Headlines about new security vulnerabilities found in critical medical devices are increasing at a worrying rate. Ransomware attacks have targeted healthcare facilities and medical device providers with alarming success, compromising systems and encrypting critical data so that the systems cannot operate, then demanding a ransom payment to restore them to working order. Many medical device engineers have long assumed that their products are not targets for hackers and have not considered security a critical priority, taking the approach “if we don’t get this product out there is no company, so release it and we’ll sort out the security later”.

That now MUST change.

Due to their nature, medical devices are often deployed outside of the enterprise security network. They may be mobile or installed in the home, and both environments lack the protections found in a corporate space. Almost no one in the MedTech industry disputes its vulnerability to cyberattacks, but how to go about boosting security is an area that now needs vastly increased focus.

Some of the top priorities identified by the Center for Devices and Radiological Health in its 2019 regulatory science report (medtechdive.com) are leveraging big data and real-world evidence in regulatory decisions, enhancing medical device cybersecurity, and streamlining clinical trial design. It’s good to see MedTech executives waking up to the reality of the threat here.

As Aaron Zander, head of IT at HackerOne succinctly points out, “The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security. The repercussions of not acting now are deadly.”

 

The risks are real – sometimes life-threatening

81% of healthcare organisations have had their data compromised by a cyber attack in the last 2 years, according to KPMG. These vulnerabilities can result in potential harm to patients, financial loss for providers and loss of brand reputation, posing major challenges for medical device manufacturers.

So how well are you prepared?

Healthcare has all the operational complexities of other industries with the added responsibilities of keeping patients safe, ensuring patient health records are secure and keeping their facilities operational 24/7. We’ve seen in recent years, and indeed during the Covid-19 pandemic, that the healthcare industry is a primary target of increasingly sophisticated cyber criminals looking to install ransomware to steal patient health records or harm patients with connected medical devices such as insulin pumps or pacemakers.

This is where the risks get real: they are potentially life-threatening.
An example is the cybersecurity vulnerabilities identified in Medtronic’s MiniMed 508 and MiniMed Paradigm insulin pumps: a hacker could potentially connect wirelessly to a nearby device and change the pump’s settings, according to the FDA. This could allow a hacker to over-deliver insulin to a patient, leading to low blood sugar, or to stop insulin delivery altogether, leading to high blood sugar and a build-up of acids in the blood. This is clearly a seriously worrying situation, with more than just data loss on the line.

Abbott is also especially aware of cyber security challenges. It acquired St. Jude Medical in 2017, just months after short-selling investment firm Muddy Waters publicly claimed that St. Jude cardio devices were especially vulnerable to hacking. The crisis accelerated Abbott’s efforts to make cybersecurity a priority throughout its end-to-end product development process, rather than adding it on at the end when changes are more expensive and time-consuming. Abbott took the right approach, with cyber security experts working with its R&D, IT and engineering teams to ensure that they’re designing devices with the right threats in mind and accommodating those threats.

 

MedTech senior executives are now prioritising cyber security

It seems that senior executives are now stepping up and realising the need for an early cyber security focus in the medical device development process. As with Abbott, the cyber threat needs to be considered from the outset, and by all parties involved in a device’s inception, production and eventual launch to market.

A recent Deloitte survey in 2020 shows that half (50%) of the executives rated transformation of functions using digital and information technologies, cyber readiness, and economic issues as their highest priorities. Looking to future strategies, 69% of them said cyber readiness will be their highest priority in the next 5 years, clearly showing the need to balance digital transformation opportunities with cyber risk preparedness.

 

 

Deloitte’s findings prompted them to advise MedTech executives to “Prepare for and address, especially cyber and economic risks, but also policy and regulatory risks. With increased digitization, MedTech companies should be prepared to handle and mitigate cyber risks. The growth of connected medical devices renders medical devices to be susceptible to cybersecurity attacks.”

So, what do medical device manufacturers need to consider for cyber security?

We advise taking the following into consideration, among other areas:

Critical functionality of the device

Replication threat – how many devices could be accessed?

Patching limitations – can the devices be remotely updated and monitored?

Long lifecycle – can it stand up to security requirements for the next 10 years?

Cyber security vulnerabilities outside of the corporate network

The benefits of technology to the healthcare sector have been significant, but cyber security will now need to be an integral part of the medical device industry’s strategy. Interoperability will be critical to help the industry transition towards more digital technologies for health care while at the same time ensuring the safety and security of patients.
