What Can Medical Device Manufacturers Learn from the 2021 ICS-CERT Advisory Data?

Medcrypt
Medcrypt Medical Device Cybersecurity Blogs
3 min read · Apr 1, 2022

Since 2017, we’ve released an annual analysis of the changes in the ICS-CERT vulnerability disclosure data, the trends we see, and predictions for the future of medical device cybersecurity. This week we’re showing what we found in the 2021 data:

After a sharp rise in vulnerability disclosures caused by FDA’s 2016 postmarket cybersecurity guidance publication, the rate of advisories appears to have plateaued.

The nature of vulnerabilities disclosed suggests that the medical device industry is still new to the disclosure process. As vulnerability management programs mature, similarly to other industries, we would expect the rate of advisories to increase.

Root Causes

User authentication issues were the most common root cause for advisories. User authentication and code defects make up 61.4% of vulnerabilities disclosed since 2017.

This trajectory suggests that we would expect future advisories to focus on deeper “layers” of the technology stack as medical device cybersecurity matures.

The Role of Widespread Vulnerabilities

Widespread vulnerabilities like Log4Shell and Ripple20 made an impact across industries. While 15 of the top 40 medical device manufacturers reference at least one high-impact vulnerability on their website, we found no demonstrated impact of these kinds of vulnerabilities on ICS-CERT advisories.

This could be because medical device vendors don’t believe a vulnerability in a supporting software platform or application necessitates a disclosure on their part, as further suggested by only one operating-system-related vulnerability being disclosed in 2021.

Frequency of Patching

Issuing advisories reflects active cybersecurity posture management of a device post-market. In fact, the frequency of patching has increased from 48.6% to 78% since the FDA guidance, revealing medical device manufacturers’ ability to address vulnerabilities through patches and updates.

But what happens once a patch is available? Patching will never be fast enough or complete enough on its own to make devices secure, so as an industry we need to shift to a more proactive security approach.

Read the full white paper, What Medical Device Manufacturers Can Learn from Past Vulnerability Disclosures, to learn more about our data interpretations and predictions for the future of medical device cybersecurity.

You can also join the discussion by registering for the free webinar on April 6, 2022. Register today!
