Security in Medical Devices
Industry: Medical | Level: Strategic | Source: BleepingComputer
Since February 2022, Cybellum has researched medical device cybersecurity, gathering feedback from 150 decision-makers responsible for product security or cybersecurity compliance within the medical device industry. The decision-makers polled for the research are representatives from the United States, United Kingdom, Canada, Mexico, France, Japan, Germany, Switzerland, Netherlands, and South Korea.

The greatest challenge in device security is identified as "managing a growing set of tools and technologies." The tools-and-technology challenge correlates with company size, increasing the larger the company is. Ownership is cited as an issue as well, with 75% of respondents revealing "no dedicated senior management who takes responsibility for device cybersecurity." Managing product security, as well as continuous product management, are top challenges for organizations. Top priorities for product security are found to be the implementation of governance practices and the integration of security earlier in the development stages.

Respondents acknowledge the security risk: 99% indicated their respective organizations are increasing their device security budget for 2022, with driving factors cited as "security incident involving another medical device manufacturer (43%), a desire to leverage device security as a competitive edge and business enabler (43%), and a concern over potential damage to their brand (42%)."

In terms of readiness, 99% of respondents deem their organization to be at least "somewhat" competent to handle a security incident, with a curious 33% of respondents giving a 100% confidence rating. A complete confidence rating is contradicted by answers to additional questions, as the majority of companies test devices with Dynamic Application Security Testing (DAST) and binary code analysis only once a month or less, and only 35% indicated continual testing. Additionally, in polling for exposed areas of device software security, 34% indicated incident response.