Medtech survey finds widespread cybersecurity noncompliance despite rising investment

Dive Brief:

• More than half of medical device companies think they are noncompliant with cybersecurity regulations, standards and guidelines, according to a global survey of 150 senior decision makers.
• The poll commissioned by Cybellum, a medtech security company, found that compliance with requirements ranged from 54% for Food and Drug Administration premarket submissions to 37% for International Medical Device Regulators Forum (IMDRF) cybersecurity principles and practices. Many of the surveyed decision-makers plan to become compliant with the various requirements this year. 
• Plans to improve compliance are part of a set of evidence that security is becoming a higher priority for medical device manufacturers. More than 80% of respondents see device security as a competitive advantage and almost every polled company increased its security budget this year. However, 78% of those surveyed indicated they are doing the minimum to achieve compliance and 80% view device security as a "necessary evil" imposed by regulators.

Dive Insight:

ECRI, a nonprofit that evaluates medical devices for safety and efficacy, put cybersecurity at the top of its list of medtech hazards for 2022, reflecting the potential for vulnerabilities to harm patients. The Cybellum survey, released on Wednesday and conducted by independent company Global Surveyz, supports the view that there is scope for the medical device industry to raise cybersecurity standards.

On average, 46% of respondents considered themselves to be compliant. Very few respondents have no plans to comply with security requirements, but the poll suggests it may take until 2023 or later for some companies to bring their practices in line with the rules. IMDRF cybersecurity principles and practices are the top priority for 2022, with 52% of respondents aiming to achieve compliance this year. Thirty-seven percent of respondents already consider themselves to be compliant. 

If the 52% of respondents achieve IMDRF compliance this year as planned, FDA postmarket management will likely fall to the bottom of the list. Today, 43% of respondents are compliant. A further 21% plan to become compliant this year but most, 33%, are aiming to achieve compliance in 2023 or later.

The Cybellum survey results come on the heels of the release of FDA's long-awaited draft cybersecurity guidance earlier this month.

The draft guidance, which replaces a 2018 document, lays out a total product lifecycle approach to cybersecurity with recommendations for how medical device manufacturers should address security in premarket submissions and in order to maintain their software-based products postmarket.  

However, 78% of the respondents to the Cybellum survey said their goal overall is to do the minimum needed to achieve compliance with FDA and IMDRF. The finding contrasts somewhat with the fact that 83% of respondents see device security as a competitive advantage, but is in line with the finding that 80% view device security as a "necessary evil" imposed by regulators and 79% prioritize time to market over security. 

The survey found evidence of attempts to be more proactive about security. Asked about their product security priorities for 2022, respondents listed the establishment of overarching governance practices and the integration of security earlier in the design stage as their top objectives. Respondents have more cash than ever to achieve those goals, with half of companies dialing up their security budgets by at least 26%. 

Having made the investments, 99% of respondents were at least somewhat confident in their ability to handle a cyberattack. One-third of respondents were 100% confident.

Cybellum contrasted the finding to responses to other questions, noting that the fact 65% of respondents test their device firmware once a month, at most, suggests companies may be more vulnerable than they think.

Comments are closed.