Medtech is a term used to describe technology and devices used in a medical care setting. Medtech is a broad category, and can include disposables, surgical equipment and procedure innovations, implant technology, biomaterials, connected health IT and essentially any and all devices with which a patient can be diagnosed or treated. These devices are almost always Internet of Things (IoT) devices or otherwise connected to a network, which makes them susceptible to cybersecurity vulnerabilities.
The healthcare industry is already a prime target for cyber attackers simply due to the amount of and value of data that is stored in and transferred between providers’ networks. In more recent attacks, cyber criminals have begun to more frequently attack the medical devices themselves, either for commercial gain or just to create difficulties for healthcare providers. Data breaches already pose a serious threat to the healthcare industry, but the malicious attacks against medtech devices put more than just personal health information at risk; they threaten the very wellbeing of patients everywhere.
In 2017, a ransomware known as WannaCry, infiltrated the network for the National Health Service hospitals in England and Scotland. Approximately 70,000 of their devices – including medtech devices – were affected by the attack. That same ransomware also affected a Bayer Medrad device, only referred to as a “power injector,” in an unnamed U.S. hospital. The contamination of the device, which is said to be used to deliver a contrast agent into patients, raised major concerns throughout the healthcare industry – namely that attackers could harm patients by altering their medication dosing.
The U.S. Food and Drug Administration (FDA) warned healthcare providers in 2015 that a specific networked infusion pump was vulnerable to being accessed and controlled by unauthorized users, but it took a malicious attack to bring real attention to the issue.
More recently, the FDA issued recommendations regarding safe guards that manufacturers of medtech devices should include in their submissions for networked devices:
- A hazard analysis that lists the cybersecurity risks considered and the cybersecurity controls incorporated into the device.
- A traceability matrix linking the actual cybersecurity controls to the risks that were considered.
- The manufacturer’s plans for validating and updating device software.
- A description of controls in the software supply chain.
The medtech industry and the security of networked medical devices is relatively new and is still growing and evolving. While manufacturers work to make their devices more secure, healthcare providers should take the initiative to protect themselves and their patients from malicious attacks by obtaining cyber risk services from a knowledgeable service provider that specializes in cyber insurance solutions for the healthcare industry.
About Highland Risk Services
At Highland Risk, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. With offices to serve you in Chicago, Illinois and Phoenix, Arizona, we do everything we can to make your experience with us as professional and transparent as possible. To learn more, contact us at (877) 890-9301.