
How benchmarking data can improve medical device security
Participation in benchmarking efforts can help medical device manufacturers better understand their security maturity and build more secure products in the future.
Medical device security is crucial to reducing risks and enabling patient care delivery across the healthcare sector. The FDA even requires that medical device manufacturers demonstrate that certain cybersecurity conditions have been met in premarket device submissions.
Regulators, manufacturers and healthcare organizations each play a role in ensuring that the medical devices that patients and providers interact with daily are secure. However, developing and maintaining medical device security standards remains a challenge.
The Medical Device Innovation Consortium (MDIC), a public-private partnership that brings together medical device manufacturers, regulators, providers and other key stakeholders, aims to provide clarity in this space. MDIC collects and disseminates benchmarking data to help manufacturers identify security blind spots and ultimately build more secure products going forward.
MDIC's efforts have come to life in the form of an annual medical device security maturity benchmarking assessment, conducted in partnership with the Health Sector Coordinating Council (HSCC) and Apraciti. It consists of a self-assessment that manufacturers can participate in at no cost. The assessment questions are based on the HSCC's Joint Security Plan (JSP), a product lifecycle reference guide to developing secure medical devices that was first issued in 2019.
However, the regulatory picture for medical device security has changed since the first report was published in 2022. Some cybersecurity regulations did not exist when the JSP was issued, but those regulations are now central concerns for healthcare stakeholders, including manufacturers such as Medtronic.
Jithesh Veetil, senior program director of digital health and technology at MDIC, and Chris Reed, senior director of cybersecurity policy at Medtronic, discussed persistent medical device security challenges and the ways in which benchmarking data has the potential to help medical device manufacturers improve their security programs.
Persistent medical device security challenges
The prevalence of legacy devices, a lack of visibility into device inventory and an increasingly complex cyberthreat landscape remain persistent medical device security challenges.
The FBI has issued warnings about security risks tied to legacy and unpatched medical devices, and managing the risks posed by legacy devices has long been a reality for the medical device industry. Legacy devices are not inherently insecure, but devices that no longer receive manufacturer patches or support can pose real risks.
In 2023, HSCC published guidance aimed at managing legacy medical device security risks, which it described as a "multi-faceted challenge."
"Healthcare organizations don't get reimbursed based on how new their equipment is. They get reimbursed on how many procedures they're doing or services they're offering," said Reed, who is on the cybersecurity executive committee that puts together MDIC's yearly report.
"So, sometimes the incentives in the system are just kind of broken, and we get cases where they're using devices that the manufacturers no longer really support."
Even so, Reed said that he has seen a lot of progress in the medical device security space. Reed pointed to the FDA's efforts to raise the bar for medical device security standards and provide comprehensive guidance on the subject as ways that the industry has made progress.
Aside from legacy devices, there are also challenges around communicating and measuring medical device security risks.
"One of the things I think is unique about security compared to other areas device companies are used to operating in -- and you'll see it even in the FDA's premarket guidance -- a lot of times risk in our industry is measured on past performance, like parts failing a manufacturing process, failing to seal something correctly, and all of a sudden it fails out in our monitoring," Reed said.
"Security is such a difficult thing because we're trying to predict future performance, like how they're going to resist new threats and new attacks. So, these are quite different practices we're trying to integrate into our quality systems at our companies and to get our leadership to understand."
Reed noted that the JSP, which MDIC's benchmarking assessment was built upon, has been a key mechanism in defining best practices in medical device security and, in turn, assessing how well organizations have been adhering to those practices.
The most recent MDIC benchmarking report, which consolidated anonymized responses from 27 medical device manufacturers, showed that manufacturers remain in an early-adoption state of employing the best practices laid out in the JSP.
Manufacturers know that there is room for improvement, but this benchmarking data provides an important view into industry-wide gaps and could be a key tool in informing future security actions for manufacturers.
Value of benchmarking data for medical device manufacturers
Having benchmarking data available can help security leaders build a case for additional security investments, hiring staff and purchasing new technologies, a 2023 report by Censinet and Ponemon Institute found.
Respondents reported valuing peer benchmarking data as a tool for establishing cybersecurity program goals and getting security buy-in from leadership teams.
Reed and Veetil suggested that benchmarking data, while not a fix for these persisting medical device security challenges, could provide manufacturers with information on the state of the industry that was previously not available.
"A lot of the industry is resource-strapped, particularly small and medium organizations," Veetil noted.
"Companies can utilize this free tool and get their posture and average scores in a very systematic way and use them to justify budgets."
Veetil said that all survey results are de-identified for the public report, and respondents will receive a personalized report shortly after completing the survey that gives them information on their organization's maturity score and posture relative to industry peers. The 2024 assessment is open for responses until Feb. 28, 2025.
"We use our scores to measure our progress and how we're doing, but also our scores contribute to how the industry is doing," Reed said of Medtronic's participation in the report.
"The scores help us in our leadership conversations about funding to say, 'Hey look, we're really behind on this and even compared to our peers and we really need to invest in this.' And so, we do use it to report up to our executive leadership about how we're doing and where we're focusing our resources to mature."
As manufacturers face increased demand to level up their security practices and deliver devices that are secure by design, benchmarking data can help them better understand their security gaps and address them accordingly.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.