Medical Device Cybersecurity Maturity Benchmarking Assessment

Upon completion of this survey, respondents will receive a high-level report containing the organization’s overall score, sub-score per category (Organization, Risk Management, Design Control & Complaint Handling) and a high-level depiction of current posture relative to industry peers based on the participating pool of Medical Device Manufacturers.

We hope these insights will enable medical device manufacturers of various sizes to better understand and measure their product security programs; to further adopt secure product development processes; and to build more robust, higher quality, medical devices that positively impact public health. While similar maturity models have been used previously by some medical device manufacturers (e.g., OWASP SAMM, CMMI, NIST), this benchmark is a first step to provide a standardized assessment custom to the medical device industry while building evidence-based data sets for on-going improvement.

Please note this survey does not provide a certification or attestation and should not be considered a substitute for completing a comprehensive security maturity assessment or for conducting a third-party security audit. Respondents may publicly disclose survey results for marketing purposes but by participating in this survey, each respondent acknowledges and agrees that (1) it will be clearly stated that these survey scores are based on a subjective self-assessment that yielded results which have not been certified by an objective third-party each and every time the respondent publicly discloses the survey scores in any and all media or discloses the scores to a third party, and (2) it will not indicate or imply that the Medical Device Innovation Consortium has certified or attested to the survey results.

• Once you select the “Continue to the 2024 benchmarking assessment” button, a new window will open. To initiate the survey, simply click “sign up now” and fill out the required information.
• Please answer each question to the best of your ability and revert to other colleagues for additional data, where relevant.
• This assessment should be completed by a cross functional team composed, but not limited to, Product Security, Quality, R&D, and Risk Management with direct responsibility and knowledge of the organization’s product portfolio and relative security posture. In a circumstance where a cross functional team is not able to complete this, we recommend a senior member of the Product Security Organization who can provide relevant and accurate responses to the survey.Only one assessment per company or organization is meant to be completed and submitted; duplicates will be discarded.
• You are strongly encouraged to refer to the JSP before answering each question. Specific line numbers of the JSP corresponding to each question have been added to help guide you.
• An explanatory note and additional guidance have been provided where needed. Each question includes an optional comment field to supply additional context at respondents’ discretion.
• For your convenience, all survey questions are available as a PDF in this document and may be freely shared with other members of your organization to assist with the survey process.
• You may save your progress and return to the survey at a later time by clicking the “Save and Continue Later” link at the bottom of the page.
• COMPLETION DEADLINE: December 13, 2024

For additional support, please contact cybersecurity@mdic.org

Read the 2023 Benchmarking Report here

Read the 2022 Benchmarking Report here