The landscape of healthcare security is undergoing a transformative shift as medical devices become increasingly software-driven. This evolution introduces new challenges, from expanding attack surfaces to intricate supply chains. In this critical phase, medical device manufacturers (MDMs) grapple with the imperative of strengthening their device security programs. Our survey delves into the current state of MDMs’ device security, revealing insights into the maturity levels of their security programs, such as the difference in budget changes between teams at Level 1 versus Level 3 maturity.
Defining medical device security program maturity levels
In order to better understand how MDMs are approaching device security, we categorized medical device security programs into three maturity levels, defined as follows:
Level 1 – Firefighting
The first level of medical device security program is the most immature, characterized by:
- Unorganized processes.
- Manual security scans performed at the end of development.
- Major compliance gaps.
- No threat or device monitoring post-production.
- Success relies on individual efforts and is not repeatable.
- Time-to-Market suffers.
Level 2 – Passive Defense
Level 2 is the middle level of medical device security program maturity with the following characteristics:
- Partially defined processes with few dedicated resources.
- Basic security practices implemented periodically.
- Basic tools used with manual work.
- Improved compliance, but inconsistencies.
- Time-to-Market at risk, security gaps post-production.
Level 3 – FDA Ready Continuous Product Security
The final and most mature level of medical device security program maturity is characterized by:
- Resources available at the executive and practitioner level.
- Dedicated, highly automated processes for security and compliance.
- Covers the entire product portfolio from design to post-production.
- Efficient time-to-market with minimal risk.
Medical device security maturity findings
Our survey found that 19% of participants’ companies have security programs at Level 1, 49% at Level 2, and only 32% at the highest level, Level 3. This indicates that the clear majority of respondents (68%) report their programs are below the desired maturity level.
Notably, 23.1% of smaller companies with fewer than 5,000 employees are at Level 1, compared to 7.1% of larger organizations with over 5,000 employees. This is in line with the recognition that larger companies, benefiting from greater resources, are more inclined to achieve a higher level of maturity in their device security programs, aligning with the expectations set forth by regulatory bodies like the FDA.
The landscape of medical device security program maturity is shaped by the roles that MDMs assign to steer security initiatives. These differ from company to company depending on their unique needs and structure. Regardless of who is tasked with championing product security, it should be a dedicated position and not a responsibility that can be added to other roles.
Our survey found that 28% of respondents’ companies assign responsibility for medical device security to the Chief/VP/Head of Product Security, 19% to the Chief/VP/Head of Compliance or GRC, and 17% to the Chief Information Security Officer.
These findings represent some notable changes from the findings of our 2022 survey. There was a subtle uptick in the Chief/VP/Head of Product Security and Chief/VP/Head of Compliance or GRC owning medical device security, from 25% to 28% and 14% to 19%, respectively. Most significantly, ownership by the CTO dropped from 25% to 12%.
We note that, despite positive strides in attitudes towards medical device security, 72% of surveyed MDMs still lack a dedicated function for product security. This glaring statistic underscores the overarching immaturity of product security programs in a significant majority of organizations.
Our survey found that 50% of respondents increased their device security budgets in 2023, while the rest maintained the same level of investment as in 2022. Interestingly, companies at more advanced medical device program maturity Levels 2 and 3 were more likely to increase their budgets than those at the more immature Level 1 (53% versus 32.1%). This may indicate that financial investments play a crucial role in achieving robust security postures.
Signifying a strategic commitment to building resilient security programs, organizations that invest in building more mature product security programs are better positioned to:
- Invest in advanced technologies: Higher budgets enable the adoption of cutting-edge technologies that enhance security capabilities, from advanced threat detection to proactive incident response.
- Employ dedicated resources: Financial reinforcement allows for the recruitment and retention of skilled professionals dedicated to medical device security, fostering expertise and experience within the organization.
- Conduct comprehensive training: Training initiatives, crucial for keeping security teams abreast of evolving threats, can be more robustly implemented with increased budgets.
- Support automation efforts: Budgetary support facilitates the integration of automation into security processes, streamlining operations and reducing manual intervention.
Confidence in postmarket incident response
A substantial 70% of survey respondents expressed confidence in their capacity to effectively mitigate post-market cyber risks in medical devices in a timely manner. When examining these results by the maturity of respondents’ companies’ medical device programs, we found that 3.6% of Level 1 companies expressed confidence, as opposed to 77% of Level 2 companies and an impressive 100% of Level 3 companies.
The data underscores a clear, compelling, and unsurprising trend: higher maturity levels in device security programs correlate with increased confidence in post-market incident response capabilities. The journey from firefighting mode (Level 1) to proactive and continuous security measures (Level 3) is mirrored in the ascending levels of confidence expressed by organizations.
62% of surveyed companies reported complying with the FDA Postmarket Cybersecurity Management regulation. Again, we found that medical device program maturity had an impact on this finding: 73% of companies at Level 3 maturity reported complying with this standard, as opposed to 54% of Level 1 companies and 56% of Level 2 companies.
The data underscores a clear correlation between maturity levels and compliance, with Level 3 companies leading the charge. As organizations mature in their security programs, there is a corresponding evolution in their commitment to meeting and exceeding regulatory standards.
Maturity and more
Understanding the maturity levels of medical device security programs is pivotal in navigating the evolving landscape. From ownership structures to budget considerations and regulatory compliance, maturity plays a central role. As MDMs strive to fortify their security initiatives, our survey provides crucial insights. For a comprehensive understanding, download the full report.