Continuous monitoring of security throughout the medical device product lifecycle also poses problems. Credit: Leo Wolfert / Getty Images The top cybersecurity challenge faced by medical device makers is managing a growing set of tools and technologies, according to the results of a global survey released Wednesday by software risk assessment company Cybellum.The survey, conducted by Global Surveyz, an independent survey company, polled 150 senior decision makers from North America, Europe and Asia. It shows that while device security is in its infancy, it is managed by many fragmented tools. “Siloed and fragmented processes and tools are much less efficient and effective and limit the ability to assess the business impact of device security on the organization as a whole,” the report says.It also finds that continuously managing product security is a huge challenge to device makers. Nearly half the survey respondents (43%) identify continuous management as the second greatest challenge facing security teams. In response to that challenge, 37% of the participants say they’re making “shift left” a priority in their development lifecycles.Medical devices can be hacked like computers“If you shift left in the development process, the earlier you can detect vulnerabilities, the less it will cost you as a company,” Cybellum CMO David Leichner explains in an interview. “Monitoring has to be continuous. You can’t just check the device in the design phase. You have to check it as your developers integrate its components and software, to make sure no threats are introduced, and you have to be able to check it when it’s in the market.” Trying to manage complex security challenges can be difficult if you don’t have a cybersecurity mindset, Leichner adds. “These devices are computers. They can be hacked like computers. Until that becomes the mindset as these device makers, you won’t have real security in the medical device industry.”Bare compliance minimum not enough for device securityThe researchers also note that respondents seem to be ambivalent about cybersecurity. Eighty-three percent of the survey respondents (83%) say device security can give them a competitive edge in the market. Yet, 80% find it a necessary evil imposed by regulators. “Part of the reason for those opposing views has to do with the fact that, while there has been a lot of recalls for vulnerabilities, we haven’t seen a hack of medical devices that has caused major, major damage,” Leichner says. “It’s expected that will happen.” In addition, more than three quarters of the participants (78%) say they do the minimum to achieve compliance. That may help explain why, on average, only half of companies are meeting their compliance obligations, the report notes.Compliance standards usually regulate the minimal efforts needed for security, Leichner says, so if companies are doing the bare minimum perhaps they are not taking device security seriously enough, and instead are hyper-focused on getting products to market quickly. Related content news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO CSO and CISO C-Suite news Cybersecurity experts raise concerns over EU Cyber Resilience Act’s vulnerability disclosure requirements Open letter claims current provisions will create new threats that undermine the security of digital products and individuals. By Michael Hill Oct 03, 2023 4 mins Regulation Compliance Vulnerabilities opinion Cybersecurity professional job-satisfaction realities for National Cybersecurity Awareness Month Half of all cybersecurity pros are considering a job change, and 30% might leave the profession entirely. CISOs and other C-level execs should reflect on this for National Cybersecurity Awareness Month. By Jon Oltsik Oct 03, 2023 4 mins CSO and CISO Careers feature The value of threat intelligence — and challenges CISOs face in using it effectively Knowing the who, what, when, and how of bad actors and their methods is a boon to security, but experts say many teams are not always using such intel to their best advantage. By Mary K. Pratt Oct 03, 2023 10 mins CSO and CISO Advanced Persistent Threats Threat and Vulnerability Management Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe