Increased data access opens wide medical device security vulnerabilities – Technologist

The latest GlobalData report, ‘Cybersecurity in Healthcare – Thematic Research’ reveals that increased data access means there are more opportunities for security vulnerabilities in the medical device sector.

Medical analyst at GlobalData, Ashley Clarke says the healthcare, pharma, and medical device sectors are particularly susceptible to cyberattacks.

“Medical history cannot be changed, unlike identification and credit card information, making it invaluable to hackers and resulting in high costs for healthcare data breaches,” he added.

A growing concern

Medical devices have become increasingly connected as remote medicine soared during the COVID-19 pandemic. Many companies now struggle to accommodate provider, patient, and third-party access to sensitive patient information while ensuring security.

Clarke says hackers can use healthcare information to create fake insurance claims, buy and sell medical equipment, or acquire illegal prescription medications.

“They can also target victims with fraudulent schemes related to their medical history, which are more believable than financial or legal scams due to the intimate nature of health information,” he added.

Lessons from the US

According to reports of breaches affecting 500 individuals or more by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights, over 41 million individuals in the US were affected by healthcare data breaches in 2021.

Cases affecting more than 22.5 million individuals in the US are currently under investigation this year, which is a 4.6% increase compared to the same time last year.

Devices like insulin pumps, heart pacemakers, inhalers, and wearables track patient data in real-time and even transmit to the user’s phone, making the data immediately accessible to both the patient and their doctor.

This increased data access has made the medical device sector more vulnerable.

This change in technology means that medical device companies and their business associates are now responsible for increasingly large amounts of sensitive electronic patient data and have been prey to significant data breaches in recent years,” said Clarke.

Without securing all components of the cybersecurity value chain, medical device companies will remain a primary target for hackers.

Clarke adds: “It’s crucial for companies to invest in a variety of technologies such as chip-based security, network security, and cloud security, at every stage of the product development to ensure patient information is safeguarded. Older legacy devices may be unable to receive security patches, but new devices should have a security update plan in place for their entire device lifecycle.”

Lessons from the UK

In the UK, the National Health Service (NHS) has been on high alert for cyberattacks following the 2017 WannaCry ransomware attack that disrupted 1% of all NHS care over a one-week period.

More recently it was again the victim of another attack albeit indirectly via the software company Advanced. Disrupted were NHS’ emergency services (111). Advanced currently has 36 NHS clients, while its Adastra software works with most NHS 111 services.  

Dean Sabri, principal analyst for health and social care at GlobalData, says investment in security software and infrastructure across UK healthcare organisations increased by 53% in real terms between 2016 and 2021.

“A cyber-attack on a large healthcare software supplier such as Advanced suggests that NHS organizations could be effectively wasting as much as £62 million if they do not require tighter security measures from suppliers in future procurements,” he concluded.