Increasing connectivity in the medical industry opens gateways for cyber attacks that can have devastating consequences.
Hospitals, doctors’ surgeries, emergency services, laboratories, drug authorities, pharmaceutical companies, universities or manufacturers of medical devices: a cyber attack can hit any of these organizations, as recent incidents show. The motives of the attackers are as varied as their methods. They range from extortion (ransomware) and identity theft, through activists who want their cause heard, to cyber espionage and targeted, often state-sponsored, attacks on critical infrastructure (KRITIS) intended to unsettle the population.
A cyber attack can not only endanger patients’ health but also means the loss of sensitive data. This is far from trivial: health data is highly personal, and its misuse can even enable identity theft. In addition, a cyber attack usually brings considerable reputational damage and large financial losses for the companies concerned. If IT or production is down for a prolonged period, or if operationally necessary data and systems cannot be restored quickly, the company’s existence can be at stake. Moreover, anyone who pays the demanded ransom in the hope of quickly regaining access to the data may, depending on the jurisdiction and on who receives the payment, be liable to prosecution.
Raising protective shields: How medical device companies can prepare for cyber attacks
Even as the methods of cybercriminals become ever more sophisticated, surrendering to cyber threats is not an option. Suppliers of medical devices in particular carry responsibility here, a responsibility that is also required by law. Cyber risks and vulnerabilities that may affect internal IT, production or the manufactured products themselves must be continuously analyzed and remedied. This is uncomfortable, but compared to an attack that paralyzes production or entire facilities it is still the lesser evil. To keep pace with attackers, however, looking at the technology alone is not enough: processes and regulatory requirements must be considered alongside the products. Preparation therefore includes a crisis plan that is regularly exercised in simulations, as well as building a capable cybersecurity team with the necessary qualifications and competencies.
Companies should also be aware that medical devices can be manipulated as early as during production. Operational technology (OT) environments in the medical field often consist of many specialized devices connected to the network, and these are typically poorly hardened against attacks, which is why strengthening cybersecurity in this area is just as important. A Zero Trust approach helps here: access for users and devices is restricted to what is strictly necessary (least privilege), and every access request is verified on its own merits rather than being trusted because it originates from inside the network.
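As an added example of what "restrict access to the strictly necessary and verify every access" looks like in practice for an OT network, the following policy evaluator (written for this page, not code from the original article or from any vendor) decides each connection request on its own: a verified, unexpired session, an attested device posture and an explicitly allowlisted flow are all required, and anything else is denied. The device names, the three allowlisted flows and the session/attestation fields are illustrative assumptions.

```python
"""Deny-by-default (Zero Trust) access policy for networked medical/OT devices.

Added example, not code from the article. Device names, the allowlisted
flows and the session/attestation fields are illustrative assumptions.
Each request is judged on its own: verified session, attested device
posture and an explicitly allowlisted flow. Being "inside" the network
grants nothing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # device identity, not an IP address
    dst: str
    port: int
    proto: str


# The only flows these devices need in order to do their job (assumed).
ALLOWED_FLOWS = {
    Flow("infusion-pump-17", "pump-mgmt-server", 443, "tcp"),   # telemetry/updates
    Flow("hmi-line3", "plc-line3", 502, "tcp"),                 # Modbus/TCP from the HMI only
    Flow("pacs-viewer-ward2", "pacs01", 11112, "tcp"),          # DICOM
}


@dataclass
class Request:
    src: str
    dst: str
    port: int
    proto: str
    session_expires: Optional[datetime]   # None: no verified session at all
    device_attested: bool                 # firmware/posture check passed


def decide(req: Request, now: datetime) -> Tuple[bool, str]:
    """Evaluate one access request. Anything not explicitly allowed is denied."""
    if req.session_expires is None or req.session_expires <= now:
        return False, "no valid session"
    if not req.device_attested:
        return False, "device posture not attested"
    if Flow(req.src, req.dst, req.port, req.proto) not in ALLOWED_FLOWS:
        return False, "flow not allowlisted"
    return True, "allowed"


def evaluate(requests: List[Request], now: datetime) -> List[Tuple[str, str, int, bool, str]]:
    """Decide a batch of requests; returns (src, dst, port, allowed, reason) per request."""
    return [(r.src, r.dst, r.port, *decide(r, now)) for r in requests]


NOW = datetime(2024, 3, 1, 8, 0, 0)           # constructed reference time
VALID = NOW + timedelta(minutes=10)

# Constructed requests: one legitimate flow and four that must be refused.
SAMPLE_REQUESTS = [
    Request("hmi-line3", "plc-line3", 502, "tcp", VALID, True),
    Request("eng-laptop-4", "plc-line3", 502, "tcp", VALID, True),        # same port, not allowlisted
    Request("infusion-pump-17", "pump-mgmt-server", 443, "tcp",
            NOW - timedelta(seconds=1), True),                             # session expired
    Request("infusion-pump-17", "pump-mgmt-server", 443, "tcp", VALID, False),  # posture failed
    Request("infusion-pump-17", "pump-mgmt-server", 22, "tcp", VALID, True),    # SSH not needed
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS, NOW):
        print(row)
```

The point of the second sample request is that the engineering laptop sits on the same segment and speaks the same protocol as the HMI, yet is refused because the allowlist is keyed on device identity rather than on network location; a flat OT VLAN would have let it through.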
Defense in case of emergency: What to do if the company has been hacked?
There is no such thing as one hundred percent security. With sufficient criminal energy and effort, attackers can penetrate even supposedly perfectly secured systems. It is important to be aware of the dangers of a cyber attack and to act rationally so as not to become easy prey. If an incident does occur, an efficient and structured response can contain it. Procedures and tools such as an Incident Response (IR) process and Security Information and Event Management (SIEM) should be used to detect, contain, analyze and quickly lock out intruders, as close to real time as possible.
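To make "detect, contain and lock out" concrete, here is an added example (written for this page, not the article's or any SIEM product's code) of one correlation rule of the kind a SIEM runs: five or more failed logins from a single source address within five minutes, followed by a successful login from that address, is flagged as a probable brute-force compromise and the address is emitted for blocking. The log format (timestamp, host, `auth FAIL|OK`, user, source address) and the sample lines are constructed for the example.

```python
"""Minimal SIEM-style correlation rule run over constructed log lines.

Added example, not from the original article. The line format
(timestamp host auth FAIL|OK user=... src=...) is an assumption chosen
for the example; real SIEMs normalize many formats into a common schema.
Rule: >= THRESHOLD failed logins from one source within WINDOW, followed
by a successful login from that source, raises an alert and the source
is returned for blocking.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a password-guessing run against a PACS server that
# finally succeeds, one user who mistyped once, and one unparseable line.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 pacs01 auth FAIL user=admin src=10.0.5.23
2024-03-01T08:00:03 pacs01 auth FAIL user=admin src=10.0.5.23
2024-03-01T08:00:05 pacs01 auth FAIL user=root src=10.0.5.23
2024-03-01T08:00:06 pacs01 auth FAIL user=admin src=10.0.5.23
2024-03-01T08:00:09 pacs01 auth FAIL user=service src=10.0.5.23
2024-03-01T08:00:12 pacs01 auth OK user=admin src=10.0.5.23
2024-03-01T08:01:00 pacs01 auth FAIL user=jdoe src=10.0.7.8
2024-03-01T08:01:30 pacs01 auth OK user=jdoe src=10.0.7.8
2024-03-01T09:00:00 lab02 auth OK user=mmueller src=10.0.9.1
this line is not parseable
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation: many failures then a success from one source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # unparseable lines are skipped, not fatal
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            continue
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failures": len(recent), "at": ev["ts"].isoformat(),
            })
            recent.clear()          # one alert per successful burst
    return alerts


def block_list(alerts):
    """Source addresses to hand to the firewall or NAC for containment."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect_bruteforce_success(SAMPLE_LOGS.splitlines())
    for alert in found:
        print(alert)
    print("block:", block_list(found))
```

The window matters: the same five failures spread over an hour before a success would not fire, which keeps a rule like this from paging on ordinary typos, while the clear-after-alert step stops one burst from generating an alert on every subsequent login.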
Cybersecurity is often seen as a niche topic that IT professionals are supposed to take care of. The fact is, however, that phishing e-mails, in particular e-mails with attachments opened without a second thought, remain one of the biggest entry points for cyber attacks. In hectic everyday routines, computers are not always locked when leaving the workplace, there is hardly any time for software updates, passwords are written on notes under keyboards, and tablets with sensitive patient data are left openly accessible on trolleys in hospitals. Since every single employee, whether in a medical facility or at a medical device manufacturer, shares responsibility for keeping systems secure, all employees must be trained and emergency processes must be practiced. This also applies to reactive tasks such as reporting to the competent authorities, assessing risks (including risks to patients) and informing employees and users in a timely manner. Cross-functional and cross-departmental collaboration is essential and should itself be part of regular training, for example in the form of a cyber crisis simulation.
![](https://assets.ey.com/content/dam/ey-sites/ey-com/en_ch/topics/consulting/ey-612332-graphic.png)
Investing in cybersecurity protects patients and businesses
With tight budgets, skills shortages and time pressure, cybersecurity is often seen as a mere cost factor that makes no significant contribution to patient care. But security in IT, OT and products is more like insurance: you hope you will never need it, but you sleep more soundly when you have it. Ultimately, investments in information security protect medical care and thus the health and lives of many people.
Summary
In the MedTech industry, digitization and networking have brought great progress. However, these technologies also open gateways for cyber attacks that can have consequences for patients’ health. In addition to the loss of sensitive data or a halt in production, the affected companies are also threatened with reputational damage and high costs. Investing in cybersecurity helps prevent hacker attacks or minimize their impact on patients, medical device operators and users, and the healthcare industry as a whole.