Shared Cybersecurity Risk Management in the Industry of Medical Devices

Abstract

The cybersecurity capabilities of Class 1 medical devices must be seriously addressed when the industry moves toward Industry 4.0. Many U.S. manufacturers are not committed to cybersecurity risk management because they pursue lower cost and shorter product life cycles, do not have sufficient knowledge of operating environments of hospitals, have defensive attitudes toward vulnerability disclosure, and reap quick benefits from the low-trust level among stakeholders and the unequal power between manufacturers and distributors. Only a few large U.S. manufacturers of medical devices have set up robust secure platforms and interoperable optimal standards that can elevate the security practices of entire global supply chain of Class 1 devices. Many small and medium-sized enterprises inside and outside the U.S. need to be equipped to co-foster cybersecurity values with large manufacturers through the coordination between government and industry regulations and the support of international organizations and local government policies.