Whitepaper

What the Medical Device Industry Can Learn From Past Cybersecurity Vulnerability Disclosures

Insights From 10 Years of ICS-CERT Data (2013–2024) and FDA Postmarket Cybersecurity Trends

Reading time: 17 minutes

July 28, 2025
In the 2022 update of our annual ICS-CERT cybersecurity disclosure analysis, we found that the rate of medical device advisories has increased by 490% since the release of the FDA Postmarket Cybersecurity Guidance in 2016, but appears to have plateaued. Read about the latest medical device vulnerability data trends and predictions for the future.

Executive summary

Since the FDA issued its Postmarket Cybersecurity Guidance in 2016, the rate of ICS-CERT medical device advisories has increased by 386%, reflecting growing transparency and maturity across the medical device ecosystem.
This updated 2025 report extends Medcrypt’s longitudinal analysis through 2024, highlighting emerging patterns in vulnerability disclosure, patching, and regulatory impact.

Key findings reveal that:

  • Vulnerabilities continue to cluster around user authentication and code defects — making up nearly 60% of all disclosures.
  • Patch references in advisories declined by 22% in 2024, despite new FDA enforcement authority under Section 524B.
  • Only 27 of the top 40 medical device manufacturers maintain any public vulnerability disclosure process.
  • Half of all vulnerabilities originate from just four manufacturers, demonstrating a clear divide between proactive and lagging programs.

This whitepaper provides data-driven insights into where progress has been made, where it has stalled, and what medical device manufacturers (MDMs) can do to strengthen cybersecurity maturity in 2025 and beyond.

Why it matters

Despite spending $10–20 billion annually on cybersecurity, the healthcare sector consistently ranks among the most targeted and least secure industries.
Regulatory fragmentation, economic misalignment, and clinical priorities often push security down the list of business imperatives.
As a result, security debt — vulnerabilities that originate from design, integration, or maintenance — is passed downstream to hospitals and patients.

Understanding these constraints is the first step toward systemic reform. This whitepaper provides insight into how industry and regulators can rebalance incentives, reduce security debt, and build sustainable, resilient healthcare technology systems.

Who should read

  • Medical Device Manufacturers (MDMs): product security, regulatory, and R&D teams focused on postmarket vigilance
  • Regulatory and Quality Professionals: responsible for FDA submissions and maintaining compliance with Section 524B and IEC 81001-5-1
  • Healthcare Delivery Organizations (HDOs): security and IT teams relying on manufacturer disclosures for clinical risk management
  • Policy and Standards Leaders: working on coordinated vulnerability disclosure (CVD), ICS, and cybersecurity harmonization

Key insights

  • Vulnerabilities have tripled since 2016, but the root causes remain unchanged.
  • Disclosure transparency is improving, but patching performance declined in 2024.
  • 59.8% of vulnerabilities still stem from authentication and code-related issues.
  • Researchers now drive two-thirds of all disclosed advisories.
  • FDA’s new Section 524B patch enforcement may redefine disclosure behavior in coming years.

Table of contents

  1. Introduction
    1. Purpose of the analysis and methodology
    2. FDA and ICS-CERT context: 2013–2024 data review
  2. Section I: Data Overview
    1. Data sources (ICS-CERT advisories, NVD, CISA)
    2. Scope of medical device advisories and vendor inclusion
    3. Disclosure trends since FDA postmarket guidance
  3. Section II: Observations From the Data
    1. Root Causes Haven’t Changed: 59.8% of vulnerabilities tied to code defects and user authentication failures
    2. Vulnerabilities by Device Type: imaging, patient monitoring, and infusion pumps dominate
    3. Relationship Between Device Type and Severity: imaging systems yield highest CVSS scores despite being non-life-sustaining
    4. Patch Frequency and Researcher Involvement: 77% of advisories include patches; 68% reference external researchers
  4. Section III: Industry Insights and Hypotheses
    1. The plateau in disclosure rates since 2022
    2. Disparities between mature and non-reporting vendors
    3. Three plausible reasons for lack of disclosures (non-connected devices, alternate reporting channels, immature programs)
    4. How researchers and FDA expectations are driving better transparency
  5. Section IV: Comparative Analysis — ICS-CERT vs NVD
    1. Purpose, scope, and audience differences
    2. Disclosure process and timeline comparison
    3. Why medical device-specific advisories rarely appear in NVD
    4. Quality, completeness, and CVSS discrepancies between systems
  6. Section V: Key Findings
    1. 386% growth in disclosures post-FDA guidance (2016–2024)
    2. 22% decrease in patch references in 2024 advisories
    3. 200 of 433 vulnerabilities originate from four major vendors
    4. Growing importance of coordinated vulnerability disclosure (CVD) maturity
  7. Section VI: Conclusions & Predictions
    1. ICS-CERT’s limited usability for end users
    2. Disclosure fatigue and plateau effect
    3. 524B enforcement as a catalyst for renewed momentum
    4. The shift toward proactive, supply-chain-integrated cybersecurity as the next frontier
  8. Appendices
    1. Appendix A: Data methodology and advisory frequency by year
    2. Appendix B: CVSS scoring and severity distribution
    3. Appendix C: Root cause definitions
    4. Appendix D: ICS-CERT vs NVD comparison chart
