Cybersecurity improvement needed for medical device manufacturers

Almost 90% of cybersecurity experts of medical device manufacturers admitted they need to improve on key areas, and managing growth of technology is a top security challenge, according to a new survey.

Software consultant Cybellum published its “Medical Device Cybersecurity: Trends and Predictions 2022.”

The survey asked 150 senior leaders and security experts from medical device manufacturers around the world, about their main challenges and how they plan to address them in 2022, and beyond.

“Medical device cybersecurity is getting more attention than ever before,” due to federal orders, highly publicized vulnerabilities and a growing number of cyberattacks, the report said.

"We embarked on this survey to gain a more comprehensive understanding of the main challenges facing product security teams at medical device manufacturers, as part of our effort to help to better secure the devices," David Leichner, Cybellum chief marketing officer, said in a press release.

"Some of our findings were quite surprising and highlight serious gaps that exist both in processes for securing medical devices and in regulation compliance,” Leichner said. “We believe that medical device manufacturers, their suppliers, compliance professionals, and even product security professionals from other industries, can all benefit from reading the results and key findings from this survey."

Key areas

The report noted key areas include compliance readiness and software bills of materials (SBOMs), a record of components used in building software analogous to a list of ingredients on packaged food. President Joe Biden’s May 2021 executive order on cybersecurity noted using SBOMs to analyze software vulnerabilities “are crucial in managing risk.”

Lack of ownership

Respondents' top security challenge is managing a growing set of tools and technologies, partly explained by the lack of high-level ownership.

The survey reported 25% of companies have a dedicated chief, vice president or head of security to serve as the most senior owner of medical device security. But 75% of respondents don't.

“It’s clear to see why companies are missing governance and oversight when in most companies there is not dedicated senior owner of this area of business,” the survey said.

Budget

Almost 50% of respondents increased their cybersecurity budget by more than 25% in 2022.

A full 99% reported increasing device security budgets in the past year. The average increase from 2021 to 2022 was 29%.

“We expect to see the budget for cybersecurity continue to increase as the attack surface of medical devices expands.”

Response team

More than 55% of medical device manufacturers do not have a product security incident response team in place.

The survey found 61% of companies do not take a proactive approach to post-production device security – a “surprising” finding.

“This is a very dangerous situation for medical device companies who want to keep their product and patients safe and reduce risk to their business and brand,” the report said.