The stakes for cybersecurity are literally life and death in the medical device industry. As far back as 2013, then-US Vice President Dick Cheney had his doctor turn off the wireless connectivity in his pacemaker as a precaution, as the BMJ reports. The WannaCry attacks in 2017 to 2019 and other incidents show that was not merely paranoia – and this year's Access:7 vulnerability underscores the continuing threat to connected devices, including medical systems. While such events have raised awareness in the healthcare system about security threats, "the more that medical device manufacturers work to improve their cybersecurity capabilities, the more gaps they realize they have."
That's according to a report published this week by Cybellum. The report, titled "Medical Device Cybersecurity: Trends and Predictions," collected responses from 150 security and compliance decision-makers in the medical device industry worldwide.
The highlighted bar in the above graph shows that only 27% of respondents said their company generates and maintains a software bill-of-materials (SBOM) for its products. Such documents list all of the software components that go into a product, vital to tracking unexpected dependencies and hidden vulnerabilities, as the Log4j debacle underscored. The May 2021 executive order from US President Joe Biden calls out SBOMs as important to cybersecurity. The level of mainstream awareness and implementation is what makes this low adoption rate a surprise. It's an area to watch for next year's results.
The most implemented security measures in Cybellum's survey are running binary code analysis (47%) and setting security requirements during the design phase (46%). Binary analysis can reveal patterns of security flaws and audit for known vulnerable software elements. Addressing security concerns earlier, aka "shifting left," means developers can find and fix problems before they get deeply embedded and difficult to disentangle. The good news is that almost half of security decision-makers at medical device companies say they're using at least one of those techniques; the flipside is that more than half do not use them.
Other techniques medical device companies are using to secure their products include source-code static code analysis (SAST), performed by 41% of respondents; threat intelligence, by 39%; continuous security testing across the device life cycle, by 38%; educating developers on secure coding, by 27%; pen-testing/fuzzing, by 16%; and dynamic application security testing (DAST), by 14%.
The Cybellum report notes that "looking at the data segmented by types of companies, SBOM is more popular with OEMs (34%), compared to suppliers of medical device components (20%). The ultimate responsibility for the safety and security of devices lands on the OEM, which could explain why they make it a priority. Of course, both audiences have a long way to go."
For more insights, download the report from Cybellum.