Velentium’s director of product security, Christopher Gates, explains how companies can get to grips with the FDA’s new and stricter medical device cybersecurity guidelines and the need for more experts and practitioners who are skilled in this area.
Cybersecurity in the medical setting
In the modern era of interconnected healthcare systems, medical devices have become an indispensable part of patient care. From pacemakers to insulin pumps, these devices have revolutionised the way we diagnose, treat, and manage medical conditions to improve outcomes and the quality of life for patients. However, this rapid technological advancement has introduced a significant challenge that demands immediate attention, namely the shortfall of skilled workers in medical device cybersecurity.
As the world moves towards a more interconnected and digitised healthcare ecosystem, the importance of securing medical devices against cyber threats cannot be overstated. Cyberattacks targeting medical devices can have severe consequences, ranging from compromising patient data and privacy to directly impacting a patient’s life. Alongside these potential risks, the shortage of skilled cybersecurity engineers within medical device manufacturing companies has emerged as a pressing concern. Medical device manufacturing companies are facing an alarming gap in their workforce as they struggle to find proficient cybersecurity professionals who can design and implement these secure medical devices.
Finding skilled cybersecurity engineers who possess the expertise to handle this complex landscape is no easy task. The shortfall of such professionals is a result of multiple factors that intersect to create a perfect storm: a rapidly evolving threat landscape, the specialisation required in both medical and cybersecurity domains, and the competitive tech industry's ability to attract top talent.
One key factor driving the shortage is the ever-evolving nature of cyber threats. As medical devices become more sophisticated, cybercriminals adapt their tactics to exploit vulnerabilities. This dynamic environment requires cybersecurity engineers to stay constantly up to date on the latest threat intelligence, attack vectors, and mitigation strategies. This demand for constant learning can be daunting to engineers, preventing them from seeking training in security. Moreover, traditional education systems have so far been unable to keep up with the pace of change, leaving a gap between industry needs for trained talent and available expertise.
Adding to the difficulty, medical device cybersecurity requires a unique blend of skills that spans both the medical and cybersecurity domains. Engineers must understand the intricate workings of medical devices, their software and hardware components, and the regulations that govern their design and use cases. At the same time, they must be well-versed in securing protocols, encryption techniques, regulatory cybersecurity requirements, network security, and hacking practices. This multidisciplinary expertise is not easily found, as it requires individuals who are able to bridge the gap between two traditionally distinct fields of knowledge.
Medical devices are unique in their vulnerabilities and possible mitigations. Compared to traditional computers and software, medical devices often have a long lifecycle that extends for years, possibly even decades. This extended lifespan poses a challenge as it becomes increasingly difficult to keep devices updated with the latest security measures to counter evolving threats. Furthermore, the nature of medical devices themselves, ranging from implantable devices to large diagnostic equipment, means that there is no one-size-fits-all cybersecurity solution. Some devices have all the processing power, onboard memory, and electrical power they need to incorporate security solutions similar to what you might see on a PC or network firewall. But miniaturised, battery-operated, and/or implantable devices, such as pacemakers or insulin pumps? Not so much. They require a totally different set of solutions.
Medical device development engineers might excel in creating innovative devices to improve patient care, but they probably don’t have the depth of knowledge required to safeguard these devices against malicious cyber-attacks. Conversely, cybersecurity experts might struggle to comprehend the nuances of medical device functionality, potentially resulting in flawed security implementations. You wouldn’t want to implement a credential-based access system that locked out a doctor, or her patient, from healthcare management because someone mistyped their password!
Medical device cybersecurity requires interdisciplinary knowledge that is not typically found in conventional IT cybersecurity training.
To mitigate the shortfall of skilled cybersecurity engineers in medical device development, a multi-faceted approach is required.
Upskilling and reskilling initiatives
Medical device manufacturers can invest in upskilling their existing workforce, transforming engineers with medical backgrounds into cybersecurity professionals. By designing or buying access to specialised cybersecurity curricula that encompass intricacies particular to medical devices, training programs can produce graduates who are better equipped to address this challenge. This also creates the best possible solution for companies, as this hybrid engineer can now incorporate cybersecurity into the design and development efforts.
Diversity and inclusion
Promoting diversity and inclusion within the field can lead to a wider talent pool. Encouraging individuals from different backgrounds, including women and underrepresented minorities, to pursue careers in medical device cybersecurity can infuse fresh perspectives and ideas into the industry. In the mid-term, this could help alleviate some of the shortfall pressure.
Public awareness
Raising awareness about the importance of medical device cybersecurity can attract talented individuals to this field. Highlighting the critical role cybersecurity engineers play in safeguarding public health can make this career path more appealing. This has the added benefit of creating an “allure” as the engineer is making a difference while helping humanity.
Incentives and recognition
Offering competitive compensation packages, professional development opportunities, and recognition for contributions to medical device cybersecurity can also incentivise individuals to choose this career.
Conclusion
In conclusion, the shortfall of skilled workers in medical device cybersecurity poses a critical challenge to the healthcare industry. The FDA’s recent mandate from Congress to enforce cybersecurity in medical devices is only going to exacerbate the need for manufacturers to employ skilled cybersecurity engineers. Medical device manufacturers must proactively address this shortage by investing in medical device cybersecurity training programs with their existing engineering staff, actively promoting a more diverse and inclusive workforce to broaden the available talent pool, raising awareness of the critical role medtech plays in saving, sustaining, and improving human lives, and finding creative ways to offer competitive compensation and benefits to existing and/or trainable talent. Only through such a multipronged effort by manufacturers are we going to be able to protect the public today and tomorrow.