Feb 9, 2021

The US Food and Drug Administration (FDA) has appointed Kevin Fu, an associate professor at the University of Michigan, Acting Director of Medical Device Cybersecurity. This role is a new one created within the Center for Devices and Radiological Health (CDRH), specifically located in the Office of Strategic Partnerships and Technology Innovation. Fu’s position, which also includes an appointment to the CDRH’s Digital Health Center of Excellence (DHCoE), is slated to turn over after one year.

Kevin Fu is a hardware security researcher and a long-time advocate of medical device cybersecurity who has already worked extensively with the federal government, providing testimony and briefings to Congress and various agencies and advisory bodies. “Part of my role at FDA will be to help different constituencies work better together,” he commented on the appointment. “Security is not the problem. Security is a solution to enable consumer confidence in innovative products.”

Medical device cybersecurity is a growing priority to FDA and other governing bodies

Fu’s appointment reflects the FDA’s increased interest in medical device cybersecurity in recent years, demonstrated in its response to the so-called “URGENT/11” set of vulnerabilities identified in third-party communications software utilized by some network-connected devices. The agency has paid special attention recently to cybersecurity considerations for software as a medical device (SaMD) products, laying out the first steps in a new certification framework and publishing an action plan for regulating SaMD that uses artificial intelligence or machine learning.

UL has been active in policies and standards supporting medical device cybersecurity, releasing a joint report with the US Department of Veterans Affairs on mitigating risks to network-connected devices. It has also released the UL 2900 family of standards, which the International Medical Device Regulators Forum (IMDRF) recommended compliance with in a 2020 guidance document.

Learn more about US FDA medical device and SaMD cybersecurity regulations at Emergo by UL:

  • SaMD secure development lifecycle management support
  • US FDA 510(k) consulting for medical device, IVD, and software companies
  • Cyber regulatory support for medical devices and software
  • Webinar: Mapping cybersecurity standards to FDA guidance


  • Timothy Herr