MDIC Releases Medical Device Security Maturity Benchmarking Report

The medical device security maturity benchmarking report provides a baseline for assessing the current state of device cybersecurity efforts.

By Jill McKeon

Medical device security continues to be a top concern in the healthcare sector. The prevalence of legacy devices, the increasing interconnectedness of the sector, and the need for industry-wide standards in the medical device security space have presented numerous hurdles for the sector and could pose threats to patient safety.

To address these challenges and gain insight into the current state of the industry, the Medical Device Innovation Consortium (MDIC) released its first medical device security maturity benchmarking tool and report based on survey responses from 17 medical device manufacturers (MDMs).

In collaboration with Booz Allen Hamilton, MDIC leveraged the Health Sector Coordinating Council’s (HSCC) Joint Security Plan (JSP), a product lifecycle reference guide to developing, deploying, and supporting secure medical devices and health IT products and solutions, to develop 44 survey questions in four categories.

“There was no mutual understanding about shared responsibility between device manufacturers, hospital systems, and healthcare providers,” Greg Garcia, executive director for cybersecurity at HSCC explained in a June 2022 interview with HealthITSecurity regarding the survey.

“We quickly recognized that as a sector, we needed to be doing something about this rather than just staying in our corners.”

MDIC plans to publish the report annually, and MDMs can use the benchmarking tool as a resource to measure maturity in the future. Although the findings represent the maturity of just 17 MDMs, the report shed some light on the security postures and maturity of MDMs while sparking conversation and enabling critical benchmarking capabilities for the sector.

Key Findings

MDIC and Booz Allen Hamilton scored responses based on the Capability Maturity Model Integration (CMMI) framework, a JSP-recommended framework for assessing the maturity of products and services.

The CMMI scale ranges from zero, meaning “not initiated,” to five, meaning “optimized.” Respondents were asked questions about organizational structure, risk management, design control, and complaint handling.

The results varied greatly between surveyed MDMs, but the report found that “the industry as a whole has a low level of cybersecurity maturity, especially concerning Design Control.”

MDMs reported the highest levels of maturity when it came to organizational structure (an average of 1.68 on the CMMI scale). The organizational structure section questioned MDMs on roles and reporting structures, whether their product security functions were appropriately staffed, and other organizational inquiries.

The design control category, which questioned MDMs about how they manage security throughout the lifecycle of a device, held the lowest scores, at 1.42 on average. The findings indicated a need to prioritize vulnerability scanning and remediation, as well as an urgent need to establish end-of-life dates for supporting third-party components.

In addition, the report called attention to the importance of briefing organizational leadership on product security policies and conducting third-party risk assessments. Overall, the findings suggested that the industry has significant room for improvement.

Future iterations of the report with insights from a wider variety of MDMs will be crucial to helping the sector further assess its current shortcomings and identify security and operational gaps.

“With the release of this initial benchmarking study, the medical technology industry is now on a journey toward increasing cybersecurity maturity,” the report concluded.

“We hope that future benchmarks will attract additional participants and invite all in the industry to be a part of shaping MDM cybersecurity in the years to come.”