Cybersecurity is an important consideration for many industries, but the healthcare, pharma, and medical device sectors are particularly susceptible to cyberattacks. Personal healthcare information is highly valuable to hackers, and the medical industry is known to be slow to adopt new technology and update existing products to patch security vulnerabilities. GlobalData forecasts that spending on cybersecurity in the medical device sector will grow from $869 million to $1.2 billion between 2020 and 2025, at a Compound Annual Growth Rate (CAGR) of 7.3%—only accounting for about 11.3% of health cybersecurity spending and 0.6% of the forecast global security spending of $198 billion for 2025. Read more in GlobalData’s recent report, Cybersecurity in Healthcare 2022.
Hackers can use personal healthcare information to target victims with fraudulent schemes related to their medical history, create fake insurance claims to buy/sell medical equipment, or acquire illegal prescription medications for their own gain or for resale. Unlike credit card information or personal identification information, medical history cannot be changed, making it much more valuable on the black market. Over 41 million individuals in the US alone were affected by healthcare data breaches in 2021, according to reports of breaches affecting 500 individuals or more by the US Department of Health and Human Services (HHS) Office of Civil Rights. Thus far in 2022, cases affecting more than 22.5 million individuals in the US are under investigation, which is a 4.6% increase compared to the same time last year. The HHS reports the largest breach for 2022 so far was the network server breach at Shields Health Care Group, affecting as many as two million individuals and involving personal information, home and billing addresses, diagnoses, and other medical or treatment information.
Interconnectedness via the Internet of Things (IoT) is important to devices like insulin pumps, heart pacemakers, connected inhalers, and wearable trackers, as it helps improve diagnosis, reduces costs, and allows remote monitoring and consultation. As such, medical device companies and their business associates are increasingly responsible for large amounts of sensitive electronic patient data and, without securing all components of the cybersecurity value chain, these companies will remain a primary target for data breaches. For example, in mid-2021 over 61 million records related to Apple and Fitbit users’ wearables were exposed due to an unprotected third-party database.
Regulatory bodies set the minimum requirements for medical device security, such as the FDA’s draft guidance on medical device cybersecurity or the EU’s Medical Device Regulation. Cybersecurity is a prominent concern, but many critical devices in use today are legacy devices unable to receive security patches or updates. Safety considerations can also delay updates to currently marketed products, and companies may lack the resources needed to seek reapproval for older devices needing more substantial security changes. To combat this, more regulatory bodies could enforce premarket requirements to provide a security update plan for a medical device’s entire lifecycle, like the Protecting and Transforming Cyber Health Care (PATCH) Act introduced to the US Senate in March 2022.