Fu Addresses US Congressional Hearing on Cybersecurity Risks in Medical Devices

ECE Professor Kevin Fu raised concerns about the vulnerability of medical equipment to cybersecurity attacks when he spoke at a U.S. House Committee on Energy and Commerce subcommittee hearing. Fu served as the first director of medical device security at the Food and Drug Administration from 2021 to 2022.
This article originally appeared on Northeastern Global News. It was published by Cesareo Contreras. Main photo: Northeastern professor Kevin Fu spoke in front of Congress about cybersecurity risks of legacy medical devices (Aaron M. Sprecher via AP).
Hackers could access medical equipment and pose a threat to lives, Northeastern cybersecurity expert tells Congress
Much of the medical equipment in use today—from patient monitors to infusion pumps—can be targets for hackers, according to Kevin Fu, a Northeastern professor of electrical and computer engineering and medical cybersecurity expert.
And the threats to human lives are very real, Fu says.
“A bad actor who discovers a vulnerability could disable patient monitors during surgeries, spoof vital signs in intensive care units, or hijack infusion pumps to administer incorrect dosages,” Fu said this week in a hearing with U.S. lawmakers centered on cybersecurity vulnerabilities of medical devices.
With over 30 years of experience working in health care and cybersecurity, and as the first director of medical device security at the Food and Drug Administration from 2021 to 2022, Fu was in Washington to provide expert testimony in front of a subcommittee of the House Committee on Energy and Commerce.
The Subcommittee on Oversight and Investigations held the hearing to gain deeper insights into “legacy medical devices,” which are commonly understood to be pieces of medical equipment that are decades old, outdated and more susceptible to cyberattacks.
Think of an old MRI machine that may be running old software like Windows XP, Fu explains. While these systems pose major risks, they can still be found in many health care facilities.
Fu shared his expertise on how the government could do a better job of addressing those risks. This includes beefing up the FDA’s cybersecurity to “better manage post-market vulnerabilities and emerging threats,” encouraging device makers to share software bills of materials (SBOMs) and establish national-scale testing facilities.
During the nearly three-hour hearing, Fu fielded questions from the representatives, touching on the possibilities of backdoors in medical devices, job cuts at the Department of Health and Human Services, and the importance of subject-matter expertise in medical device reviews.
Here are a few highlights from the hearing:
Could backdoors be placed in medical devices coming from other countries?
One area the committee was interested in studying is the possibility of “backdoors” being installed by medical device manufacturers in other countries that hackers could exploit.
Fu highlighted that there have been instances of nation-state-backed ransomware attacks that have brought down cancer radiation therapy devices, so the concerns are justified. Many medical devices are also connected to the cloud, making them more susceptible to exploitation through the web.
“A government entity might be purchasing a medical device and they might not even realize there’s technology from country X or Y on the inside, and the manufacturer might not know as well,” Fu said.