What is Medical Device Security?

Similar to our smart phones and computer, as technology advances so the the threat for large-scale cyber attacks. The bigger problem is when these attacks are against healthcare companies carrying millions of patients personal information; the attacks can lead to postponed surgeries, leaking information or even shutting down entire computer networks in hospitals.

Global healthcare cybersecurity is anticipated to spend more than $65 billion to 2021, and ransomware attacks on healthcare organizations are predicted to quadruple by 2020, according to a Cybersecurity Ventures report, noting that hospitals are most at risk.

In 2017, 21st Century Oncology agreed to pay a $2.3 million fine on December 12, 2017 to the Department of Health and Human Services for a 2015 data breach affecting more than 2.2 million patients. They additionally agreed to “to appoint a compliance representative, conduct a risk analysis, revise its cybersecurity policies and develop internal breach reporting procedures,” Fierce Healthcare reported.

This was one of many attacks which resulted in patients records being leaked, or millions in fines or settlements. The only positive outcome from cybersecurity negligence are the warnings given to other companies in the healthcare industry.

An overview of medical device security

The US Food and Drug Administration (FDA) states that “medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.”

With an increase from wireless technology and connected devices, the FDA finds itself in a place where it has to evaluate the threat level from attacks and the number of devices targeted; for example, a whole network of computers at a hospital.

The agency recommends for manufacturers of common devices to be aware of the risk involved with their product and take the proper precautions in order to prevent any type of hacking. This can be in the way of an update to their device, which isn’t typically reviewed before products are released and received FDA approval.

According to a report from Deloitte, medical devices have gotten more sophisticated, with network capabilities and complicated software. This has opened the door to sophisticated hacking tactics, which the medical world hasn’t directly dealt with before.

“Information technology, compliance, and risk executives in healthcare organizations will need to be able to anticipate and address present and future medical device security risks to safeguard patient safety and protected health information,” the report said.

Another report by Security Scorecard on healthcare cybersecurity risks said the threat of cyber health of the healthcare industry has dropped since 2016.

Steps to protecting medical devices

Communications of the ACM report on security with medical devices explained the industry must approach this issue with the guidelines put forth by the FDA by subscribing to these principles: Identity, Protect, Detect, Respond and Recover.

A number of recommendations on the issue is for the organizations to take it seriously and be on the lookout for their potential customers and patients. All of this to prevent what IoT For All called the nightmare scenario: death by hacking.

The report noted, “cybersecurity makes up only 4 percent of [75 percent of providers] overall IT budget, device manufacturers are embedding safeguards to mitigates the effects of device hacks.”

A 2017 study found over half of manufacturers and healthcare organizations are expecting attacks to their devices within the year.

While defibrillators and pacemakers may be at risk for being hacked, Dr. Dhanunjaya Lakkireddy told CBC News most of the risks are only theoretical at this point.

“There has not been a documented case of a cardiac device hacked in a real patient,” Lakkireddy said. However if a case did occur to disrupt these machines, the result could be deadly.

Investor takeaway

It’s clear healthcare companies need to focus more resources on cybersecurity, but they’re still just in the healthcare business—not information technology. To address this need, many big companies are investing money into cybersecurity companies focusing on healthcare, according to CP Insights. ClearData is one company that has received funding from the Merck Global Health Innovation Fund. Although ClearData is a privately held company, if publicly-traded companies follow suit from Merck (NYSE:MRK) by investing in cybersecurity companies, it may be a good place for investor consideration as these companies look to prevent attacks on medical devices.

Don’t forget to follow @INN_LifeScience for real-time updates!

This is an update to an article originally published in 2017.

Securities Disclosure: I, Gabrielle Lakusta, hold no direct investment interest in any company mentioned in this article.