Kevin Fu, head of the Archimedes Center for Medical Device Security at the University of Michigan
An uptick in cybercrimes has spurred the U.S. Food and Drug Administration to put the medical device industry on notice.
Medical devices that fail to satisfy the agency's newly drafted cybersecurity guidelines may soon be blocked from approval once the guidelines are finalized later in the year, according to the agency.
If finalized, this directive may have far-reaching consequences for medical manufacturers and how they design their products in the future.
Health IT experts say it's about time. Years ago in a laboratory experiment, Kevin Fu, head of the Archimedes Center for Medical Device Security at the University of Michigan, demonstrated how he could hack into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.
There's no need to panic just yet — such a threat is currently only theoretical. But experts say these vulnerabilities demonstrate how far behind the medical industry is on cybersecurity measures that have long been standard in the consumer electronic space.
DOTmed Business News tracked Fu down so we could get his thoughts on the FDA directive, potential worst-case scenarios, device security, and projections for the future.
DMBN: First off, I know it's difficult to quantify the number of security breaches that happen, but can you point to any source that says these incidents are increasing?
KF: I was one of the first people to submit a report through the Medwatch 3500 process on an AED external defibrillator — it was the only one they received that year. Now I'm told they're receiving reports a couple of times a month.
And just recently there was just one person who discovered they were able to obtain the administrative passwords of over 50 medical devices, giving them complete control over each device including its function, its software and its behavior.
DMBN: What sort of cyber attacks have happened in the past?
KF: All the incidents I'm aware of are malware that accidentally get into a medical device. For instance, in my lab we have a pharmaceutical compounder, a device that creates nutrients taken intravenously. And it happens to run Windows XP, a piece of software that is ten years old and riddled with security vulnerabilities, yet it's still being deployed. Think of our outdated home PC software that got hit with malware — we've probably replaced them ten years ago. But guess what? They're still in hospitals.
DMBN: Do you think malware will eventually evolve to intentionally target medical devices?
