Fragmented tool landscape biggest cybersecurity challenge to medical device makers

Continuous monitoring of security throughout the medical device product lifecycle also poses problems.

The top cybersecurity challenge faced by medical device makers is managing a growing set of tools and technologies, according to the results of a global survey released Wednesday by software risk assessment company Cybellum.

The survey, conducted by Global Surveyz, an independent survey company, polled 150 senior decision makers from North America, Europe and Asia. It shows that while device security is in its infancy, it is managed by many fragmented tools. "Siloed and fragmented processes and tools are much less efficient and effective and limit the ability to assess the business impact of device security on the organization as a whole," the report says.

It also finds that continuously managing product security is a huge challenge to device makers. Nearly half the survey respondents (43%) identify continuous management as the second greatest challenge facing security teams. In response to that challenge, 37% of the participants say they're making "shift left" a priority in their development lifecycles.

Medical devices can be hacked like computers

"If you shift left in the development process, the earlier you can detect vulnerabilities, the less it will cost you as a company," Cybellum CMO David Leichner explains in an interview. "Monitoring has to be continuous. You can't just check the device in the design phase. You have to check it as your developers integrate its components and software, to make sure no threats are introduced, and you have to be able to check it when it's in the market."

Trying to manage complex security challenges can be difficult if you don't have a cybersecurity mindset, Leichner adds. "These devices are computers. They can be hacked like computers. Until that becomes the mindset as these device makers, you won't have real security in the medical device industry."

Bare compliance minimum not enough for device security

The researchers also note that respondents seem to be ambivalent about cybersecurity. Eighty-three percent of the survey respondents (83%) say device security can give them a competitive edge in the market. Yet, 80% find it a necessary evil imposed by regulators. "Part of the reason for those opposing views has to do with the fact that, while there has been a lot of recalls for vulnerabilities, we haven't seen a hack of medical devices that has caused major, major damage," Leichner says. "It's expected that will happen."

In addition, more than three quarters of the participants (78%) say they do the minimum to achieve compliance. That may help explain why, on average, only half of companies are meeting their compliance obligations, the report notes.

Compliance standards usually regulate the minimal efforts needed for security, Leichner says, so if companies are doing the bare minimum perhaps they are not taking device security seriously enough, and instead are hyper-focused on getting products to market quickly.