Feature

Health hackers: why are medical device and patient platforms cybercrime hotbeds?

Cybercrime in healthcare has grown, but with the FDA clamping down on cybersecurity requirements for devices, is our medical cyber-future secure? By Robert Barrie.

Credit: GettyImages/Jaiz Anuar.

It seems no industry is safe from the cybersecurity discussion. From patient platforms to car manufacturers, hackers are after only one thing – money. 

But it is true that some industries – and thus organisations – are more susceptible and attractive than others. 

In August, the UK electoral commission, Northern Irish police force, and American energy giant Tesla were all victims of data leaks, and the healthcare industry has had its fair share of issues in 2023, too. 

In July, HCA Healthcare – one of America’s largest healthcare systems – was hit by a data breach affecting 11 million patients. There was also the unveiling that millions of medical devices in use across the NHS in England are unprotected against cybercrime, after a freedom of information request by Armis Security, a US cybersecurity firm. 

Such news means that there is patient worry about the health systems that their data is stored on, along with the devices their health depends on. Is the industry getting on top of cybercrime, or is a cybersecure future in health out of reach? 


Healthcare cybersecurity regulations 

When it comes to getting ahead on cybercrime, regions have only recently begun to take the bull by the horns, or the data by its firewall as it were, with specialised legislation. 

At the end of 2022, the US Senate passed the $1.7tn 2023 omnibus package. Included in it were powers given to the US Food and Drug Administration (FDA) to ask for cybersecurity requirements in submissions for medical devices by manufacturers. 

The FDA issued guidance in May that gave vendors a deadline of 1 October 2023 to prepare submissions meeting the new requirements. Therefore, at the moment, regulatory status for cybersecurity in medical devices is in a state of flux. 

The European Parliament passed cybersecurity laws of its own in late 2022 – which encompassed sectors including energy, transport, banking, and health. The Directive (EU) 2022/2555 on the Security of Network and Information Systems (NIS 2 Directive) belatedly gave products such as telehealth platforms, wearable devices, and in vitro diagnostics requirements to be cybersafe. 

Why is healthcare attractive for cybercrime?

“Cyber criminals have identified healthcare as a profitable industry that is easy to go after. Weak security posture, high pressure to restore operations, therefore, more likely to pay,” Axel Wirth, chief security strategist at MedCrypt – a company that provides data security for medical devices – tells Medical Device Network. 

Wirth adds that compared to other industries, healthcare is seen as having a less mature cybersecurity landscape. A survey by Indusface – a cloud-based application security company – found that over half of health and social care businesses have been targeted by a cyberattack. Only four other industries – education, arts and entertainment, accommodation and food, and real estate – reported a higher incidence of cyberattacks. 

The trends of cyberattacks in healthcare are telling. A 2022 report on healthcare cybersecurity by the Department of Health & Human Services shows a steady increase in data breaches from 2012 to 2021. Moreover, the average ransomware demand grew by 45% from 2020 to 2021. To put this into perspective, the largest ransom in 2020 was $30m, whereas in 2021 it was $240m. 

Breaches have affected over 42.7 million US citizens in 2023 so far, a 50% increase from the 28.4 million individuals affected in the same period in 2022.

Wirth continues: “We not only see a steady increase in breaches of healthcare organisations but also the category of malicious breaches – [this is] the sole driver of growth there.”

Hackers make no distinction between targeting manufacturers and individuals; Wirth explains it is about maximising profit, and extortion can be a big problem in healthcare. Sensitive data stored in specific institutions such as psychiatric hospitals or cosmetic surgery clinics means that patients themselves are being contacted and threatened with the leaking of their data.

Wirth says that attack trends are shifting and that hackers have identified internet of things (IoT) devices as a valuable target. Any device in a hospital, from a data platform to a security camera, can be used to shut down operations in a ransomware attack.

Ashley Clarke, medical analyst at GlobalData, says: “Hackers can exploit various entry points, ranging from physical medical devices in and outside of medical facilities to gaining unauthorised access to networks from nearly any connected device, medical or not. The implications of such attacks can be far-reaching, affecting patient privacy, interrupting healthcare services, and jeopardising the safety and effectiveness of medical devices.”

Wirth adds that care-disruptive events are much more difficult to recover from: “If your email is down, if your business systems are down, even if your electronic health record is down, you can still operate as a hospital, at least from an emergency perspective. But once your imaging goes down, once your heart pumps go down, it gets much more difficult.” 

Increased connectivity means increased risk

It’s no surprise that the recent wave of cybersecurity legislation comes amid a boom in connectivity among healthcare devices, with IoT a central pillar of how medical technology is used in healthcare. Its advantages are many, allowing decentralisation of health provision and empowering patients to take control of their own well-being and health monitoring.

And though there has been a small decline in the number of reported breach events – hinting that systems are beginning to get on top of cyber weaknesses – the prevalence of connectivity in healthtech means the risk will always be there.

The remote patient monitoring market is expected to reach $760m by 2030, growing at a CAGR of 8.9%. The future of telehealth looks promising too as more patients seek digital means to connect with healthcare professionals – the market is expected to grow to $3.8bn by 2030.

A key hurdle to both markets reaching their potential, however, is if patients can be guaranteed their data is safe amidst privacy concerns. For instance, Cerebral, a telehealth company, said earlier this year that 3 million patients on its platform were affected by a data breach.

“Connectivity is increasing. The traditional network enterprise boundary that was widely used as a control point historically, this is weakening, and we [now] have data in the cloud hosted by various providers. We now have devices that go home with patients and operate in a home care type of environment,” Wirth says.

“The challenges of designing a more secure device that can be operated without a lot of security around it in its operating environment, are being met by the industry. Maybe not as quick as some wish but I think we’re making progress.”

Clarke concurs, adding: “As we progress towards a more interconnected healthcare landscape, collaboration with cybersecurity experts, the adoption of advanced technologies like blockchain and zero-trust architecture, and prioritising data security will be vital to safeguard patient information and ensure continuous, secure care.” 

Who wins – hackers or authorities?

Reports of data leaks and security breaches in healthcare belie the efforts being made to produce cybersafe devices. Indeed, there is an apparent cyber-arms race in healthcare that in truth is seeing both sides make gains. The FDA’s Refuse to Accept policy for cyber devices gives an incentive for manufacturers to hasten cybersecure technology. If they can’t demonstrate cyber-safety, the device will be duly turned away.

Developing healthcare cybersecurity at the foundational level of medical devices is easier than trying to implement it later in the device lifecycle. It’s evident that clamping down on regulatory checkpoints in the infancy of health devices will give the industry lasting protection against the safety risk posed by hacking.

“Considering that medical devices typically have a long, useful life, and a very long development lifecycle, I think trying to win in a reactive approach in an arms race approach is unrealistic because cybertech moves within weeks or even days… [whereas medtech] …moves in years,” Wirth says.

“If we get the basics right, I think we have a good chance of providing more secure devices out of the gate that are easier to defend and can withstand a more aggressive future.”