Originally published on BleepingComputer, May 25, 2022
As medical devices become more connected and reliant on software, their codebase grows both in size and complexity, and they are increasingly reliant on third-party and open source software components. This forces security pros to address today’s rapidly evolving threat landscape.
In the hopes of helping security professionals better address cybersecurity and regulation, we conducted the 2022 Medical Device Cybersecurity: Trends and Predictions Survey Report, speaking to 150 senior decision makers who oversee product security or cybersecurity compliance in the medical device industry, to learn about their biggest challenges and how they plan to address them.
Remarkably, 99% of our respondents say that they are at least somewhat confident that they could manage a cyber attack — with a third of respondents calling themselves 100% confident. In addition, only 5% said that they believe their competitors are better prepared than their own business.
With the help of the data gathered in our research, we’re putting that declaration under the microscope, and asking — in today’s complex device development and delivery cycle, is it really possible to be 100% secure?
We used the data to look at different characteristics of cybersecurity readiness to learn where MDMs currently stand.
Putting 99% confidence in the spotlight
First, let’s look at the question of cybersecurity readiness from a risk exposure standpoint.
When asked which were their most exposed areas in device software security, 34% of respondents said that incident response is their largest gap. Without an incident response capability, a business still has some way to go on its journey to cybersecurity readiness. In addition, just 13% of companies said they have nothing to improve, far fewer than the 33% who estimated they are 100% ready.
Next, it’s essential to consider compliance, which is often assumed to be a “getting to zero” for security readiness. It’s notable that 37% of device security pros say compliance readiness is actually their most exposed area. While being compliant doesn’t automatically mean you are secure, it’s tough to be secure without being compliant first.
The regulation with which respondents are most compliant is the FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and yet only 54% of companies report compliance with it, with 46% admitting they are not yet compliant.
As medical regulation around cybersecurity catches up with today’s complex device software ecosystem and new and emerging threats, it is likely that organizations will have a better benchmark with which to determine their security posture.
Cybersecurity testing tools: from design to post-production
At present, 53% of medical device companies do not use binary code analysis to validate the security of their code or to find risks in their supply chain. 46% set their security requirements in the design phase, while the remainder have no process in place for shifting security left, earlier in the development process.
Survey results revealed that almost two-thirds of companies rely on a monthly testing schedule for their device firmware, and companies often run DAST and binary code analysis even less frequently than that.
As organizations integrate continuous testing into all stages of the device lifecycle, from design and development to post-production, they will be better able to remain vigilant in the face of emerging threats and move towards greater cybersecurity readiness.
Start with vigilance, and readiness will follow
Currently, we can see that organizations are at different stages of testing and validation: they rely on a number of different tools and processes, and they are still getting to grips with new regulations and evolving requirements.
Medical device security is an emerging field, with cybersecurity regulations only just starting to be updated and enforced. It will certainly be interesting to revisit these respondents two, five, or 10 years down the line and see what challenges they have overcome after the initial stages of their cybersecurity readiness journey.
The truth is, no matter the confidence levels, being 100% cyber secure at all times is impossible, as both device software ecosystems and the cybersecurity landscape are constantly evolving. You may think you’re 100% secure for a moment, before a new vulnerability is discovered. The important thing is to be 100% vigilant.
With 99% of organizations seeing their budget grow in this area in 2022, teams building cybersecurity strategies need to make sure their cybersecurity practices are continuous rather than periodic or reactive. Automating cybersecurity processes across the device development lifecycle can enable security pros to address new risks as they arise.
Want to learn more about today’s MDM cybersecurity trends? Download the 2022 State of Medical Device Security Survey Report.