Medical Device Manufacturers Struggle to Keep Up with Advances in Cybersecurity: Report
A survey conducted for Cybellum collected responses from 150 senior decision-makers
As medical devices become software-driven machines and cybersecurity risk evolves rapidly with each newly disclosed vulnerability, Cybellum, an Israel-based company providing services in the medical cyber field, released its Medical Device Cybersecurity: Trends and Predictions 2022 Survey Report this week.
The survey collected responses from 150 senior decision-makers of medical device manufacturers from the United States, Germany, the Netherlands, Belgium, the UK, Switzerland, Japan, Mexico, France, South Korea, and Canada. The experts were asked about their main challenges and how they plan to address them in 2022.
The report shows that companies are struggling with fragmented tools and technologies, especially the bigger players. The top challenge in 2022 is managing a growing set of tools and technologies, and the larger the company, the greater this challenge: small companies show agility, while larger companies report more of a struggle.
This may in part be explained by the lack of high-level ownership, with 75% of respondents noting they have no dedicated senior management taking responsibility for device cybersecurity.
Moreover, 55% of medical device manufacturers do not have a dedicated product security incident response team (PSIRT) in place. Almost 90% admitted they need to improve in key areas such as SBOM analysis and compliance readiness.
Across the board, one clear challenge rises to the top: the struggle to continuously manage and integrate product security throughout the product life cycle, from design through post-production. Respondents rank continuous management as the second-greatest challenge for today's security teams.
Another aspect of this report was highlighted by the Dark Reading website: only 27% of respondents said their company generates and maintains a software bill of materials (SBOM) for its products. Such a document lists every software component that goes into a product, which is vital for tracking unexpected dependencies and hidden vulnerabilities, as the Log4j debacle underscored. The May 2021 executive order from US President Joe Biden called out SBOMs as important to cybersecurity. Given that level of mainstream awareness and implementation, the low adoption rate is a surprise.
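To show what "tracking hidden vulnerabilities" with an SBOM looks like in practice, here is an added example (not from the report or from Cybellum) that walks a constructed CycloneDX-style SBOM and flags components whose version falls inside a constructed advisory range; the SBOM contents, the advisory entry and its label are all illustrative, not a real device's inventory or a real advisory feed.

```python
import json

# Constructed CycloneDX-style SBOM fragment (illustrative, not a real device's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
  ]
}
"""

# Constructed advisory list: (group, name, first affected, first fixed, label).
# A real PSIRT would load ranges and identifiers from NVD, OSV or vendor advisories.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.17.1", "EXAMPLE-LOG4J-ADVISORY"),
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_affected_components(sbom_json, advisories):
    """Return [(group, name, version, label)] for SBOM entries inside an advisory range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for group, name, first_affected, first_fixed, label in advisories:
            if comp.get("group") == group and comp.get("name") == name \
                    and is_affected(comp.get("version", "0"), first_affected, first_fixed):
                hits.append((group, name, comp["version"], label))
    return hits


if __name__ == "__main__":
    for hit in find_affected_components(SBOM_JSON, ADVISORIES):
        print("affected component:", hit)
```

Without the SBOM, the 2.14.1 copy of the library would be invisible to anyone who only knows the product's top-level name and version.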
When respondents were asked about their compliance posture, on average just 46% said they consider themselves compliant. The highest level of compliance is with FDA premarket regulations (54%). Currently, 78% say they do only what is absolutely necessary to remain compliant. However, progress is clearly on the roadmap for many companies, as improving the success rate of compliance submissions is marked as the third-highest priority for today's organizations.
"We embarked on this survey to gain a more comprehensive understanding of the main challenges facing product security teams at medical device manufacturers, as part of our effort to help to better secure the devices," said David Leichner, CMO at Cybellum.
"Some of our findings were quite surprising and highlight serious gaps that exist both in processes for securing medical devices and in regulation compliance."