
Understanding the Maturity Levels of Medical Device Security Programs

The information and data below is taken from Cybellum's 2023 Medical Device Security Survey. To view the full report, click here: 2023 Medical Device Security Survey


The landscape of healthcare security is undergoing a transformative shift as medical devices become increasingly software-driven. This evolution introduces new challenges, from expanding attack surfaces to intricate supply chains. In this critical phase, medical device manufacturers (MDMs) grapple with the imperative of strengthening their device security programs. Our survey examines the current state of MDMs' device security, revealing insights into the maturity levels of their security programs, such as the difference in budget changes between teams at Level 1 versus Level 3 maturity.

Defining medical device security program maturity levels

In order to better understand how MDMs are approaching device security, we categorized medical device security programs into three maturity levels, defined as follows:

Level 1 – Firefighting

The first level of medical device security program is the most immature, characterized by:

  • Unorganized processes.
  • Manual security scans performed at the end of development.
  • Major compliance gaps.
  • No threat or device monitoring post-production.
  • Success relies on individual effort and is not repeatable.
  • Time-to-market suffers.

Level 2 – Passive Defense

Level 2 is the middle level of medical device security program maturity with the following characteristics:

  • Partially defined processes with few dedicated resources.
  • Basic security practices implemented periodically.
  • Basic tools used with manual work.
  • Improved compliance, but inconsistencies.
  • Time-to-market at risk; security gaps remain post-production.

Level 3 – FDA Ready Continuous Product Security

The final and most mature level of medical device security program maturity is characterized by:

  • Resources available at the executive and practitioner level.
  • Dedicated, highly automated processes for security and compliance.
  • Covers the entire product portfolio from design to post-production.
  • Efficient time-to-market with minimal risk.

Medical device security maturity findings

Figure: Product security maturity level across the medical device ecosystem (pie chart)

Our survey found that 19% of participants' companies have security programs at Level 1, 49% at Level 2, and only 32% at the highest level, Level 3. This indicates that the clear majority of respondents (68%) report their programs are below the desired maturity level.

Notably, 23.1% of smaller companies with fewer than 5,000 employees are at Level 1, compared to 7.1% of larger organizations with over 5,000 employees. This is in line with the recognition that larger companies, benefiting from greater resources, are more likely to achieve a higher level of maturity in their device security programs, aligning with the expectations set forth by regulatory bodies like the FDA.

Organizational ownership for medical device security

The landscape of medical device security program maturity is shaped by the roles that MDMs assign to steer security initiatives. These differ from company to company depending on their unique needs and structure. Regardless of who is tasked with championing product security, it should be a dedicated position and not a responsibility that can be added to other roles.

Figure: Organizational ownership for medical device security (2023 survey)

Our survey found that 28% of respondents’ companies assign responsibility for medical device security to the Chief/VP/Head of Product Security, 19% to the Chief/VP/Head of Compliance or GRC, and 17% to the Chief Information Security Officer.

These findings represent some notable changes from the findings of our 2022 survey. There was a subtle uptick in the Chief/VP/Head of Product Security and Chief/VP/Head of Compliance or GRC owning medical device security, from 25% to 28% and 14% to 19%, respectively. Most significantly, ownership by the CTO dropped from 25% to 12%.

We note that, despite positive strides in attitudes towards medical device security, 72% of surveyed MDMs still lack a dedicated function for product security. This glaring statistic underscores the overarching immaturity of product security programs in a significant majority of organizations.

Budget challenges for medical device security

Our survey found that 50% of respondents increased their device security budgets in 2023, while the rest maintained the same level of investment as in 2022. Interestingly, companies at more advanced medical device program maturity Levels 2 and 3 were more likely to increase their budgets than those at the more immature Level 1 (53% versus 32.1%). This may indicate that financial investments play a crucial role in achieving robust security postures.

Signifying a strategic commitment to building resilient security programs, organizations that invest in building more mature product security programs are better positioned to:

  • Invest in advanced technologies: Higher budgets enable the adoption of cutting-edge technologies that enhance security capabilities, from advanced threat detection to proactive incident response.
  • Employ dedicated resources: Financial reinforcement allows for the recruitment and retention of skilled professionals dedicated to medical device security, fostering expertise and experience within the organization.
  • Conduct comprehensive training: Training initiatives, crucial for keeping security teams abreast of evolving threats, can be more robustly implemented with increased budgets.
  • Support automation efforts: Budgetary support facilitates the integration of automation into security processes, streamlining operations and reducing manual intervention.

Confidence in postmarket incident response

A substantial 70% of survey respondents expressed confidence in their capacity to effectively mitigate post-market cyber risks in medical devices in a timely manner. When examining these results by the maturity of respondents' companies' medical device security programs, we found that 3.6% of Level 1 companies expressed confidence, as opposed to 77% of Level 2 companies and an impressive 100% of Level 3 companies.

The data underscores a clear, compelling, and unsurprising trend: higher maturity levels in device security programs correlate with increased confidence in post-market incident response capabilities. The journey from firefighting mode (Level 1) to proactive and continuous security measures (Level 3) is mirrored in the ascending levels of confidence expressed by organizations.

Regulatory compliance

Figure: Compliance with the FDA's postmarket cybersecurity guidance in 2023, by product security maturity level

62% of surveyed companies reported complying with the FDA Postmarket Cybersecurity Management regulation. Again, we found that medical device program maturity had an impact on this finding: 73% of Level 3 companies reported complying with this standard, as opposed to 54% of Level 1 companies and 56% of Level 2 companies.

The data underscores a clear correlation between maturity levels and compliance, with Level 3 companies leading the charge. As organizations mature in their security programs, there is a corresponding evolution in their commitment to meeting and exceeding medical device regulatory standards.

Maturity and more

Understanding the maturity levels of medical device security programs is pivotal in navigating the evolving landscape. From ownership structures to budget considerations and regulatory compliance, maturity plays a central role. As MDMs strive to fortify their security initiatives, our survey provides crucial insights. For a comprehensive understanding, download the full report.


Download the full report here.