This is a Health-ISAC Navigator whitepaper by Cybellum.
Medical Device Cybersecurity: Trends and Predictions – Survey Report April 2022
Introduction and Key Findings
Introduction and Methodology Medical device cybersecurity is getting more attention than ever before. There are several reasons for this. New regulations, the SBOM initiative, and President’s Biden’s executive order and subsequent request from Congress for a 14% increase in budget for supply chain and cybersecurity initiatives are a big part of this. Also, the industry is aware of highly publicized vulnerabilities such as Log4j, and reports of a growing number of cybersecurity attacks in hospitals and on manufacturing lines (many of which are not publicized and stay hidden behind closed doors). Whatever the reason, there is no doubt securing medical devices is now taking center stage.
The challenge is, as with any emerging area of cybersecurity, the more that medical device manufacturers work to improve their cybersecurity capabilities, the more gaps they realize they have. There is now an abundance of tools, standards, and processes for product and device security teams to utilize, each with their own requirements, challenges, and potential blind spots.
With medical devices becoming software-driven machines, and the rapid pace at which cybersecurity risk evolves due to new vulnerabilities, complex supply chains, new suppliers, and new product lines – it has become seemingly impossible to keep the entire product portfolio secure and compliant at all times.
People’s lives depend upon these critical processes, and so as part of the effort to help secure this landscape, we wanted to understand these gaps in depth, to help find a better approach moving forward. We undertook this survey to uncover how mature medical device cybersecurity processes really are, and to pinpoint the main challenges for today’s medical device organizations.
Methodology
To get greater insight into the state of device security for today’s medical device companies we commissioned a global survey of 150 senior decision makers from the United States, Germany, The Netherlands, Belgium, The UK, Switzerland, Japan, Mexico, France, South Korea and Canada. The survey was completed by Global Surveyz, an independent survey company. All respondents oversee product security or cybersecurity compliance in companies who are part of the medical device industry. The respondents were recruited through a global B2B research panel, invited via email to complete the survey, with all responses collected during February 2022. The average amount of time spent on the survey was 6 minutes and 30 seconds. The answers to the majority of the non-numerical questions were randomized, in order to prevent order bias in the answers.
Key Findings
1. Companies are struggling with fragmented tools and technologies – especially the bigger players
The top device security challenge in 2022 is managing a growing set of tools and technologies. The larger the company, the greater this challenge becomes, with a jump of 42% when we segment respondents by those that have a headcount of above and below 5k employees. While small companies show agility, larger companies experience more of a struggle. This may in part be explained by the lack of high-level ownership, with 75% of respondents noting that they have no dedicated senior management who takes responsibility for device cybersecurity.
2. Continuously managing product security is a huge challenge
Across the board one clear challenge rises to the top, the struggle to continuously manage and integrate product security throughout the product lifecycle – from design through post-production. Respondents highlight continuous management as the second greatest challenge for today’s security teams, at 43%. 37% are making it a priority to “shift left” and integrate security earlier in the design/development stages, while 31% are looking to create a device-specific incident response team.
3. Over half of today’s medical device companies are non-compliant
When respondents were asked about their compliance posture, on average just 46% say they consider themselves to be compliant. The top level of compliance is with FDA premarket regulations (54%). Currently, 78% say they do only what’s absolutely necessary to remain compliant. However, progress is clearly on the roadmap for many companies, as improving the success rate of compliance submissions is marked as the third-highest priority for today’s organizations.
4. 83% of medical device companies see device security as a competitive edge
Most respondents understand the critical nature of device security, with 79% highlighting it as important to minimize business risk, 73% believing it protects brand reputation, and 71% understanding the impact on securing Intellectual Property. However, while 83% recognize device security as a competitive advantage, an overwhelming 80% see device security as a “necessary evil” imposed by regulators, and 79% believe quick time to market is more important than security overall.
5. Budgets are increasing as companies become proactive about device security
99% of companies have increased their device security budget this year. The top priorities for this budget are establishing an overarching device security governance practice (37%), shifting left on security (37%), and improving the success of compliance submissions. These results show that medical device companies intend to be more proactive about security, which is important considering that currently 39% say they are only reactive about device security, and not proactive.
6. Organizations feel ready for a cyber-attack – but the facts say otherwise
Almost all respondents believe they are at least partially ready for a cyber-attack, and 75% believe they are better prepared than the competition. Despite this self-confidence, the truth is that 65% of companies test their device firmware at most once a month, and more than a third (34%) say that incident response is an exposed area for them in device security. And if your incident response isn’t up to scratch – you’re not prepared.