Kevin Fu, Northeastern University
Vehicles, medical devices, and other cyber-physical systems increasingly rely on sensors to make safety-critical decisions in real time. In my lab, we study how attackers can exploit the physics of sensors and analog interfaces to manipulate computation at the most fundamental level. But this talk isn’t about that research.
Instead, I’ll focus on lessons from nearly two decades of medical device security research, and what this can teach us about securing the next generation of vehicles. Medical devices, such as pacemakers and infusion pumps, share surprising similarities with modern automotive systems. Both involve long product lifecycles, real-time embedded software, RF communication, complex supply chains, and safety. Both also operate in regulatory environments that often struggle to keep pace with technical innovation. However, only medical device security is written into U.S. statute (i.e., law rather than just regulatory policy).
The medical device industry has faced repeated challenges such as coordinated vulnerability disclosures, government-mandated recalls, supply chain risk management, and pressure to align safety engineering with modern security practices. The FDA’s evolving regulatory framework, along with increasing transparency around postmarket cybersecurity, offers valuable lessons in how to build trust and resilience into safety-critical systems.
This talk will examine how the healthcare sector approaches threat modeling, security engineering, postmarket risk management, and incident response, including both successes and missteps. It will also explore how regulators, researchers, and industry engineers collaborated, often in error but never in doubt, to improve security outcomes in deployed systems. My aim is to share practical insights for those designing or securing automotive platforms so we can avoid repeating the same mistakes and accelerate the maturity of vehicle cybersecurity before the industry finds itself in crisis.

Professor Kevin Fu is a global leader at the intersection of healthcare, cybersecurity, electronics, and medical device innovation. He is a Professor at Northeastern University in Boston with joint appointments in Electrical & Computer Engineering, the Khoury College of Computer Sciences, and Bioengineering. He also serves as Director of the Archimedes Center for Healthcare and Medical Device Cybersecurity.
Professor Fu’s research vision is a world where science-based security is built in by design to all embedded systems, including medical devices, health care delivery, autonomous transportation, manufacturing, and the Internet of Things. His research lab focuses on analog cybersecurity, understanding and defending against threats to the physics of computation and sensing.
He has delivered over 100 invited talks to audiences worldwide on topics such as medical device security, embedded systems, and the physics of cybersecurity. Since his pioneering research on pacemaker and defibrillator vulnerabilities more than 17 years ago, he has helped shape the field of medical device cybersecurity. He advises medical device manufacturers, pharmaceutical companies, and startups on secure system design to seek FDA clearance or approval, and on how to avoid FDA recalls for cybersecurity deficiencies.
Professor Fu previously served as the first Acting Director of Medical Device Security at the U.S. Food and Drug Administration. He has advised the White House, Congress, NIST, and private-sector leaders on strengthening cybersecurity for critical infrastructure and healthcare technologies. He also leads national efforts in developing interdisciplinary medical device cybersecurity curricula in partnership with academic, clinical, and industry stakeholders.
Professor Fu was recognized as an ACM Fellow, IEEE Fellow, AAAS Fellow, Sloan Research Fellow, and NSF CAREER Award recipient. He received the MIT Technology Review TR35 Innovator of the Year, Fed100 Award, and the IEEE Security and Privacy Test of Time Award, and earned best paper awards from USENIX Security, IEEE S&P, and ACM SIGCOMM. He chairs the USENIX Security Test of Time Awards Selection Committee. Prof. Fu received his BS, MEng, and PhD from MIT.
