government in medical review processes 

Fu was asked to speak on his experience working with outside experts in his role at the FDA in reviewing the safety of medical devices. 

Fu said something he valued about the FDA was that they would host stakeholders’ meetings and public forums to get input — whether that would be input from patients or large gatherings of medical manufacturers sharing feedback on the review and manufacturing processes. 

While his team was generally small and composed of employees with specific expertise, they made sure to use public events to hear from other voices. 

The importance of maintaining America’s biomedicine enterprise through the federal government for the development of safe and effective medical devices  

America’s dominance in biomedical research has been key in helping drive innovation and improve patient outcomes, but the representatives expressed concerns that the federal government may soon reduce investments in it.

Fu said this enterprise is foundational and has been key in spurring advancements in engineering, science and technology. Speaking to the importance of the National Institutes of Health in providing funding for biomedical research and medical devices, Fu highlighted its impact and how essential it has become.

“NIH research is extremely important for the fundamental beginning of science, and for lack of a better term, the de-risking before it becomes a business and for understanding what therapies and diagnoses are going to be effective,” he said. “You’ll find a lot of collaboration that the safe and effective drugs and devices will eventually reach the market, but it takes a huge amount of effort to sort the effective from the less effective.”