Feature

Cybersecurity: building resilience into the medical device market

With cyberattacks on the rise, medical device manufacturers must invest substantial resources and expertise to mitigate the threat. Sally Turner looks at industry developments and the regulatory landscape and asks how the key challenges in this space can be overcome.


Medical devices have become a prime target for cyber-attacks, which can have a devastating impact on business operations and patient safety. The COVID-19 pandemic brought a sharp rise in these incidents, as criminal syndicates, nation-states, and individual actors capitalised on the stress the industry was under.

Devices susceptible to cyber-attack include vital signs monitors, insulin pumps, pacemakers, and imaging equipment such as Magnetic Resonance Imaging machines and Positron Emission Tomography scanners. As medical devices become more reliant on network connectivity, there is an increased risk that hospital networks may come under widespread threat, putting patients’ privacy, health, and safety at risk.

In the US, a 2022 report issued by the Federal Bureau of Investigation declared that 53% of digital medical devices in hospitals had serious, previously documented security issues. The same year, the European Union Agency for Cybersecurity (ENISA) published its annual Threat Landscape report, which declared that approximately ten terabytes of data were stolen by cyber criminals every month in 2022 as a result of ransomware attacks. ENISA also reported that approximately 60% of all organisations targeted by ransomware may have paid the ransom demands to mitigate threats to patient safety.

The European regulatory landscape 

The security of European medical technologies is currently regulated under the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations lay out comprehensive essential requirements for digital medical technologies and services, including Medical Device Software (MDSW) placed on the EU market. The MDCG 2019-16 rev.1 guidance on cybersecurity provides additional advice, and the Cybersecurity Act, the General Data Protection Regulation and the Network and Information Security Directive are also relevant. Together, this framework is intended to ensure the cybersecurity of a medical device from its inception, design, and development through to its end-of-life and decommissioning.

MedTech Europe, the European trade association for the medical technology industry, has recently published a ‘position paper’ outlining Europe’s vision for a resilient medical technology ecosystem. Along with stringent guidelines in this space, the report calls for “measures aimed at improving the level of overall digital literacy, and particularly, cybersecurity skills. The evolving cybersecurity threat landscape coupled with a significant European cybersecurity skills shortage is an untenable situation, and must be addressed.” 

Alexander Olbrechts, MedTech Europe Director Digital Health, says the update of the NIS Directive (NIS2) further emphasises the importance and responsibilities of the medical technology manufacturers in the supply chain to ensure a higher level of security in healthcare. 

“Also, medical technology manufacturers must ensure that third parties involved in device manufacturing and operation (e.g. hosting) have measures in place from a security and/or internal controls perspective,” he adds, “and support continuous improvement in information security through periodic assessments and certifications by independent external experts.” 

In drug development, every storage location and every transport hub is a supply chain risk, Walsh added. As demand for new treatments outpaces transport and manufacturing capacity, the stakes of supply chain management are quickly rising, he said.

US

In the US, the Food and Drug Administration (FDA) has faced criticism over concerns that internet-connected products used in healthcare could be subject to cyber-attack. Under FDA guidance published in March 2023, medical device submissions must now include specifics on how the manufacturer will ‘monitor, identify, and address’ cybersecurity issues, and manufacturers must make security updates and patches available on a regular basis. The FDA must also re-evaluate its medical device cybersecurity regulations at least every two years.

“The recent FDA guidelines for medical device cybersecurity offer a solid step in the right direction,” observes Charles Fracchia, CEO of Black Mesa Labs and co-founder of BIO-ISAC, an international organisation that addresses threats unique to the bioeconomy. “It is very encouraging to see this momentum and we would love this to include other centres beyond the Center for Devices and Radiological Health.”  

Challenges and solutions 

Fracchia adds that questions remain regarding products that do not fall under the FDA’s definition of a medical device. Instruments and equipment used across the bioeconomy, particularly in biomedical infrastructure, require the same security approach and need similar guidance, yet they are not covered by this regulation.

“The FDA needs to embrace cybersecurity as an intrinsic component of safety and expand to have core cybersecurity competency levels at its other divisions, like the Center for Drug Evaluation and Research and the Center for Biologics Evaluation and Research too,” he says. “As one example, language in these guidelines calls for including a software bill of materials which offers important advancements in securing our products at the starting point – the acquisition of software. Yet, we don’t include devices outside the definition of a medical device, and they are needed.” 

MedTech Europe applauds legislative intervention aimed at reinforcing shared cybersecurity responsibilities and curbing the emerging and expanding attack vectors used by would-be cyber-criminals. However, Olbrechts says the ongoing digital transformation of society, coupled with the lagging digitalisation of healthcare institutions, continues to position healthcare as a prime target for malign actors.

“MedTech Europe welcomed the revised Network and Information Security Directive (NIS2) as a means of reinforcing the digital resilience of states and businesses, while ensuring that they increase their investments in cybersecurity,” he says. “While we welcome such legislative intervention, the legislation should be combined with tangible investments in organisations’ security postures, resilience of digital tools and processes, and the investment in people and the skills necessary to deliver on such legislation.” 


Future outlook 

Effective global cybersecurity strategies require sound actions to improve overall cybersecurity postures and to broaden cyber resilience. Digital literacy, and in particular cybersecurity skills, plays a key part in this.

Olbrechts explains that action in this space can take many forms, such as investment in cybersecurity education and training within EU Member States’ national curricula (secondary and/or tertiary), as well as extra-curricular certificates, continuing professional development and life-long learning activities for relevant staff. Public-private partnerships are more important than ever to achieve these goals.

Leveraging the combined expertise of industry, EU Member States, academia, and civil society will be paramount. 

“Recent investments have not yet reached that ambition though,” observes Olbrechts, “and there still remains a global shortage of a sufficiently educated cybersecurity workforce trained to withstand and respond to the malign cyber activity of today.”

Fracchia agrees and adds that we need to look more broadly at the bioeconomy and identify opportunities for the reinforcement of cybersecurity best practices and, in some cases, regulation.  

“New materials, medicines, alternative foods, livestock, and food and beverages – all these rely on bioproducts that come through cyber-connected equipment. We need cybersecurity to be a priority; it defines our ability to access the entire supply chain, including everyday items like food and antibiotics. There is no safety without cybersafety.”
