Security gaps in software and regulation compliance were identified.
Software consultant Cybellum published its report, titled “Medical Device Cybersecurity: Trends and Predictions 2022.” [1]
The survey asked 150 senior leaders and security experts from medical device manufacturers around the world about their main challenges and how they plan to address them in 2022 and beyond.
“Medical device cybersecurity is getting more attention than ever before,” due to federal orders, highly publicized vulnerabilities and a growing number of cyberattacks, the report said.
“We embarked on this survey to gain a more comprehensive understanding of the main challenges facing product security teams at medical device manufacturers, as part of our effort to help to better secure the devices,” David Leichner, Cybellum chief marketing officer, said in a press release.
“Some of our findings were quite surprising and highlight serious gaps that exist both in processes for securing medical devices and in regulation compliance,” Leichner said. “We believe that medical device manufacturers, their suppliers, compliance professionals, and even product security professionals from other industries, can all benefit from reading the results and key findings from this survey.”
The report noted that key areas include compliance readiness and software bills of materials (SBOMs), records of the components used in building software, analogous to the list of ingredients on packaged food. President Joe Biden’s May 2021 executive order on cybersecurity [2] noted that SBOMs for analyzing software vulnerabilities “are crucial in managing risk.”
Lack of ownership
Respondents’ top security challenge is managing a growing set of tools and technologies, partly explained by the lack of high-level ownership.
“It’s clear to see why companies are missing governance and oversight when in most companies there is no dedicated senior owner of this area of business,” the survey said.
Almost 50% of respondents increased their cybersecurity budget by more than 25% in 2022.
A full 99% reported increasing device security budgets in the past year. The average increase from 2021 to 2022 was 29%.
“We expect to see the budget for cybersecurity continue to increase as the attack surface of medical devices expands.”
More than 55% of medical device manufacturers do not have a product security incident response team in place.
The survey found 61% of companies do not take a proactive approach to post-production device security—a “surprising” finding.
“This is a very dangerous situation for medical device companies who want to keep their product and patients safe and reduce risk to their business and brand,” the report said.