AI-enabled medical devices present unique cybersecurity threats

AI-enabled medical devices present additional risks that must be closely considered. Credit: MUNGKHOOD STUDIO / Shutterstock

Between 2022 and 2027, leading data and analytics company GlobalData forecasts show cybersecurity spending by healthcare providers will grow at a compound annual growth rate (CAGR) of 12.5% from $6.1bn to $10.9bn. This is fuelled by cybersecurity attacks in healthcare, which have historically been highly damaging to companies and health services.

Synnovis, which provides pathology services to the National Health Service (NHS) as a public-private partnership, was subject to a ransomware attack in June 2024. This resulted in estimated costs of £32.7m ($43.7m), seven times the previous year’s profit, while causing serious disruption to the NHS through data breaches and delayed and cancelled appointments.

Medical devices are often highly connected within hospitals, providing a secure network for criminals to tap into. Due to these life-saving devices’ storage of highly sensitive data, they create a target for cybercriminals to extort organisations trying to protect their hospitals and patients. Thus, medical device companies’ spending on cybersecurity will grow at a CAGR of 12.9% from $631.2m to $1.2bn to try to defend their devices from attacks. Cybersecurity threats to traditional medical devices include data breaches, malware, and ransomware attacks. As medical devices evolve and incorporate AI, additional cybersecurity concerns emerge. A survey revealed that 61% of respondents acknowledged cybersecurity was already impacting the medical device industry, in response to inquiries regarding the timelines for technological disruptions within their sector. The US Food and Drug Administration (FDA) has approved over 1,000 AI-enabled medical devices, encompassing technologies such as AI-enhanced imaging machines and AI-integrated stethoscopes. Subsequently, the FDA has made specific cybersecurity warnings about these devices throughout their product life cycle. The specific cybersecurity issues include:

• Data poisoning – Malicious or fake data can be injected to distort model outcomes, affecting areas such as medical diagnosis.
• Model inversion/stealing – Attackers may deduce model details or replicate them, risking intellectual property theft and model integrity.
• Model evasion – Inputs can be manipulated to fool AI models into making incorrect predictions, reducing their trustworthiness.
• Data leakage – Hackers might access sensitive training or inference data from AI systems.
• Overfitting – Threats can force models to overfit by training the system on data with outliers and noise, rather than representative patterns. This reduces the system’s ability to understand real-world data, making it less adaptable and more vulnerable to errors and adversarial manipulation.
• Model bias – Attackers can manipulate data to introduce or exploit bias, including embedding specific data patterns to later alter the AI’s behaviour (backdoors) or skewing specific data.
• Performance drift – Cyber threats can cause gradual changes in data, which can degrade model performance over time and increase susceptibility to attacks.

Despite increased investment in cybersecurity, concerns from stakeholders and healthcare professionals persist that recent budget and staff reductions at the Department of Health and Human Services may undermine the security of medical devices. This is due to the critical role the FDA plays in this area. As well as this, Eric Decker, vice-president and chief information security officer at Intermountain Health, has reported that hospitals have implemented only about 55% of the recommendations for medical device security outlined by the Health Industry Cybersecurity Practices.

One contributing factor to this shortfall may stem from the device manufacturers’ urgency in expediting medical devices to market. According to a 2024 report by Cybellum on medical device security, a staggering 93% of respondents admitted they would prioritise rapid market entry over device security, which only 14% chose as a priority. This prioritisation leaves healthcare institutions vulnerable to cyberattacks. Compounding the issue is the challenge of detecting when a device has been compromised, further complicating the landscape of medical device security. Robust cybersecurity measures must be implemented at each stage of the device’s life cycle, as well as within hospitals, to protect the critical industry from attack. This will ensure that medical devices can continue to save lives and improve care, rather than being a point of entry for cybercriminals. AI-enabled medical devices present additional risks that must be closely considered, especially when training the model.

GlobalData’s business fundamentals senior analyst Ophelia Chan says: “Oncology continued to dominate as the leading therapeutic area for IPOs this year, highlighted by CG Oncology’s $437m upsized IPO—the largest and first of the year. The company’s robust clinical data and ability to secure substantial capital have contributed to its strong performance in 2024.”

After a quiet summer, the IPO market reached full swing in autumn when Bicara Therapeutics, Zenas BioPharma, and MBX Biosciences all opened on the NASDAQ on the same Friday in September. The ‘triple-header event’ saw the three companies pull in over $700m combined. It was no surprise that the surge in activity came after the Federal Reserve’s decision to lower interest rates for the first time in years, ushering in a more inviting funding environment. This fruitful month was a stark contrast to August, which saw a significant global stock market dip amid fears of a US recession.

In June, Telix Pharmaceuticals – an emerging player in the fast-growing radiopharmaceutical space – pulled a last-minute plug on its IPO. The Australian company had been planning to list on NASDAQ and was on course to raise $232m – a value that would have placed it high on the list of biotech IPO sizes this year. Telix cited that its board did not move forward with the plans due to market conditions at the time.

Numb feet, bleeding legs and dehydrated bodies mark their journeys – not to mention infectious diseases and psychological trauma. Studies have identified outbreaks of measles, diphtheria and malaria across Venezuela, while tuberculosis, typhoid and HIV, are also resurgent.

Australia could be one of the main beneficiaries of this dramatic increase in demand, where private companies and local governments alike are eager to expand the country’s nascent rare earths production. In 2021, Australia produced the fourth-most rare earths in the world. It’s total annual production of 19,958 tonnes remains significantly less than the mammoth 152,407 tonnes produced by China, but a dramatic improvement over the 1,995 tonnes produced domestically in 2011.

The dominance of China in the rare earths space has also encouraged other countries, notably the US, to look further afield for rare earth deposits to diversify their supply of the increasingly vital minerals. With the US eager to ringfence rare earth production within its allies as part of the Inflation Reduction Act, including potentially allowing the Department of Defense to invest in Australian rare earths, there could be an unexpected windfall for Australian rare earths producers.