Medical devices have become increasingly connected to guarantee equipment uptime and to bring exciting new functionality to patient care. Yet more connectedness brings more vulnerability, and hackers are taking note—healthcare was the most targeted sector in ransomware attacks in the first quarter of 2018. Both medical devices and patient data are susceptible to cyberattacks, but vendors and hospitals are taking steps to improve security. The MarkeTech Group interviewed a number of Chief Cybersecurity Officers (CCOs) at leading Medical Imaging and In-Vitro Diagnostic OEMs regarding their level of preparedness for cyberattacks and the solutions they have already applied to prevent breaches. We also reached out to our imagePRO™ panel, a representative sample of imaging directors in the US, to better understand the concerns they face regarding cybersecurity and how this influences their decisions.

Cyberattacks on medical devices are a major threat, but attacks on hospitals are a reality

Cyberattacks focusing on sensitive patient data are already commonplace. A highly publicized example is the attack on the National Health Service (NHS) in the UK in May 2017. In this instance, the WannaCry attack was used to gain access to thousands of NHS patients’ records and hold them for ransom. In many cases, the main entry point for the attackers can be traced back to human error, which is difficult to prevent solely through IT infrastructure and implementation. A recent survey highlights that 87% of healthcare professionals have used non-secure email to send sensitive information. Additionally, over one third of the survey participants had shared such sensitive information insecurely over cloud services such as Microsoft OneDrive or Google Drive.

Internet connectivity also means medical professionals can externally monitor and adjust patient devices such as pacemakers and artificial valves. It is now possible to remotely shut down a moving car, and similar attacks on medical devices would not be unprecedented. Some medical manufacturers have already recalled products precisely because they were vulnerable to such attacks, a partial list of which is available at the FDA website.

Vendors are partnering with cybersecurity firms…

From TMTG interviews, most if not all CCOs report directly to the CEO or provide updates to the Board of Directors, indicating how strategically important the issue is. One Chief Product and Solution Security Officer said that his company “monitor[s] activity but also [has] proactive patching.” They use encryption technology and constantly scan for vulnerabilities to determine when a patch is necessary, which he notes is not yet common practice in the medical device industry.

While some companies seek internal solutions to security challenges, others are partnering with software and IT firms. Startups like Vera Security and MedCrypt now work with MedTech companies to monitor and prevent outside sources from interfering with medical devices or accessing proprietary software and data. A Global Product Privacy and Security Director interviewed by TMTG said that, while cryptography and certificate management used to be handled internally, his company has since outsourced it to DigiCert, a software firm specializing in encryption, adding that his company “can’t do it all in-house”. Their concerns are valid: vendors’ reputation for cybersecurity is very or extremely influential to 41% of imaging directors polled.

…while hospitals are leaning towards human solutions

Hospitals, for their part, are leveraging various internal resources to solve the issue. Hospitals recognize that lack of IT expertise plays a role in data breaches, and 14% are looking to hire a senior information security leader in the next year. IT solutions for hospitals, like data loss prevention and incident detection, do exist, but are far from ubiquitous. One large medical device vendor actively collaborates with hospitals and healthcare systems to develop security solutions.

The need for cybersecurity will only increase

Such targeted attacks will likely increase for the foreseeable future. Medical vendors are making strides in securing their devices, and our interviewees expect real-time monitoring and vulnerability scanning to become common practice in the near future. Yet 31% of respondents in our survey have no dedicated cybersecurity team. The often outdated nature of healthcare IT infrastructure and medical device software opens up an opportunity for vendors to work with hospitals and provide value-added IT solutions with their hardware to ensure that patient data is airtight.

If you are interested in learning more about the details of TMTG interviews or wish to learn more about cybersecurity in healthcare, please contact TMTG. We strive to remain at the forefront of technological innovation, and we pride ourselves on using the expertise of industry professionals to help your company provide the best solutions possible.

Zach Moore
