Q&A: We Must Protect Bionic Bodies From Hacking, Says Kevin Fu

It’s time for manufacturers to get serious about cybersecurity for implanted medical devices

As patients welcome neurostimulators, medical microbots, and other hardware into their bodies, they’re welcoming potential security flaws too. Kevin Fu, an associate professor of electrical engineering and computer science at the University of Michigan, says the medical device industry needs to get serious about cybersecurity now to ensure that life-saving technologies remain safe and trusted in the future.

IEEE Spectrum: Are medical device manufacturers considering security early enough in the design process?

Kevin Fu: Yes and no. Some manufacturers show up to meetings about improving medical device security and participate in good faith. The real problem is that some manufacturers still aren’t showing up.

Yet you and others have shown how medical devices can be compromised.

I don’t see any maliciousness. If you’re a manufacturer and some hacker comes and says the sky is falling, you’d probably laugh it off. The sensationalism has a negative impact. It distracts from the serious engineering.

The U.S. Food and Drug Administration issued the first cybersecurity guidelines for medical devices. What’s in them?

They’re the equivalent of hand washing in medicine—they’re the basics. Cybersecurity hand washing means you enumerate the risks, put in place technical controls to mitigate the risks you’ve identified, and make sure you have the ability to determine if those controls are working effectively. To security professionals this isn’t surprising, but to a biomedical engineer it really is groundbreaking.

What’s the biggest security threat to medical devices today?

The main risk is conventional malware that accidentally breaks into a medical device. That is not your sinister hacking plot. For example, the FDA got a report that a pharmaceutical compounder [a machine that makes liquid drugs] had Conficker, a rather old worm. It turns out the compounder was running Windows XP Embedded, a 10-year-old operating system. It was completely susceptible. This is classic hand washing: Imagine you haven’t washed your hands for 10 years and then you decide to pick your nose.

This article originally appeared in print as “Will Bionic Bodies Get Hacked?”