With cybersecurity attacks on the rise, medical device manufacturers are under pressure to harden products against cyber threats and create a culture of shared responsibility and risk management.
According to the US Department of Health and Human Services (HHS) Office of Civil Rights, cases affecting more than 22.5 million people in the United States are currently under investigation, an increase of 4.6% compared to the same period last year.
Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health (CDRH), made cybersecurity a top priority at Advamed’s Medtech conference in Boston. “We are monitoring an ever-increasing number of vulnerabilities in the United States. You might not hear about all of this, but it is happening,” Shuren said. “It’s the kind of thing that keeps me awake at 3 in the morning. This is not a risk for an individual product but a risk for patients.”
Developing a sophisticated cybersecurity program is an urgent priority for CDRH as incidents threaten to compromise patient care. Shuren explained how “weak links” in healthcare systems create opportunities for hackers to access data, disrupt care and extract money. “We are seeing hackers becoming more sophisticated and coming from nation states. So we really have to up our game,” the director said.
Due to the COVID-19 pandemic, medical devices are increasingly connected to technologies such as cloud-based capabilities, which increase the attack surface for hackers. Devices such as insulin pumps, pacemakers, inhalers, and wearables are particularly vulnerable because they track patient data in real time and relay information immediately to patient and physician.
To mitigate risk, the FDA encourages manufacturers to leverage a “software bill of materials” (SBOM) program as a key part of their software security and supply chain. The SBOM lists each software component that makes up a device, which can be shared to help track and manage vulnerabilities.
“The reason SBOM is important is because you can use it in risk management throughout the total product lifecycle,” explained Aftin Ross, Senior Special Advisor for Emerging Initiatives in the Office of Strategic Partnerships and Technology Innovation at CDRH. “You can use it during the development of a device when you’re actually thinking about what components you want to include, as well as in the post-market phase once the device is in the market and any additional risk needs to be managed.”
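As an added illustration of the SBOM use described above (not code from the article or from FDA), the following matches the components listed in a minimal CycloneDX-style SBOM against an advisory feed; the SBOM contents, the advisory identifiers and the affected-version ranges are all constructed sample data, and the same check applies whether it is run at design time or against a fielded device.

```python
import json
import re

# Constructed, minimal CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "mbedtls", "version": "2.16.0"},
    {"type": "application", "name": "busybox", "version": "1.33.0"}
  ]
}"""

# Constructed advisory feed with placeholder identifiers (not real CVE numbers).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "zlib", "affected": ">=1.2.0,<1.2.12"},
    {"id": "ADV-EXAMPLE-002", "component": "mbedtls", "affected": "<2.16.0"},
    {"id": "ADV-EXAMPLE-003", "component": "openssl", "affected": "<3.0.0"},
]

def version_tuple(version):
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically.
    Non-numeric suffixes are dropped, so vendor-specific schemes need care."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def in_range(version, spec):
    """Check a version against a comma-separated list of <, <=, >, >= bounds."""
    v = version_tuple(version)
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, ">": lambda a, b: a > b}
    for clause in spec.split(","):
        op, bound = re.match(r"(<=|>=|<|>)(.+)", clause.strip()).groups()
        if not ops[op](v, version_tuple(bound)):
            return False
    return True

def match_sbom(sbom_json, advisories):
    """Return (advisory id, component name, version) for each affected component."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and in_range(comp["version"], adv["affected"]):
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits

if __name__ == "__main__":
    for adv_id, name, version in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {version} falls in the affected range")
```

Only zlib is flagged: mbedtls 2.16.0 sits exactly at the fixed version, and the openssl advisory has no matching component in this SBOM.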
Overall, preventing future problems becomes easier if intentional design takes place from the start, she says. While older legacy devices are often unable to receive security patches, newer devices require a security update plan in place for the entire lifecycle of the device. “If we can integrate these capabilities early on, it will allow us to have medical devices secure for a longer period of time and prepare them to deal with cybersecurity threats.”
As the cyber landscape changes daily, Jaap Qualm, vice president of product cybersecurity at GE Healthcare Systems, says companies must prioritize risk management over incident management. “When you design a medical device, you want it to be ready for anything that might hit those components. You have to assume that there will be software components that at some point will face some vulnerability, but if you design your device the right way and secure the network around it, you’re already doing the greatest part of your risk management.”
As remote working has resumed during the pandemic, healthcare organizations such as hospitals have reported an increase in security breaches, primarily malware attacks and phishing emails. Data attacks aim to gain a foothold in a corporate network and obtain valuable corporate data, typically using deceptive messages to persuade recipients to part with sensitive information, open attachments, or click on hyperlinks that install malware on their devices.
According to cybersecurity firm Darktrace, the proportion of attacks targeting home workers rose from 12% of malicious email traffic before the start of the UK lockdown in March 2020 to more than 60% six weeks later.
The stress and urgency of COVID-19 has weakened the resilience of hospitals, with an incident at the University Hospital in Brno, Czech Republic causing an immediate shutdown of all IT systems in the hospital. Pharmaceutical and contract research organizations have also fallen victim to similar cyberattacks that have attempted to steal proprietary R&D information on COVID-19 therapies. Many organizations are now embracing zero-trust network access, which asserts that no user or application should be trusted by default.
Chris Reed, Medtronic’s director of regulatory policy, said manufacturers are finding ways to work with healthcare delivery organizations to manage end-of-life product support. “The idea is to create rational update cycles. I don’t think healthcare delivery organizations want to see monthly Windows patches on every medical device – they manage thousands of devices. However, if it takes two to three years to get an updated Windows OS patch on medical devices, that is also not acceptable. So we are working to define what these cycles should look like for both manufacturers and healthcare delivery organizations.”
Vulnerabilities in the UK’s National Health Service (NHS) system have been the costliest, with a report released by the government estimating that the 2017 WannaCry ransomware attack cost the NHS a total of £92m ($118.7m), including £19m ($24.5m) in lost productivity and £73m ($94.2m) in IT costs such as restoring systems and data.
Cybersecurity spending soars
Investment in cybersecurity spending by healthcare providers is growing, with research from GlobalData indicating that between 2020 and 2025, companies will increase spending at a rate of 7.3%, from $869 million to $1.2 billion.
Since the onset of the pandemic, M&A activity has accelerated, reaching around 40 deals per month by the end of 2021. Big tech players such as Google and Microsoft have also increased their influence in the area of cybersecurity and are leading some of the biggest deals. In early 2022, Google signed a $5.4 billion deal to buy threat intelligence firm Mandiant and paid $500 million to buy security orchestration (SOAR) specialist Siemplify. Microsoft also bought content moderation company Two Hat in October 2021 and, in July 2021, cloud infrastructure rights management company CloudKnox and digital threat management company RiskIQ for $500 million.
The highest-value deal to date in the space is Thoma Bravo’s $12.3 billion acquisition of enterprise security specialist Proofpoint in April 2021. According to research by GlobalData, the companies specializing in zero-trust services, IoT security, threat intelligence and security are among the most sought after for acquisitions.
An analysis of GlobalData’s Job Analytics database indicates that cybersecurity hiring activity across all healthcare sectors is on the rise. As of March 2022, there were nearly 3,500 active jobs in medical devices, over 3,000 in healthcare, and nearly 2,500 in pharmaceuticals. Particularly in medical devices, active jobs increased at the start of the COVID-19 shutdowns.