Gaps in both the processes for securing medical device software and in regulatory compliance have been identified.
Nearly 90% of cybersecurity experts at medical device manufacturers agreed they need to improve in key areas, and managing a growing set of tools and technologies is their top security challenge, according to a new survey.
Product security vendor Cybellum has released its report, titled “Medical Device Cybersecurity: Trends and Predictions 2022”.[1]
The survey asked 150 senior executives and security experts from medical device manufacturers around the world about their top challenges and how they plan to address them in 2022 and beyond.
“Medical device cybersecurity is garnering more attention than ever,” due to federal orders, high-profile vulnerabilities, and a growing number of cyberattacks, the report said.
“We embarked on this survey to gain a more comprehensive understanding of the key challenges facing product security teams at medical device manufacturers, as part of our efforts to help better secure devices,” said David Leichner, chief marketing officer of Cybellum, in a press release.
“Some of our findings were quite surprising and highlight serious gaps that exist in both processes for securing medical devices and regulatory compliance,” Leichner said. “We believe that medical device manufacturers, their suppliers, compliance professionals, and even product safety professionals from other industries, can all benefit from reading the results and key findings of this survey.”
The report notes that the key areas include compliance readiness and software bills of materials (SBOMs), a record of the components used in building a piece of software, analogous to the list of ingredients on packaged foods. President Joe Biden’s May 2021 Executive Order on cybersecurity[2] noted that using SBOMs to analyze software for known vulnerabilities “is crucial in risk management”.
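As an added illustration of what “using an SBOM to analyze software vulnerabilities” looks like in practice (this is example code written for this page, not code from the report or from Cybellum), the script below reads a CycloneDX-style JSON SBOM and cross-references each component against an advisory list. The firmware name, component versions and advisory IDs are constructed sample data, not a real device or real CVEs. It also shows the check a practitioner wants: a component listed without a version cannot be matched at all, so it is reported separately rather than silently passed.

```python
"""Cross-reference a software bill of materials (SBOM) against known vulnerabilities.

Added example for this page, not code from Cybellum or the report. The SBOM
follows the shape of a CycloneDX JSON document (bomFormat, components with
name/version/purl). All names, versions and advisory IDs are constructed.
"""
import json
import re

# Constructed sample SBOM for a hypothetical device firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "pump-controller-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "busybox", "version": "1.33.0", "purl": "pkg:generic/busybox@1.33.0"},
        {"type": "library", "name": "libcurl"},  # version missing: a common SBOM quality gap
    ],
})

# Constructed advisory feed: hypothetical IDs and fix versions, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_in": "1.1.1l", "severity": "high"},
    {"id": "ADV-0002", "component": "busybox", "fixed_in": "1.34.0", "severity": "medium"},
    {"id": "ADV-0003", "component": "zlib", "fixed_in": "1.2.12", "severity": "critical"},
]


def version_key(version):
    """Split a version string into comparable numeric and alphabetic runs.

    Simplified comparator: handles dotted versions with letter suffixes such
    as 1.1.1k, which is enough for this example. Real tooling should apply the
    version semantics of each ecosystem (semver, Debian EVR, etc.).
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version, fixed_in):
    """True when the installed version sorts before the version that carries the fix."""
    return version_key(version) < version_key(fixed_in)


def load_components(sbom_json):
    """Parse the SBOM and return its component list, rejecting non-CycloneDX input."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def match_advisories(sbom_json, advisories):
    """Return (findings, unversioned).

    findings: advisories whose component appears in the SBOM at a version
              below the fix, with the details needed for a remediation ticket.
    unversioned: component names that could not be checked because the SBOM
              gives no version; these are a gap in the SBOM, not a clean result.
    """
    findings, unversioned = [], []
    for comp in load_components(sbom_json):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)
            continue
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({
                    "id": adv["id"], "component": name, "version": version,
                    "fixed_in": adv["fixed_in"], "severity": adv["severity"],
                })
    return findings, unversioned


if __name__ == "__main__":
    hits, gaps = match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for h in hits:
        print(f"{h['id']} [{h['severity']}] {h['component']} {h['version']} -> upgrade to {h['fixed_in']}")
    for g in gaps:
        print(f"UNVERSIONED: {g} (cannot be checked; fix the SBOM)")
```

Run as-is it reports the openssl and busybox matches, skips zlib because the SBOM version is already past the fix, and flags libcurl as unverifiable. The last case is the one that matters for compliance readiness: an SBOM that omits versions looks complete on paper but cannot support the vulnerability analysis the Executive Order calls for.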
Lack of ownership
Respondents’ top security challenge is managing a growing set of tools and technologies, which is partly due to the lack of high-level ownership.
The survey found that 25% of companies have a dedicated executive (a chief product security officer, vice president, or chief security officer) who acts as the senior owner of medical device security. The remaining 75% of respondents do not.
“It is clear to see why companies lack governance and oversight when in most companies there is no primary owner dedicated to this area of business,” the survey says.
Nearly 50% of respondents increased their cybersecurity budget by more than 25% for 2022.
99% of respondents said they had increased their device security budget in the past year; the average increase from 2021 to 2022 was 29%.
“We expect the cybersecurity budget to continue to grow as the medical device attack surface expands,” the report said.
More than 55% of medical device manufacturers do not have a product security incident response team in place.
The survey found that 61% of companies do not take a proactive approach to post-production device security, a “surprising” result.
“This is a very dangerous situation for medical device companies who want to keep their products and patients safe and reduce risk to their business and brand,” the report said.
1. Medical Device Cybersecurity: Trends and Predictions 2022. Cybellum. Published April 2022. Accessed April 25, 2022. https://security.cybellum.com/state-of-medical-device-cybersecurity-2022
2. Executive Order on Improving the Nation’s Cybersecurity. The White House. May 12, 2021. Accessed April 25, 2022. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/