By Steeve Huin, CMO, Irdeto
Connected medical devices, an integral part of the Internet of Medical Things (IoMT), continue to evolve at a rapid pace. In fact, Mordor Intelligence quantified the medtech market size at just over US$28 billion in 2020, and estimates it to grow by almost 19% each year to $94.32 billion in the next five years. While such projections are sure to delight medical device manufacturers, digital and mobile health companies and telehealth providers, this positive financial outlook is disrupted by the reality that connected medical devices are increasingly the target of cyberattacks.
The transition from traditional to connected healthcare is challenging security professionals worldwide. The number of observed cyberattacks on Internet of Things (IoT) devices rose by 300% in 2019 alone, and it’s estimated that 50 billion medical devices will be connected to clinical systems over the next decade, reaffirming the opportunity for hackers in the IoMT market. When a cyberattack is successful, patients and their healthcare providers become vulnerable to care disruption, identity theft, and financial fraud, among other types of criminal activity.
Stealing health records is a lucrative business for cyber criminals; they can be sold on the dark web for upwards of $1,200 per record, which is up to 200 times more valuable than financial records. This makes health records the most valuable personally identifiable information (PII) asset being traded by cyber criminals. Simply put, no other type of record currently provides as comprehensive and complete a picture of a person’s background and identity as a health record. And once a record is obtained, cyber criminals can harvest the sensitive information for personal financial gain by selling it to forgers, human traffickers, terror organizations, hostile countries, drug cartels, and other criminal elements.
Majority of medtech execs not prepared for cyberattack
Regulation in most countries puts a steep price on healthcare organizations that are compromised by cyberattack. For example, in the United States, a breach of HIPAA, enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), can have severe consequences; the average financial penalty for a breach in 2019 was close to $1.2 million.
Yet the fear of hefty fines doesn’t appear to be enough motivation for the IoMT industry to become more proactive about cybersecurity. Irdeto recently partnered with Censuswide and Guidepoint Global to conduct a quantitative and qualitative survey of senior executives at Fortune 1000-sized U.S.-based companies within various IoMT fields to better understand the state of cybersecurity in the market. Specifically, we aimed to learn how both senior-level corporate executives (including CEOs and CIOs) and product leaders (VPs of engineering, VPs of Product, etc.) perceive their existing cybersecurity policies and processes as related to risk mitigation and regulatory compliance.
The survey asked questions about existing cybersecurity policies and processes, their hopes and fears for connected health – from compromised health data to direct attacks on the patient – and potential solutions to the growing vulnerabilities, risks and threats.
While many of the results were astonishing, one particular result stood out: only 13% of IoMT leaders believe their business is very prepared to mitigate future risks, while 70% believe that they are only somewhat prepared at best. Remarkably, about one fifth (17%) stated that their firm was not prepared at all.
The survey also revealed that 80% of survey participants report having suffered at least one cyberattack in the past five years, and it is all but certain that they face at least dozens of additional threats on a daily basis. The breadth of attacks targeting IoMT companies is also problematic. Our survey revealed that organizations have fallen victim to several attack techniques, including ransomware, malware, phishing, spoofing and DDoS, with customer databases, employee information and even R&D platforms being exploited.
Further, 80% of respondents believe that regulatory compliance is the biggest business benefit of implementing a strong cybersecurity strategy. Interestingly, however, only four in 10 rated themselves very aware/knowledgeable about forthcoming EU and US regulations, such as US FDA pre-market guidelines or EU Medical Device Regulation (MDR). Further, an astounding 28% – almost three in 10 respondents – report not knowing anything at all about forthcoming regulations.
Finding solutions to IoMT threats is essential
There are signs that the connected medical device industry is beginning to take cyber threats more seriously. Just recently, the U.S. Food and Drug Administration appointed Kevin Fu, PhD as the agency’s first head of medical device cybersecurity.
But the magnitude of threats the industry faces cannot be successfully mitigated by regulation alone: it must be mandatory for top IoMT professionals to practice effective cybersecurity management.
To begin, stakeholders should re-assess how they tackle cyber risk and implement effective cybersecurity measures within their respective areas. Protecting software running on medical devices should now be the top priority, as software applications are becoming an increasingly significant part of the attack surface, and unprotected software applications can leave a trail of breadcrumbs that can be reverse engineered to disrupt a virtual care platform. As much as possible, these protections should be built into devices during the original R&D process, as it is much more of an arduous task to add cybersecurity once a product is in market.
Even as cybersecurity posture improves, there’s no telling what the next vulnerable entry point for hackers could be. Just recently the cybersecurity company ForeScout discovered that millions of IoT communication protocols remain vulnerable to cyberattack. If anything, this news reinforces just how big the threat landscape is. For this reason, it’s also important for executives to regularly monitor threats, evaluate their cybersecurity systems and keep pace with industry developments.
In truth, IoMT businesses simply cannot move forward and innovate effectively until there is ubiquitous cybersecurity that protects the most crucial data and devices from those who badly want to access and corrupt it. This is why securing connected medical devices has become an international emergency; a challenge that will take a mix of government, industry, company and individual ingenuity and accountability to solve.
We no longer have to preach the existence of threats – everyone knows they exist. But we must find ways to motivate connected medical device leaders into action, so we can begin to solve tomorrow’s healthcare problems without interruption, today.
About the Author
Steeve Huin is Chief Marketing Officer at Irdeto. He is a seasoned cybersecurity executive with nearly 20 years of experience in building products, driving engagement and revenue within the cybersecurity domain. Steeve has a wealth of market knowledge and experience in the video entertainment, mobile gaming and connected industries such as healthcare and transport. Steeve holds a master’s degree in Software Engineering and is well-versed in the international business landscape, having held key strategic positions in the Netherlands, Canada and China throughout his career. Prior to his current leadership role at Irdeto, Steeve was Co-Chief Executive Officer at International Datacasting Corporation (IDC), a technology provider to the world’s premier broadcasters in Canada.