FDA Hones in on Medical Device Security
Cybersecurity leaders discuss how the agency is implementing new cyber controls to protect medical device integrity.

The Food and Drug Administration is taking a closer look at medical device cybersecurity and countermeasures following supply chain challenges and attacks presented by the COVID-19 pandemic.
“The idea is to be as prepared as possible for the next event. We want to help shorten the time it takes to develop these medical countermeasure devices so that they are available when needed,” said FDA Senior Science Health Advisor Heather Agler during FDA’s Science Forum last week.
Cybersecurity threats to the health care sector could make medical devices and hospital networks inoperable, thereby disrupting the delivery of patient care. Therefore having medical countermeasure devices in place is critical, Agler said.
FDA is tackling this via threat modeling, which helps identify, analyze and evaluate potential security risks. Threat modeling enables FDA to avoid “gut judgements” on cyber posture and move toward a verifiable security control, said Kevin Fu, acting director for medical device cybersecurity at FDA’s Center for Devices and Radiological Health.
“It’s the cousin to hazard analysis. The idea is that it’s very difficult to make scientific claims about medical device security if a manufacturer doesn’t provide a reasonable and reputable threat model specific to the device,” Fu said.
Fu outlined three insufficient threat model claims for medical devices: using obscure programming language, relying on past history of never being attacked and placing products on a secure hospital network.
“A good threat model for any device begins with a simple statement: ‘We will begin by assuming an adversary controls the network the medical device connects to.’ This is a good start to enabling a medical device to stay safe and effective despite anticipated risks of computer security,” Fu said.
FDA is also creating software bills of material (SBOM) through the International Medical Device Regulators Forum to help synchronize guidelines and standards internationally.
“This is all about how to get a total product lifecycle to include cybersecurity and bring more consistency across the borders for more certainty for the manufacturing community,” Fu said.
SBOMs are growing in importance at the agency, particularly following Biden’s executive order on cybersecurity.
“An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software,” the executive order said. “Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.”
FDA is also working on a Joint Security Plan, which serves as a total product lifecycle reference guide for developing, deploying and supporting cyber-secure technology solutions in the health care environment.
Throughout 2021, CDRH will develop a strategic roadmap for future medical device security, partner with stakeholders and foster collaborations across industry and government to enhance security as attackers continue to evolve.
“One area I’m hoping to make a good dent in is helping to integrate cybersecurity principles through CDRH’s total product life cycle, and help with training and mentoring,” Fu said.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
DOI Must Modernize Energy to Win AI Race, Secretary Says
Doug Burgum links AI innovation to energy reform as DOI advances digital infrastructure and wildfire response under Trump’s tech agenda.
2m read -
Army Combines Commands to Propel Innovation Under New Transformation Plan
Lt. Gen. Miles Brown outlines a new transformation strategy after the AFC–TRADOC merger to integrate new technologies within 18 months.
4m read -
NIST to Release New AI Cybersecurity Guidance as Federal Use Expands
NIST plans to release AI cybersecurity guidance within the year to support safe adoption as federal agencies expand use cases.
4m read -
CIA Adds Fourth Pillar to AI Strategy, CAIO Says
Lakshmi Raman says the new pillar marks a strategic shift toward embedding AI more deeply into the CIA’s day-to-day mission execution.
3m read -
FEHRM CTO Targets Two-Year Cloud Migration for Federal EHR
Lance Scott touts new EHR tech advancements, including cloud migration, expanded data exchange and AI integration to improve care delivery.
4m read -
AI Enables Coast Guard’s Workforce to Transform Operations
The Coast Guard’s Deputy CIO Brian Campo delves into the ways AI is pushing the service to rethink its core services, workforce and operations.
14m watch -
New Army Acquisition Plan Cites Autonomy, Predictive Analytics
Officials outline how the Army Transformation Initiative signals a broader shift toward efficiency with tech and acquisition reform.
4m read -
DOL Turns to Workforce Development to Maintain AI Superiority
DOL is bridging the AI skills gap through partnerships and upskilling to ensure future AI workforce readiness.
10m watch -
Trump’s Executive Order Spurs Federal Push for AI Literacy
Agencies are ramping up AI literacy efforts across the federal workforce and education systems after Trump's executive order on AI education.
5m read -
AWS Summit: A DOE National Lab Uses GenAI to Boost Efficiency
Lawrence Livermore National Lab launches a new generative AI tool to drive operational efficiency at the National Ignition Facility.
9m listen -
VHA’s AI Chief Led NIH’s New AI RFI
The agency's AI chief Gil Alterovitz helped develop a plan that hints at how NIH is charting the future of AI and biomedical research.
5m read -
DOE National Labs Launch New AI Tools for Operational Efficiency
The Energy Department's National Laboratories are using AI to increase operational efficiency and drive research efforts forward.
3m read