MDMs’ proactive response to cybersecurity

Cyber threats are constantly evolving, with each innovation opening new threats – something true for the medical technology industry as it is for any other, but with the added concern of patient safety. Therefore, it’s critical medical device manufacturers (MDMs) assume a proactive stance toward cybersecurity. To look at this, the Medical Device Innovation Consortium (MDIC) and Booz Allen signed a collaboration document with Booz Allen agreeing to provide services for an industry benchmark to assess cybersecurity maturity of the medical technology industry.

“Medical Device Cybersecurity Maturity Industry Benchmark Report,” released in October 2022, looks to provide the MDIC and Healthcare Sector Coordinating Council (HSCC) with insights to guide efforts to enhance cybersecurity practices in the industry and drive improvement in areas of weakness identified in the survey. Additionally, MDMs are encouraged to use findings to set targets to improve their own cybersecurity practices while raising the bar across industry.

With MDMs self-reporting cybersecurity practices across 44 questions in four categories, responses were scored according to the Capability Maturity Model Integration (CMMI) framework on a scale of 0 (not initiated) to 5 (optimized). Key results show average CMMI scores of:

• Organizational structure: 1.68
• Risk management: 1.47
• Design control: 1.42
• Complaint handling: 1.47

According to the report, MDMs have implemented steps in design control, but there’s plenty of room for them to do more. “While 70% of MDMs report a maturity level of Managed or above regarding security testing during the Design Control phase, roughly the same percent report a level of Initiated and below regarding specific, critical cybersecurity processes, including hardening standards, system patching, and vulnerability scanning during product development. Further, 71% of MDMs have not formalized security plans throughout the life cycle of a product, while 94% have yet to establish end of life dates for supporting third-party products and components.”

Overall results indicate cybersecurity maturity varies between MDMs and the industry as a whole has a low level of cybersecurity maturity, especially regarding Design Control. The report then offers recommendations for MDMs that’ll depend on budgets, priorities, and demographics, suggesting they look at the Design Control areas where most participants scored particularly low:

• Briefing organizational leadership on product security policies, procedures
• Assessing third parties for security
• Establishing end-of-life support dates that take into consideration supporting third-party components
• Remediating medium-to-critical severity vulnerabilities within the recommended 60-day window after discovery

The report aims to help MDMs shape device cybersecurity in the years to come, with the process needing to start now. How are you designing cybersecurity control into current products and what are you doing to address legacy devices already in the market?