The security of medical devices is a major problem for the healthcare industry. Security of medical devices is still one of the biggest worries in the healthcare industry. There are several challenges facing the industry including potential risks to patient safety due to the existence of legacy devices, the industry’s growing interconnectivity, and the necessity for industry-wide standards in the medical device security space.
In order to address these issues and gain a better understanding into the current situation of the medical device industry, the Medical Device Innovation Consortium (MDIC) published its first ever medical device security maturity benchmarking tool and report based on survey results from 17 different medical devices. Based on survey responses from 17 the participating medical device manufacturers (MDMs), MDIC, created 44 survey questions in four categories using the Health Sector Coordinating Council’s (HSCC) Joint Security Plan (JSP), a product lifecycle reference guide for developing, implementing, and supporting secure medical devices and health IT products and solutions. The benchmarking tool will be available for MDMs to utilize as a resource to evaluate maturity in the future, and MDIC aims to publish the report yearly. The analysis shed some insight on the security postures and maturity of MDMs while encouraging discussion and offering crucial benchmarking capabilities for the industry, even if the data only represent the maturity of 17 MDMs.
Based on the Capability Maturity Model Integration (CMMI) framework, which the JSP recommends for evaluating the maturity of goods and services, MDIC graded responses with the help of Booz Allen Hamilton. The questions posed to the participants related to areas such as complaint management, risk management, organizational structure, and design control. While MDMs demonstrated a high maturity level with regards to organizational structure, they scored low levels of maturity for the design control category. The survey’s result highlighted the urgent need for MDMs to establish end-of-life dates for supporting third-party parts in addition to the necessity to prioritize vulnerability detection and remediation.
Furthermore, the research also emphasized the value of undertaking third-party risk assessments and educating organizational leadership on product security policy. Overall, the results indicated that there is tremendous opportunity for development in the sector. The sector will need aid from future editions of the study that incorporate insights from a larger range of MDMs to examine its existing weaknesses and pinpoint security and operational shortcomings..