Kevin Fu has long been an advocate of tightening up the cyber security of medical devices. An associate professor in the electrical engineering and computer sciences department at the University of Michigan, he taught the first college-level course on medical device security in January 2013.
So what does he think about FDA’s newly released guidance on medical device cyber security?
“The guidance codifies much of the technical consensus drawn from cyber security experts, medical device engineers, and health care providers,” he told MD+DI via e-mail. “I think the guidance strikes a good balance in being actionable without being overly prescriptive.”
Fu says FDA’s recommendations will bring much-needed consistency on the issue of cyber security and will help the industry make its devices more secure. But he also says the guidance doesn’t go as far as it should.
“The guidance will help stop the bleeding,” he writes. “However, the guidance falls short on system engineering. Historically, medical devices were simple, standalone components. Now they are complex interacting systems. Security problems tend to come from unexpected emergent properties when different devices interact, and this context begins to fall outside of FDA's Congressional remit.”
Fu also has concerns about some of the content of the guidance.
“Some of the guidance on passwords may lead to a false sense of security,” he warns. “It's a constantly evolving science, and I think passwords are fundamentally flawed.”
For more on medical device cyber security, attend the keynote presentation by Zimmer's chief information security officer Olayinka James at MD&M Minneapolis on October 29, 2014.