Many medical device manufacturers skimp on safety practices
Cybersecurity issues are literally life or death in the medical device industry. As early as 2013, then-Vice President Dick Cheney asked his doctor to turn off his pacemaker’s wireless connectivity as a precaution, as reported by the BMJ. The 2017-2019 WannaCry attacks and other incidents show it wasn’t just paranoia – and this year’s Access:7 vulnerability underscores the continuing threat to connected devices, including medical systems. Although such events have raised awareness of security threats in the healthcare system, “the more medical device manufacturers strive to improve their cybersecurity capabilities, the more they realize they have gaps.”
That’s according to a report published this week by Cybellum. The report, titled “Medical Device Cybersecurity: Trends and Predictions,” gathered responses from 150 security and compliance decision makers in the medical device industry around the world.
The highlighted bar in the chart above shows that only 27% of respondents said their company generates and maintains a software bill of materials (SBOM) for its products. These documents list all of the software components that go into a product, which is critical for tracking unexpected dependencies and hidden vulnerabilities, as the Log4j debacle highlighted. U.S. President Joe Biden’s May 2021 Executive Order identifies SBOMs as important for cybersecurity. Given that level of awareness and official backing, the low adoption rate is a surprise. This is an area to watch for next year’s results.
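As an added illustration of what an SBOM makes possible (this code is not from the article or Cybellum’s report), the following Python checks a constructed CycloneDX-style SBOM against a constructed advisory list and reports the dependency chain through which a vulnerable component was pulled in; every package name, version and the advisory id is a sample placeholder.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical device service.
# Sample data only: names, versions and refs are placeholders, not a real product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app@3.2.0", "name": "app", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "telemetry-client@1.8.0", "name": "telemetry-client", "version": "1.8.0"},
    {"bom-ref": "log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "app@3.2.0", "dependsOn": ["telemetry-client@1.8.0"]},
    {"ref": "telemetry-client@1.8.0", "dependsOn": ["log4j-core@2.14.1"]}
  ]
}"""

# Constructed advisory feed: (placeholder advisory id, component name, first fixed version).
ADVISORIES = [("ADVISORY-PLACEHOLDER-1", "log4j-core", "2.15.0")]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Non-numeric parts (pre-release suffixes) are dropped; good enough for this check."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def dependency_path(sbom, ref):
    """Walk the dependency graph upward from ref to show how the component was pulled in."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, entry["ref"])
    path = [ref]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return list(reversed(path))  # root first, vulnerable component last


def find_affected(sbom_json, advisories):
    """Return one finding per SBOM component whose version predates the fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv_id, name, fixed in advisories:
            if comp["name"] == name and parse_version(comp["version"]) < parse_version(fixed):
                findings.append({"advisory": adv_id, "component": name,
                                 "version": comp["version"],
                                 "path": dependency_path(sbom, comp["bom-ref"])})
    return findings
```

Running `find_affected(SBOM_JSON, ADVISORIES)` reports log4j-core 2.14.1 reached via app -> telemetry-client -> log4j-core, which is exactly the transitive dependency a manual inventory tends to miss.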
The most widely implemented security measures in Cybellum’s survey are analyzing binary code (47%) and defining security requirements during the design phase (46%). Binary analysis can reveal vulnerability patterns and flag known vulnerable software components, even when source code is unavailable. Addressing security issues earlier, i.e. “moving to the left”, means developers can find and fix issues before they are deeply embedded and difficult to untangle. The good news is that nearly half of security decision makers at medical device companies report using at least one of these techniques; the other side of the coin is that more than half do not.
Other techniques that medical device companies use to secure their products include static code analysis of source code (SAST), performed by 41% of respondents; threat intelligence, 39%; continuous security testing throughout the device life cycle, 38%; training developers in secure coding, 27%; penetration/fuzzing testing, 16%; and Dynamic Application Security Testing (DAST), 14%.
The Cybellum report notes that “Looking at data segmented by business type, SBOM is more popular with OEMs (34%), compared to medical device component suppliers (20%). The ultimate responsibility for safety and device safety lands on the OEM, which might explain why they’re making it a priority. Of course, both audiences still have a long way to go.”
For more information, download Cybellum’s report.