The Medical Device Innovation Consortium is urging vendors to be more proactive in securing their devices. (U.S. Army)

A recently released medical device cybersecurity benchmark developed by the Medical Device Innovation Consortium and Booz Allen aims to support manufacturers with assessing their current security posture against needed standards, while urging these vendors to take a more proactive stance in developing their products for the healthcare sector.

A reactive security posture may work for other sectors, “there’s simply too much at stake for medical device manufacturers to not strive for a ‘left of boom’ approach to cyber in which robust cybersecurity protocols are in place before a cyberattack occurs,” the researchers wrote.

The benchmark includes a report generated from a survey of 44 questions to 17 device manufacturers, who provided insight into their current security processes based on the Capability Maturity Model Integration (CMMI) framework, which assesses product and service maturity.

The scale used ranges from 0, or not initiated, to 5, or “optimized.” The average composite score was a notable 1.51, or between “initiated” and “managed”), and only 35% of the vendors fell within the range of 1.5 – 1.99. Just 24% scored above this range. 

Equal proportions of manufacturers scored between 1.0-1.49 and 2.0-2.49, and “slightly fewer scoring between 0.5 and 0.99.” The highest average score was tied to organization structure with a score of 1.68, with both risk management and complaint handling receiving an average score of 1.47.

The manufacturers that scored highest in risk management maturity were larger companies, in terms of employees and revenue. But the researchers “found no correlation between the MDMs receiving low scores for risk management and reported size or revenue.”

Perhaps more notable, then, is that the report does show that the majority of device manufacturers don’t conduct routine third-party risk assessments.

The report shows that, again, there was “no clear correlation between higher maturity for third-party risk assessment and an MDM’s reported size or revenue, suggesting that this represents a key area for threat reduction and risk management across the industry.”

Overall, the findings indicate that “cybersecurity maturity varies significantly between MDMs,” and as a whole, the industry “has a low level of cybersecurity maturity, especially concerning design control.” 

Specific recommendations depend on budgets, priorities, and demographics of the manufacturer, but there’s an overwhelming need for most vendors to improve organizational leadership on security policies and procedures for products, establishing end-of-life dates for devices, and remediating medium to severe vulnerabilities within 60 days.

The researchers recognized the data’s limitations, based on the surveyed data and sample size, but the responses shine a light into the current state of cyber within the industry — and the vast room for improvement.

Further, MDIC and Booz Allen stressed that the report is meant to “stimulate dialogue as the medical technology community seeks to adapt to the ever-evolving threat landscape.” Industry leaders are asked to share questions and feedback.

SC Media has often reported on the need for these types of measures, as medical devices simply weren’t designed with security in mind. The Food and Drug Administration has signaled it’s working to bolster approval processes to include cybersecurity processes, but the legislative proposal to include those processes was left out of the recent FDA appropriations bill.

As it stands, the onus for designing devices with security in mind remains a voluntary action.

Since April 2021, MDIC has been collaborating with Booz Allen on this industry benchmark report that assesses the cybersecurity maturity of the medical technology industry. They chose the Healthcare Sector Coordinating Council’s Joint Security Plan as a metric, as a foundational element of the tool.

The recently issued report is designed to outline the current state of cybersecurity within the medical tech community, while providing actionable insights for developing and improving those security practices. The report will become a companion tool for other Booz Allen reports aimed at device manufacturers to highlight where vendors stand against the maturity benchmark.