Medical and healthcare technology is developing at a rapid pace. The COVID-19 pandemic accelerated the connected medical technology revolution with telehealth and remote patient monitoring prioritized as never before.
While the revenue benefits for technology manufacturers are clear – whether being the first to market a healthcare solution or monetizing data – there are significant cybersecurity, regulatory and compliance risks that keep business leaders up at night.
Irdeto recently partnered with both Censuswide and Guidepoint Global to conduct a quantitative and qualitative survey of senior executives at Fortune 1000-sized U.S.-based companies within various Internet of Medical Things (IoMT) fields. Specifically, we aimed to learn how both senior-level corporate execs (CEOs, CIOs, etc.) and product leaders (VP of Engineering, VP of Product, etc.) at medical device manufacturers, digital and mobile health companies and telehealth providers perceive their existing cybersecurity policies and processes as related to risk mitigation and regulatory compliance.
The survey asks questions about existing cybersecurity policies and processes, their hopes and fears for connected health – from compromised health data to direct attacks on the patient – and potential solutions to the growing vulnerabilities, risks and threats.
Confidence in cybersecurity among MedTech leaders lags
IoMT companies have the incredible challenge of establishing cybersecurity protocols and procedures that mitigate risk not just to their business assets, but also to the integrity of the products (software and hardware) and services that they bring to market. Failure to do so can result in data breaches and noncompliance penalties that put the company’s reputation and financial stability at great risk, not to mention the potential harm to patients.
Unfortunately, our survey found that only 13% of IoMT leaders believe their business is very prepared to mitigate future risks, while 70% believe that they are only somewhat prepared at best. Remarkably, about one fifth (17%) stated that their firm was not prepared at all.
This is concerning when considering that 80% of our survey participants report having suffered at least one cyberattack in the past five years, and it is all but certain that they face at least dozens of additional threats on a daily basis. The breadth of attacks targeting IoMT companies is also problematic. Our survey revealed that organizations have fallen victim to several attack techniques, including ransomware, malware, phishing, spoofing and DDoS, with customer databases, employee information and even R&D platforms being exploited.
Respondents unanimously reported concern over attackers’ ability to gain access to an environment where software is running, ranking the most significant vulnerabilities as security misconfiguration and broken authorization protocols, insecure network connections (including automatic guest Wi-Fi connection) and lack of defenses within API layers, among other risks.
MedTech leaders don’t trust cybersecurity tools
Data breaches are skyrocketing, as are ransomware attacks on hospital networks and medical devices. New threat vectors will compromise telehealth platforms, homecare devices and mobile apps, putting patients at a very real risk.
The industry must adapt in the same way the web did: plan for failure. Products need to be built on the assumption that security breaches will take place. There is no longer a single answer to security that can defend against the ever-evolving threat landscape. Security must be built in from the start and be layered and adaptable.
Currently, 53% of IoMT leaders report handling cybersecurity in-house, while the others outsource all or parts of the security strategy to partners. However, IoMT leaders are mostly bearish on cybersecurity, with 80% rating their organization’s cybersecurity products as just adequate, or not robust. Only 18% believe the security built into their medical device products is strong.
To mitigate risk, 21% of respondents believe that the most important aspect to implementing adequate protections will require a bigger cybersecurity budget, while 19% point to the need for greater cybersecurity expertise and another 19% cite the need for more effective tools.
When it comes to tools, 48% prefer to invest in more cloud-native services while 23% intend to seek out a remote consultancy. Only 8% of respondents report investing more in on-premise security services as a priority.
MedTech cybersecurity regulation: it’s complicated
80% of respondents believe that regulatory compliance is the biggest business benefit of implementing a strong cybersecurity strategy. Interestingly, however, only four in 10 rated themselves very aware/knowledgeable about forthcoming EU and US regulations, such as US FDA pre-market guidelines or EU Medical Device Regulation (MDR). Further, an astounding 28% – almost three in 10 respondents – report not knowing anything at all about forthcoming regulations.
Organizations are activating different plans to comply with existing and emerging regulations. Some respondents have escalated the issue to board level, while other organizations are appointing experts or turning to their legal teams. More, though, are partnering with external cybersecurity experts. These businesses provide technical prowess but also regulatory support – something our respondents were very keen to tap into.
Currently, an equal proportion (21%) reach out for software protection support and antivirus/anti-malware strategies. A fifth outsource firewall management, while around one in six need help with continuous security and a similar number seek mobile app protection.
Reducing IoMT risk requires cybersecurity and regulation expertise
It’s clear that as the healthcare sector becomes increasingly connected, the potentially costly impact of IoMT cyberattacks must be mitigated. Insecure devices and companion apps, and a lack of user understanding, present a variety of risks to safety and privacy in a critical industry.
Moving forward, vendors must be empowered to address cybersecurity issues arising from both emerging threats and new regulation, ultimately promoting the value of their products to medical teams and their patients.
Cybersecurity can be a minefield without the right expertise in place to make defenses as watertight, cost-effective and efficient as possible. But businesses that successfully align all of these aspects will help their customers deliver on critical outcomes and include patients securely in a healthcare revolution.