MedCrypt
Published in

MedCrypt

What Can Medical Device Manufacturers Learn from the 2021 ICS-CERT Advisory Data?

Since 2017, we’ve released an annual analysis of the changes in the ICS-CERT vulnerability disclosure data, the trends we see, and predictions for the future of medical device cybersecurity. This week we’re showing what we found in the 2021 data:

After a sharp rise in vulnerability disclosures caused by FDA’s 2016 postmarket cybersecurity guidance publication, the rate of advisories appears to have plateaued.

The nature of vulnerabilities disclosed suggests that the medical device industry is still new to the disclosure process. As vulnerability management programs mature, similarly to other industries, we would expect the rate of advisories to increase.

Root Causes

User authentication issues were the most common root cause for advisories. User authentication and code defects make up 61.4% of vulnerabilities disclosed since 2017.

This trajectory suggests that we would expect future advisories to focus on deeper “layers” of the technology stack as medical device cybersecurity matures.

The Role of Widespread Vulnerabilities

Widespread vulnerabilities like log4shell & Ripple20 made an impact across industries. While 15 of the top 40 medical device manufacturers reference at least one high-impact vulnerability on their website, we found no demonstrated impact of these kinds of vulnerabilities on ICS-CERT advisories.

This could be because medical device vendors don’t believe a vulnerability in a supporting software platform or application necessitates a disclosure on their part, as further validated by only one operating system related vulnerabilities being disclosed in 2021.

Frequency of Patching

Issuing advisories reflects active cybersecurity posture management of a device post-market. In fact, the frequency of patching has increased from 48.6% to 78% since the FDA guidance, revealing medical device manufacturers’ ability to address vulnerabilities through patches and updates.

But what happens once a patch is available? We won’t be able to patch fast enough and complete enough to become secure enough and therefore, as an industry, need to shift to a more proactive security approach.

Read the full white paper, What Medical Device Manufacturers Can Learn from Past Vulnerability Disclosures, to learn more about our data interpretations and predictions for the future of medical device cybersecurity.

You can also join the discussion by registering for the free webinar on April 6, 2022. Register today!

--

--

--

Proactive Healthcare Security in a Few Lines of Code

Recommended from Medium

Why Go Domainless? | JumpCloud

More than 60,000 Hosts Vulnerable to BlueKeep (CVE-2019–0708) in Latin America, Central America…

03 Sure-Fire Ways To Hack Facebook Messenger [2020 Updated]

03-sure-fire-ways-to-hack-facebook-messenger-2020-updated

Bash Tricks for Command Execution and Data Extraction over HTTP/S

{UPDATE} Puppet Show: Geliebte Rosie Hack Free Resources Generator

Cybersecurity Advice for your Mom

10 GDPR fines and what to learn from them

How a just-in-time VPN access might have helped in the case of the APT10 attacks

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
MedCrypt

MedCrypt

More from Medium

Digital Transformation: Transforming Physical Warehouses into Digital

Find and measure what's important (to you), only call it a KPI afterwards

Tips to protect your data, security, and privacy from a hands-on expert

The Monetization of Digital Consumption Data