Regulations, SBOM initiatives, threat landscape turn spotlight on medical device cybersecurity

Medical device cybersecurity is getting more attention than ever before, driven mainly by new regulations, the Software Bill of Materials (SBOM) initiative, U.S. President Joe Biden’s executive order, and the subsequent request from Congress for a 14 percent budget increase for supply chain and cybersecurity initiatives, Cybellum observed in a report released on Wednesday. In addition, vulnerabilities such as the Log4j flaw (Log4Shell), and reports of a growing number of cyberattacks on hospitals and on manufacturing lines, have further highlighted the cybersecurity issues faced by the healthcare sector.

As securing medical devices takes center stage, “the challenge is, as with any emerging area of cybersecurity, the more that medical device manufacturers work to improve their cybersecurity capabilities, the more gaps they realize they have,” Cybellum wrote in the report titled ‘Medical Device Cybersecurity: Trends and Predictions Survey Report’. “There is now an abundance of tools, standards, and processes for product and device security teams to utilize, each with their own requirements, challenges, and potential blind spots,” it added.

With medical devices becoming software-driven machines, and with cybersecurity risk evolving rapidly due to new vulnerabilities, complex supply chains, new suppliers, and new product lines, it has become seemingly impossible to keep the entire product portfolio secure and compliant at all times, the report added.

The Cybellum medical device cybersecurity report is based on a global survey of 150 senior decision makers from the U.S., Germany, the Netherlands, Belgium, the U.K., Switzerland, Japan, Mexico, France, South Korea and Canada. The survey was conducted by Global Surveyz, an independent survey company.

The report found that companies are struggling with fragmented tools and technologies, especially the bigger players. “The top device security challenge in 2022 is managing a growing set of tools and technologies. The larger the company, the greater this challenge becomes, with a jump of 42% when we segment respondents by those that have a headcount of above and below 5k employees. While small companies show agility, larger companies experience more of a struggle. This may in part be explained by the lack of high-level ownership, with 75% of respondents noting that they have no dedicated senior management who takes responsibility for device cybersecurity,” it added.

The data also showed that continuously managing product security is a major challenge. Across the board, one clear challenge rises to the top: the struggle to continuously manage and integrate product security throughout the product lifecycle, from design through post-production, the medical device cybersecurity report said. “Respondents highlight continuous management as the second greatest challenge for today’s security teams, at 43%. 37% are making it a priority to ‘shift left’ and integrate security earlier in the design/development stages, while 31% are looking to create a device-specific incident response team,” the report added.

One of the most striking disclosures of the Cybellum report is that over half of the medical device companies surveyed do not consider themselves compliant. “When respondents were asked about their compliance posture, on average just 46% say they consider themselves to be compliant. The top-level of compliance is with FDA premarket regulations (54%). Currently, 78% say they do only what’s absolutely necessary to remain compliant. However, progress is clearly on the roadmap for many companies, as improving the success rate of compliance submissions is marked as the third-highest priority for today’s organizations,” it added.

Last week, the U.S. Food and Drug Administration (FDA), an agency of the Department of Health & Human Services (HHS), published a draft guidance that provides recommendations to the healthcare industry on device cybersecurity design, labeling, and the documentation the agency recommends be included in premarket submissions for devices with cybersecurity risks.

The medical device cybersecurity report revealed that 83 percent of medical device companies see device security as a competitive edge. Most respondents understand the critical nature of device security, with 79 percent highlighting it as important to minimize business risk, 73 percent believing it protects brand reputation, and 71 percent recognizing its role in protecting intellectual property. However, while 83 percent recognize device security as a competitive advantage, an overwhelming 80 percent see it as a ‘necessary evil’ imposed by regulators, and 79 percent believe that quick time to market is more important than security overall, it added.

Budgets are increasing as companies become proactive about device security, according to the Cybellum report: 99 percent of companies have increased their device security budget this year. The top priorities for the budget are establishing an overarching device security governance practice (37 percent), shifting left on security (37 percent), and improving the success rate of compliance submissions. These results show that medical device companies intend to be more proactive about security, which matters given that 39 percent currently say they are only reactive about device security, not proactive, it added.

The medical device cybersecurity report also noted that organizations feel ready for a cyber-attack – but the facts say otherwise. “Almost all respondents believe they are at least partially ready for a cyber-attack, and 75% believe they are better prepared than the competition. Despite this self-confidence, the truth is that 65% of companies test their device firmware at most once a month, and more than a third (34%) say that incident response is an exposed area for them in device security. And if your incident response isn’t up to scratch – you’re not prepared,” it added.

Cybersecurity firm Trellix disclosed last week that 74 percent of U.S. healthcare respondents, nearly three-quarters, have not fully implemented software supply chain risk management policies and processes. It also reported that while 38 percent of healthcare respondents favor U.S. government funding to help them improve sector cybersecurity, many critical infrastructure providers across sectors likewise admitted that they had not fully implemented sufficient supply chain risk management policies and processes.
