MDIC Release Premiere Medtech Cybersecurity Maturity Benchmarking Report

The Medical Device Innovation Consortium (MDIC) today released its first benchmark report of the medical device industry’s cybersecurity maturity. The online tool, made in partnership with Booz Allen Hamilton, was developed to survey the medical device industry on cybersecurity practices. Additionally, it works to provide a baseline which will enable industry manufacturers, health delivery organizations (DHOs), and other stakeholders a pathway to more effectively establish long-term strategic plans to increase company-wide cybersecurity maturity and efficiently track progress.

MDIC collaborated with Healthcare Sector Coordinating Council (HSCC) and leveraged its 2019 Medical Device and Health Information Technology Joint Security Plan (JSP) framework to creating the survey.

“The goal of the MDIC Medical Device Cybersecurity Benchmarking Initiative is to measure cybersecurity maturity and benchmark across the industry to drive common improvements that reduce overall cybersecurity risk,” said Andrew Fish, MDIC president and CEO.

The released report revealed no correlation between the amount of a medical device manufacturer’s annual revenue and its cybersecurity score. For the companies participating in the initiative, results showed that the industry’s highest level of maturity was related to organizational structure and the lowest scores related to cybersecurity design control.

“It is well understood that you can’t improve what you can’t measure,” said Greg Garcia, cybersecurity executive director at the HSCC. “Increasingly, cyber safety must be measured against patient safety. Thanks to MDIC, we have a means to begin measuring how medical device companies using the JSP and other frameworks are improving cybersecurity design and development in medical devices that patient safety requires. For HDOs, this is an important resource for their cyber risk management programs.”

In addition to MDIC’s ongoing benchmarking efforts, the company’s Medical Device Cybersecurity Initiative Steering Committee — chaired by Rob Suarez, chief information security officer for Becton Dickinson — focuses on treat modeling, penetration testing, and coordinated vulnerability disclosure.

MDIC intends to publish an annual Medical Device Cybersecurity: Industry Benchmark Report that will serve as a resource and enable help the industry improve product security. The company noted that future benchmarking will ideally include an expanded cohort with broader representation across smaller and larger medical device manufacturers both in and outside the United States.

“As an industry, we must keep improving,” Rob Suarez said. “The MDIC benchmarking report provides a baseline for understanding the industry’s current cybersecurity maturity. For medical technology companies, benchmark data provides a useful tool in our collective journey toward advancing cybersecurity in healthcare. Knowing where we stand today can help all of us identify opportunities to boost cybersecurity and resilience, which are essential to protecting patient safety and privacy.”