Q&A: We Must Protect Bionic Bodies From Hacking, Says Kevin Fu

It’s time for manufacturers to get serious about cybersecurity for implanted medical devices

Illustration of Kevin Fu.
Illustration: Jacob Thomas

As patients welcome neurostimulators, medical microbots, and other hardware into their bodies, they’re welcoming potential security flaws too. Kevin Fu, an associate professor of electrical engineering and computer science at the University of Michigan, says the medical device industry needs to get serious about cybersecurity now to ensure that life-saving technologies remain safe and trusted in the future.

IEEE Spectrum: Are medical device manufacturers considering security early enough in the design process?

Kevin Fu: Yes and no. Some manufacturers show up to meetings about improving medical device security and participate in good faith. The real problem is that some manufacturers still aren’t showing up.

Yet you and others have shown how medical devices can be compromised.

I don’t see any maliciousness. If you’re a manufacturer and some hacker comes and says the sky is falling, you’d probably laugh it off. The sensationalism has a negative impact. It distracts from the serious engineering.

The U.S. Food and Drug Administration issued the first cybersecurity guidelines for medical devices. What’s in them?

They’re the equivalent of hand washing in medicine—they’re the basics. Cybersecurity hand washing means you enumerate the risks, put in place technical controls to mitigate the risks you’ve identified, and make sure you have the ability to determine if those controls are working effectively. To security professionals this isn’t surprising, but to a biomedical engineer it really is groundbreaking.

What’s the biggest security threat to medical devices today?

The main risk is conventional malware that accidentally breaks into a medical device. That is not your sinister hacking plot. For example, the FDA got a report that a pharmaceutical compounder [a machine that makes liquid drugs] had Conficker, a rather old worm. It turns out the compounder was running Windows XP Embedded, a 10-year-old operating system. It was completely susceptible. This is classic hand washing: Imagine you haven’t washed your hands for 10 years and then you decide to pick your nose.

This article originally appeared in print as “Will Bionic Bodies Get Hacked?”
