Doctors looking at scan

Cyber attacks: How medical device manufacturers can protect themselves

Porträtfoto von Stephanie Carstensen
Stephanie Carstensen

Director Consumer Products & Retail Sector, EY Consulting GmbH | Deutschland

Contributors

5 minute read 18 Oct 2023

In healthcare, good prevention and rapid action in the event of cyber attacks can prevent damage and minimize risks.

In brief

  • The networking of different systems in the healthcare sector offers gateways for cybercriminals.
  • Any attack on a healthcare facility can not only have financial consequences, but also endanger the lives of patients.
  • The human factor must not be forgotten in all efforts to improve IT security.

Whether in the surgery room, in the laboratory or in nursing: digitization and networking are playing an increasingly important role in medicine. For more convenience, better data exchange or state-of-the-art treatment methods, more and more medical devices are connected to the Internet,  such as in the field of robot-assisted minimally invasive surgery. Pacemakers, insulin pumps or blood glucose meters send their data to smartphones via Wi-Fi, patient data is only stored digitally instead of on paper, and the digital patient file is intended to provide a remedy – for example, in the case of referrals to a specialist or a change of doctor. However, medical progress comes at a price. Increasing networking opens gateways for cyber attacks, which can have dramatic consequences. If, for example, patient data is no longer accessible to nursing staff and doctors after an IT failure, incorrectly dosed medication could be life-threatening. A manipulated device during heart surgery can lead to irreversible damage or even to the patient’s death. For this reason, manufacturers of medical devices are also obliged to assess corresponding risks, continuously review the products on the market and, if necessary, take corrective measures in accordance with regulatory reporting

Increasing connectivity in the medical industry opens gateways for cyber attacks that can have devastating consequences.

How EY can help

Hospitals, doctors’ surgeries, emergency services, laboratories, drug authorities, pharmaceutical companies, universities or manufacturers of medical devices – a cyber attack can affect any organization, as recent incidents show. The motives of the criminals are as varied as their methods. Extortion of ransom, identity theft, activists who want to make their concerns heard, but also cyber espionage and targeted – often state-sponsored – attacks on critical infrastructures (KRITIS) to unsettle the population play a role.

 

A hacker attack can not only have health consequences for patients, but also means the loss of sensitive data. This is not insignificant, because the health-related data is very personal and misuse could even allow identity theft. In addition, a cyber attack often involves considerable reputational damage and the loss of a lot of money for the companies concerned. If IT or production fails for a longer period of time, or if operationally necessary data and systems cannot be restored quickly, this can threaten the company’s existence. Moreover, anyone who pays the demanded ransom in the hope of quickly regaining access to the data may be liable to prosecution.

 

Raising protective shields: How medical device companies can prepare for cyber attacks

Even if the methods of cybercriminals are becoming more and more perfidious, surrender to cyber threats is not a solution. Suppliers of medical devices, in particular, have a responsibility in this respect, which, in fact, is also required by law. Cyber risks and vulnerabilities that may affect internal IT, production or manufactured products must be continuously analyzed and remedied. This is uncomfortable, but compared to a hacker attack that paralyzes production or entire facilities, it is still the lesser evil. In order to keep up with the methods of the attackers, however, a look at the technology alone does not go far enough. In addition to the products, the processes and regulatory requirements must also be considered. Along with a crisis plan, which should be regularly practiced in simulations, preparation therefore also includes building a powerful cybersecurity team with the necessary qualifications and competencies.

Even if the methods of cybercriminals are becoming more and more perfidious, surrender is not a solution.

In addition, companies should be aware that medical devices can already be manipulated in production. Operational technology (OT) environments in the medical field often consist of a variety of specialized devices connected to the network. These are usually only weakly armed against attacks, which is why it is also important to strengthen cybersecurity in this field. The “Zero Trust” approach can play a role in this respect by restricting access for users to the absolutely necessary level and basically verifying every data access.

Defense in case of emergency: What to do if the company has been hacked?

There is no such thing as one hundred percent security. With sufficient criminal energy and a great deal of effort, attackers can penetrate even supposedly perfectly secure systems. It is important to be aware of the dangers of a cyber attack and to act rationally to prevent from becoming an easy prey for hackers. If an incident occurs, it can be contained with an efficient and structured defense. Procedures and tools such as Incident Response (IR) or Security Information and Event Management (SIEM) should be used to detect, control, analyze and quickly lock out intruders in real time.

Cybersecurity is often seen as a niche topic that IT professionals are supposed to take care of. However, the fact is that phishing e-mails – namely e-mails containing  attachments opened without reflecting – are still one of the biggest gateways for cyber attacks. In hectic everyday life, computers are not always locked when leaving the workplace, there is hardly any time for software updates, passwords are written under keyboards and tablets so that sensitive patient data are openly accessible on trolleys in hospitals. Since every single employee, whether in medical facilities or at manufacturers of medical devices, is jointly responsible for ensuring the safety of the systems, all employees must be trained and emergency processes practiced. This also applies to reactive tasks, such as reporting to competent authorities, assessing risks (possibly also for patients) and informing employees and users in a timely manner. Cross-functional and even cross-departmental collaboration is essential and should also be part of regular training – for example in the form of a cyber crisis simulation. 

EY 612332 graphic

Investing in cybersecurity protects patients and businesses

With tight budgets, skills shortages and time pressures, cybersecurity is often seen as a mere cost factor that doesn’t make a significant contribution to patient care. But security in the area of IT, OT and products is more like an insurance: You hope you will never need it, but sleep more soundly when you have it. Ultimately, investments in information security protect medical care and thus the health and lives of many people.

Summary

In the MedTech industry, digitization and networking have brought great progress. However, these technologies also open gateways for cyber attacks that can have consequences for patients’ health. In addition to the loss of sensitive data or a halt in production, the affected companies are also threatened with reputational damage and high costs. Investing in cybersecurity helps prevent hacker attacks or minimize their impact on patients, medical device operators and users, and the healthcare industry as a whole.

About this article

Porträtfoto von Stephanie Carstensen
Stephanie Carstensen
Director Consumer Products & Retail Sector, EY Consulting GmbH | Deutschland
Sieht Cybersecurity als Thema, das jeden angeht; hat die Mission, Unternehmen gerade im Produktionsbereich resilienter gegen Cyberangriffe zu machen und sie darauf vorzubereiten.

Contributors

Related topics
Consulting
Cybersecurity
Technology
Digital
Health

Related article

If protection starts with perception, how do you see cybersecurity?

We believe the board should focus on cybersecurity – to truly understand why security by design is so important.

Roman Haltinner + 1

How do you balance technological progress and cyber risk in MedTech

To benefit and protect patients in today’s healthcare landscape, we need cutting-edge technologies coupled with robust security frameworks.

Mario Pesenti

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Limited, each of which is a separate legal entity. Ernst & Young Limited is a Swiss company with registered seats in Switzerland providing services to clients in Switzerland.