Medical devices are becoming increasingly connected, but with these advances in technology comes greater exposure to cyber-attacks. To reduce risk, manufacturers will need to develop cybersecurity talent and build a culture of responsibility.

We live in a more connected world than ever before. We can control our homes, monitor our fitness levels and unlock our cars at the tap of a screen. Increasingly, we are also connecting to medical devices to gain deeper insight into our health in real time.

The industry is moving fast. Research suggests that 60% of healthcare enterprises have implemented the so-called Internet of Medical Things, and this is unlikely to slow down.

“One of the big new developments is the ability for individuals to buy medical equipment from the internet,” says Oliver Hoare, a cybersecurity expert and Director of Cyber Capacity Unit. “These include bio-sensors, inhalers, epi-pens, smart thermometers, and a variety of wearable devices which monitor heart rate or blood sugar levels, all of which are connected and often managed via online applications.”

But while increased connectivity in these devices can help both individuals and medical practitioners monitor wellness more easily, it is not without risks.

New ways in for attackers

Medical devices themselves are rarely a target, as they do not contain anything of much value to hackers, but they do create more points of entry for cyber attackers. Devices that connect to healthcare networks in particular can draw the attention of criminals, as they can be used as portals for attacking other systems.

The life-critical nature of healthcare and the sensitivity of its data mean the sector is vulnerable to ransomware attacks. If a hospital system is down for any amount of time then the stakes are high and so is the pressure to pay hackers the ransom.

Indeed, the UK government’s National Cyber Security Centre recently published a joint advisory with the US Federal Bureau of Investigation outlining some of the ways criminals use ransomware against hospitals. The warning highlighted that ransomware is a significant cyber risk for the health sector.

Hoare adds: “We have recently seen that hospitals are a target for ransomware attacks – currently these are aimed at enterprise or corporate systems, but it does not take much of a leap of imagination to see how this might directly affect medical devices.”

Tackling attacks with talent

To counter the increased cyber risk that comes with connected medical devices, manufacturers must ensure they have the talent to improve cyber security. Current in-demand profiles in the industry include cyber security, data integrity and information security subject matter experts.

It is important for individuals coming into these roles to understand the specific regulatory frameworks of the market. While the core skills of a cyber security expert might be the same at any organisation, in a life science context a certain level of knowledge is required to navigate the evolving regulatory requirements that exist within the sector.

As well as seeking external talent, Hoare says that, in the long term, it may be worth retraining individuals already familiar with the medical device industry. “This will take time of course, but it is all about cyber capacity building.”

He adds that in the immediate term, competitive salaries are likely to be key in recruiting cybersecurity talent. “To attract people into the industry, roles will have to be financially attractive to them, although individuals can also be attracted to doing good in the world and healthcare certainly offers that.”

Creating a culture of risk awareness

Of course, improving cyber talent alone cannot prevent risks. Attacks such as phishing scams only need one person from anywhere inside the organisation to let their guard down. For this reason, it’s vital that medical device manufacturers create a culture of risk awareness in order to minimise exposure to these types of attack.

One way of creating this mindset is to make sure cyber security is represented at the top of the company. By ranking cyber among the top risks to the business, alongside issues such as the pandemic or financial resilience, and discussing it at board level, directors of life science organisations can help mitigate the threat.

Through a culture of awareness, cyber security can become a foundational part of operations, which is key to successful risk management. “I would go as far as to say that security should be the starting point in product development. Trust and confidence are hugely important in the medical industry, and this attitude should be matched in cyber security,” Hoare says.

He adds that this must also be communicated in line with each organisation’s wider strategy: “We have developed some very successful awareness raising programmes within the critical national infrastructure sectors, but it is important that all this is done within a strategic context - you have to know where you are, where you are going and how to get there.”

And he warns against cutting corners: “This needs to be communicated at all levels of the organisation. This not only costs money, but is fundamentally about a culture change and building capacity.”

However, the good news for many life sciences organisations is that they are at a stronger starting point to build this culture than other industries.

Given the nature of their work, life science companies are very risk aware. If something were to go wrong with a medical device it could have fatal consequences, so from manufacturing to cyber security, risk is tightly controlled. The industry is no stranger to owning risk and operating under strict regulations.

 
