Medical device vendors are disclosing more vulnerabilities as 'stigma' wanes, report suggests

The "stigma" surrounding cybersecurity disclosures is beginning to wane, encouraging more medical device vendors to release alerts about their products over the past two years, according to a MedCrypt report.

MedCrypt — a medical device security company — reviewed alerts that various medical device vendors have submitted to the Industrial Control Systems-Cyber Emergency Response Team, a program of the U.S. Department of Homeland Security, since 2013. In total, MedCrypt detected 47 cybersecurity disclosures from medical device companies, comprising 122 vulnerabilities.

Most of the disclosures MedCrypt identified — 74 percent — occurred after the FDA released its Postmarket Management of Cybersecurity in Medical Device Guidance in December 2016. Eighteen medical device companies have reported vulnerabilities since then, up from only six prior to December 2016.

The stigma surrounding cybersecurity vulnerabilities has historically led vendors to disclose only a limited amount of information "when absolutely necessary," MedCrypt suggests. However, this mentality might be shifting in light of the FDA's guidance, which contained several recommendations to help vendors manage cybersecurity risks, including a recommendation to disclose vulnerabilities.

"The stigma surrounding cybersecurity vulnerabilities is beginning to wane, allowing more medical device vendors to share information more freely," the report reads.

MedCrypt notes there's still significant room for improvement. Only seven of the top 36 medical device vendors have ever disclosed a cybersecurity vulnerability through the ICS-CERT system, and alerts related to surgical robotics, diagnostics, radiation oncology and clinical decision support devices seem lacking, according to the report.

"The 'bar for disclosure' will remain high for most vendors over the next six to 12 months, meaning that only the most serious vulnerabilities will be disclosed by the majority of vendors, but … [it] will begin to lower, meaning that vendors with more advanced cybersecurity competencies will release disclosures more frequently," the report reads.

To download MedCrypt's report, click here.

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.