With cybersecurity attacks on the rise, medical device manufacturers are under pressure to strengthen products against cyber threats and create a culture of shared responsibility and risk management.

According to the US Department of Health and Human Services (HHS) Office for Civil Rights, breach cases affecting more than 22.5 million individuals in the US are currently under investigation, a 4.6% increase compared to the same time last year.

Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health (CDRH) put cybersecurity at the forefront of his concerns during Advamed’s Medtech Conference in Boston. “We monitor an ever-increasing number of vulnerabilities in the US. You may not hear about all of this, but it is happening,” said Shuren. “This is the kind of stuff that keeps me up at 3 o’clock in the morning. This is a risk not for an individual product but a risk for patients.”

Developing a sophisticated cybersecurity program is an urgent priority for the CDRH as incidents threaten to compromise patient care. Shuren explained how ‘weak links’ in healthcare systems are creating opportunities for hackers to access data, disrupt care, and extract money. “We are seeing hackers becoming more sophisticated and from nation states. So, we really need to up our game,” said the director.

Due to the COVID-19 pandemic, medical device products are increasingly connected to technologies such as cloud-based capabilities, which increase the attack surface for hackers. Devices such as insulin pumps, heart pacemakers, inhalers, and wearables are particularly vulnerable as they track patient data in real-time and transmit information immediately to patient and doctor.

To mitigate risk, the FDA is encouraging manufacturers to leverage a “software bill of materials” (SBOM) program as a key building block in their software security and supply chain. The SBOM lists each software component making up a device, which can be shared to help track and manage vulnerabilities.

“The reason SBOM is important is because you can use it in risk management across the total product life cycle,” explained Aftin Ross, a senior special advisor for emerging initiatives in the Office of Strategic Partnerships and Technology Innovation at the CDRH. “You can use it during the development of a device when you’re actually thinking about what components you want to include, as well as in the post-market phase once the device is on the market and any additional risk needs to be managed.”
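The SBOM-driven check that Ross describes, run once during development and again whenever a new advisory arrives post-market, is simple to mechanise. The example below is added here and is not code from the FDA, the CDRH or any device manufacturer. It assumes a minimal SBOM whose field names follow the CycloneDX JSON layout ("components", "name", "version", "purl") and an advisory feed with half-open affected version ranges; the component names, versions and advisory IDs are constructed placeholders, not real products or CVEs.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed, minimal SBOM for a hypothetical connected device. Field names
# follow the CycloneDX JSON layout ("components", "name", "version", "purl");
# the component set and versions are made up for this example.
DEVICE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "tls-lib", "version": "2.3.7",
         "purl": "pkg:generic/tls-lib@2.3.7"},
        {"type": "library", "name": "json-parser", "version": "1.0.4",
         "purl": "pkg:generic/json-parser@1.0.4"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "5.2.0",
         "purl": "pkg:generic/rtos-kernel@5.2.0"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVEs; each entry
# names a component and the half-open affected range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-lib",
     "introduced": "2.0.0", "fixed": "2.3.9"},
    {"id": "ADV-EXAMPLE-0002", "component": "json-parser",
     "introduced": "1.1.0", "fixed": "1.1.3"},
    {"id": "ADV-EXAMPLE-0003", "component": "rtos-kernel",
     "introduced": "5.0.0", "fixed": None},  # no fixed release published yet
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a tuple of ints so that
    versions order correctly (2.3.10 > 2.3.9). Non-numeric parts raise."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed). An open-ended range
    (fixed is None) means every version from 'introduced' onward is hit."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Cross-reference every SBOM component against the advisory feed and
    return one finding per (component, advisory) pair that applies.
    The same call serves both lifecycle phases: at design time it flags
    components to avoid, post-market it tells the update plan what to ship."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    # Whether a fixed release exists decides if this goes on
                    # the patch schedule or needs a compensating control.
                    "fix_available": adv["fixed"] is not None,
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in match_advisories(DEVICE_SBOM, ADVISORIES):
        print(finding)
```

Run as-is, the check reports two findings: the TLS library, for which a fixed release exists and can be scheduled, and the kernel, which has no fix yet and so needs a compensating control such as network segmentation until one ships. Real SBOMs carry richer identifiers (package URLs, hashes) and real advisory feeds use more elaborate range syntax, but the cross-reference is the same.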

Overall, preventing future problems becomes easier if intentional design takes place at the outset, she says. While older legacy devices are often unable to receive security patches, new devices need a security update plan in place for the entire device lifecycle. “If we can build these capabilities in at the beginning then it will enable us to have secure medical devices for a longer period of time and prepare them to go against cybersecurity threats.”

As the cyber landscape evolves daily, Jaap Qualm, VP Product Cybersecurity of GE Healthcare Systems, says companies need to prioritize risk management, instead of incident management. “When you design a medical device, you want it to be ready for whatever might hit those components. You need to assume that there will be software components that at some point face some vulnerability but if you design your device the right way and secure the network around it, then you already do the biggest portion of your risk management.”

As remote working picked up during the pandemic, healthcare organizations such as hospitals reported more security incidents—mostly malware and phishing email attacks. These attacks aim to gain a foothold in the enterprise network and steal valuable company data, typically using deceptive messages that persuade recipients to disclose sensitive information, open attachments, or click on links that install malware on their devices.

According to cybersecurity firm Darktrace, the proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March 2020 to more than 60% six weeks later.

The stress and urgency from COVID-19 weakened hospital resilience, with one incident at the Brno University Hospital, in the Czech Republic, causing an immediate shutdown to all the hospital computer systems. Pharma and contract research organizations were also victims of similar cyber-attacks that tried to steal proprietary R&D information about COVID-19 therapeutics. Many organizations are now adopting zero-trust network access, which asserts that no user or application should be trusted by default.

In the hardware supply chain, chip-based security has been a key focus for manufacturers since 2018, when researchers uncovered two major security flaws in computer processors, dubbed Meltdown and Spectre. The flaws allow untrusted applications to read protected portions of a computer’s memory, including areas where passwords and other private content are stored. A compromise could allow rogue JavaScript code running in a web browser to see supposedly protected information, compromising the computer and its user.

Chris Reed, director of Medtronic’s regulatory policy, said manufacturers are finding ways to work with healthcare delivery organizations to manage end-of-life product support. “The idea is to create rational update cycles. I don’t think healthcare delivery organizations want to see monthly patches for Windows on every medical device—they have thousands of devices they are managing. However, if it is taking two to three years to get an updated Windows operating system patch on medical devices then that’s also not acceptable. So, we’re working to define what those cycles should look like for both the manufacturers and healthcare delivery organizations.”

Vulnerabilities in the UK’s National Health Service (NHS) system have been the costliest, with a report published by the government estimating that the 2017 WannaCry ransomware attack cost the NHS a total of GBP92 million ($118.7 million), including GBP19 million ($24.5 million) in lost productivity and GBP73 million ($94.2 million) in IT costs such as restoring systems and data.

Cybersecurity spending soars

Investment in cybersecurity spending by healthcare providers is mounting, with GlobalData research indicating between 2020 and 2025, companies will increase their spend at a rate of 7.3%, from $869 million to $1.2 billion.

Since the start of the pandemic, M&A activity has accelerated, reaching around 40 deals a month towards the end of 2021. Big tech players such as Google and Microsoft have also increased their influence in the cybersecurity space and are leading some of the biggest deals. In early 2022, Google inked a $5.4 billion agreement to buy threat intelligence company Mandiant and paid $500 million to buy SOAR (security orchestration, automation and response) specialist Siemplify. Microsoft also purchased content moderation company Two Hat in October 2021, and, in July 2021, both cloud infrastructure entitlement management company CloudKnox and digital threat management company RiskIQ for $500 million.

To date, the highest-value deal in the space is Thoma Bravo’s $12.3 billion acquisition of enterprise security specialist Proofpoint in April 2021. According to research by GlobalData, companies specializing in zero-trust services, IoT security, threat intelligence, and enterprise security are among the most sought-after for acquisitions.

An analysis of GlobalData’s Job Analytics database indicates that hiring activity in cybersecurity across all healthcare industries is trending upwards. As of March 2022, there were almost 3,500 active jobs in medical devices, over 3,000 in healthcare, and almost 2,500 in pharmaceuticals. Particularly in medical devices, active jobs rose around the beginning of COVID-19 lockdowns.