Christopher Gates, Director of Product Security, Velentium, 09.25.23
This article is a little late for addressing the topic of your children’s return to school this year, but fortunately, this article is not about your kids. Instead, it is about your business and career.
In the most recent FDA cybersecurity guidance (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff”—April 2022), the agency has taken a novel approach in several respects. Namely, FDA now asks for “background information” in several places, using terms such as “justify” and “rationale” to require that the manufacturer substantiate its decisions, including (among others):
- The approach used for threat modeling
- The determination to mitigate or not to mitigate specific identified vulnerabilities
- Selection of a secure development framework
One of the more interesting requirements, however, is on page 23, line 856, where the guidance states that testing reports should include several elements, including the “Independence and technical expertise of testers.”
The “independence” part is usually not hard to achieve, using dedicated staff (i.e., not development engineers) or external third parties, but the “technical expertise of testers” part is going to be difficult for the vast majority of manufacturers.
A mistake I frequently see is manufacturers believing IT cybersecurity and embedded medical device cybersecurity are the same thing, even going so far as to try to apply IT infrastructure security standards (such as the ISO/IEC 27001 family, which governs an organization’s information security management rather than the design of a device) to medical device development. If you are lucky enough to have an IT cybersecurity expert in your organization, congratulations! However, that does not automatically mean the person has the right set of skills for medical device security testing.
While IT cybersecurity talent is in short supply—with a NIST-estimated global shortage of IT cybersecurity professionals of 3.4 million [1]—embedded medical device cybersecurity talent is even harder to staff; such professionals are almost impossible to hire, and should you happen upon one, they are going to expect an inordinately high salary.
Medical device developers must possess a large amount of industry-specific knowledge to develop new medical devices while, at the same time, wielding the very specific technical skills required to perform the development tasks. So, how are you going to locate an embedded cybersecurity professional with a union of all of these skill sets?
Universities are the traditional solution to training, but the university structure is built on research and rigor. That is a long-horizon approach, and it means universities have a difficult time keeping their pedagogy current with emerging fields such as cybersecurity. Also, because of the highly inflated salaries of cybersecurity experts, would-be professors are more inclined to take a high-paying industry job than a low-paying job teaching cybersecurity classes. Moreover, there are just not that many “brick and mortar” medical device teaching programs, and even those would require students to be geographically co-located with the institutions (in Michigan, Boston, and elsewhere) for at least several semesters. The industry needs these experts now; we don’t have the luxury of waiting four years.
We believe the best answer is “upskilling” your existing workforce, especially your development staff [2].
While metrics specific to medical device cybersecurity experts are difficult to obtain, we can get an idea of the scope of the problem from numbers related to IT cybersecurity. Those numbers show that upskilling significantly improves employee retention and is the most cost-effective approach, especially when compared to the $35,000 cost of hiring a new developer [3]. A report published by Pluralsight details some of the advantages of upskilling [4]. According to the Pluralsight report:
“Among technology skills, cybersecurity is most often in the top three skills demanded by technology leaders. Overall, if employees had a weekly sprint for learning, 59% of executives would want them to learn cybersecurity skills, while 44% preferred data-science skills, and 42% selected cloud skill sets.”
While there are many IT cybersecurity training programs available, none of these address the unique technical concerns relevant to medical device manufacturers or the worldwide cybersecurity regulations and customer expectations their devices must meet.
While there are workshops and short courses on specific topics, such as those put on by the Archimedes Center for Health Care and Medical Device Cybersecurity and TÜV SÜD, we are aware of only one comprehensive cybersecurity training program designed specifically for medical device developers. This program is delivered via student-paced videos and inline quizzes, gives students direct messaging access to the instructors, and features a weekly live teleconference where students can ask questions. Because the training is student-paced, it can be completed with only minor interruptions to the student’s normal work day, allowing for an easy progression from “developer” to “secure developer.”
Lastly, students passing this masterclass on medical device cybersecurity receive a certificate of completion, providing an artifact for submission to the FDA that justifies the “technical expertise” of your cybersecurity staff. This masterclass costs less than 25% of what it would cost to hire a new employee, not even counting that employee’s added salary.
I should mention, in the interest of full transparency and disclosure, that my employer is the company responsible for this medical device cybersecurity training. We have great aspirations for this training program and hope it will make an even bigger impact in the medical device manufacturing industry than our book on medical device cybersecurity.
Your kids have already gone “back to school.” Isn’t it time you do as well?
References
Christopher Gates is the director of Product Security at Velentium. He has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, Bluetooth SIG, and FDA to present, define, and codify tools, techniques, and processes that enable the creation of secure medical devices.