Analyzing cybersecurity gaps in medical device procurement using NLP and vulnerability databases
摘要
Medical devices are increasingly connected to public networks, offering benefits such as remote diagnosis but also introducing new cybersecurity risks. One pathway to strengthening protection at the design stage is to ensure that procurement requirements explicitly incorporate cybersecurity terms and controls. This study examines how such considerations are represented in medical procurement within Indian public healthcare sector. We compile and standardize 760 e-procurement documents (2014–2024) from major public hospitals across the country and analyze them using natural language processing techniques, including Term Frequency-Inverse Document Frequency (TF-IDF), Non-negative Matrix Factorization (NMF), and regular expressions, to identify security-related clauses. In parallel, 123 CISA advisories (2018–2024) highlighting vulnerabilities in medical systems are mapped to the MITRE Common Weakness Enumeration (CWE) framework. Bridging these two datasets (tender documents and CISA advisories) reveals significant gaps: cybersecurity specifications appear in only 15% (114/760) of tenders, and high-risk CWEs such as CWE-287 (Authentication Bypass) are largely unaddressed. Operational terms (e.g., “warranty”: 82%) dominate over technical controls (e.g., “encryption”: <5%). The findings indicate limited integration of threat intelligence into procurement design and suggest stronger policy measures for enhancing vendor accountability through security-aligned tender specifications.