
By Jill McKeon, Associate Editor
Published: February 24, 2025
Medical device security is a critical aspect of healthcare: it aims to minimize risk to patients while enabling care to proceed. The Food and Drug Administration (FDA) even requires medical device manufacturers to demonstrate that they have met certain cybersecurity standards before their products reach the market.
Regulators, manufacturers, and healthcare organizations all have a role to play in securing the devices that patients and providers use daily. However, establishing and maintaining strong medical device security standards remains an ongoing challenge.
The Medical Device Innovation Consortium (MDIC), a public-private partnership, works to bring together medical device manufacturers, regulators, providers, and other key stakeholders. The MDIC aims to clarify the path forward. It collects and shares benchmarking data that helps manufacturers pinpoint security weak spots and ultimately build more secure products.
MDIC’s efforts have culminated in an annual medical device security maturity benchmarking assessment. The Health Sector Coordinating Council (HSCC) and Apraciti partner on this initiative. Manufacturers can participate in a free self-assessment. The assessment questions are based on the HSCC’s Joint Security Plan (JSP), a product lifecycle reference guide for developing secure medical devices, which was first issued in 2019.
However, the regulatory landscape of medical device security has evolved since the first report was published in 2022. Some cybersecurity regulations were not yet in effect when the JSP came out. Those regulations now weigh heavily on healthcare stakeholders, including manufacturers such as Medtronic.
Jithesh Veetil, senior program director of digital health and technology at MDIC, and Chris Reed, senior director of cybersecurity policy at Medtronic, recently discussed the persistent challenges in medical device security and how benchmarking data can help manufacturers improve their security programs.
Persistent Medical Device Security Challenges
Several challenges continue to plague medical device security. These include the prevalence of legacy devices, a lack of visibility into device inventory, and an increasingly complex cyberthreat landscape. The FBI has issued warnings about security risks associated with outdated and unpatched medical devices, and the industry has long struggled with managing the risks these legacy devices pose.
Legacy devices themselves are not inherently insecure, but devices that no longer receive manufacturer support, and therefore no longer receive security patches, can be vulnerable. In 2023, HSCC published guidance focused on managing legacy medical device security risks, describing it as a “multi-faceted challenge.”
“Healthcare organizations don’t get reimbursed based on how new their equipment is. They get reimbursed on how many procedures they’re doing or services they’re offering,” said Reed, who is on the cybersecurity executive committee that puts together MDIC’s yearly report. “So, sometimes the incentives in the system are just kind of broken, and we get cases where they’re using devices that the manufacturers no longer really support.”
Even with these challenges, Reed has seen significant progress in medical device security. He pointed to the FDA’s efforts to raise the bar for medical device security standards and to provide comprehensive guidance as examples of industry advancement.
Aside from outdated devices, communicating and measuring medical device security risks also present hurdles. “One of the things I think is unique about security compared to other areas device companies are used to operating in — and you’ll see it even in the FDA’s premarket guidance — a lot of times risk in our industry is measured on past performance, like parts failing a manufacturing process, failing to seal something correctly, and all of a sudden it fails out in our monitoring,” Reed said.
“Security is such a difficult thing because we’re trying to predict future performance, like how they’re going to resist new threats and new attacks. So, these are quite different practices we’re trying to integrate into our quality systems at our companies and to get our leadership to understand.”
Reed noted that the JSP, on which MDIC’s benchmarking assessment is based, has been instrumental in defining best practices in medical device security and, in turn, in assessing organizational adherence to those practices.
The most recent MDIC benchmarking report, which analyzed anonymized responses from 27 medical device manufacturers, revealed that manufacturers are still in the early stages of adopting the best practices outlined in the JSP. Manufacturers acknowledge room for improvement, and this benchmarking data offers a valuable view into industry-wide gaps. It could become a crucial tool for informing manufacturers’ future security actions.
Value of Benchmarking Data
Benchmarking data can help security leaders make the case for increased security investments, hiring staff, and purchasing new technologies, according to a 2023 report by Censinet and the Ponemon Institute. Respondents reported valuing peer benchmarking data as a tool for setting cybersecurity program goals and gaining security buy-in from leadership teams.
Reed and Veetil suggested that benchmarking data’s impact lies in providing manufacturers information on the state of the industry, which was previously unavailable. “A lot of the industry is resource-strapped, particularly small and medium organizations,” Veetil noted. “Companies can utilize this free tool and get their posture and average scores in a very systematic way and use them to justify budgets.”
Veetil said that all survey results are de-identified for the public report, and that respondents receive a personalized report shortly after completing the survey. This report gives them their organization’s maturity score and its posture relative to industry peers. The 2024 assessment is open for responses until Feb. 28, 2025.
“We use our scores to measure our progress and how we’re doing, but also our scores contribute to how the industry is doing,” Reed said of Medtronic’s participation in the report. “The scores help us in our leadership conversations about funding to say, ‘Hey look, we’re really behind on this and even compared to our peers and we really need to invest in this.’ And so, we do use it to report up to our executive leadership about how we’re doing and where we’re focusing our resources to mature.”
As manufacturers face increasing pressure to enhance security practices and deliver devices secure by design, benchmarking data can help them better understand their security gaps and address them effectively.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.