Medical device industry falling behind on cyber security

The need for Cyber security is no longer an option – it’s needed, thanks to a real risk to all who live in modern society.

If you have a mobile phone, an email account, a bank account – anything that links you to the digital world where masses of information is stored online – you can be at risk. Even seeing your GP or having an operation opens you up to data breaches. How do you know a hospital receptionist won’t accidentally send your medical files into the public domain? Or perhaps your GP uses an old version of windows with a number of security faults that open patient databases vulnerable to data hacks?

The medical industry is under huge and constant threats of data breaches; but is there enough being done to protect it?

Medical devices and the use of technology in the healthcare industry is increasingly popular, giving healthcare providers easier and faster access to patient records to provide informed decisions and a better service based on the greater availability of information. However, it’s not only doctors and physicians who benefit from convenient medical devices; hackers are easily gaining access to them as well.

“Under siege”

“The medical device industry appears to be under siege by cyber criminals,” noted Phil Taylor, contributor to Fierce Biotech’s security blog. However, the key problem may be that they’re not “taking steps to defend itself”.

Recent surveys were carried out by the Ponemon Institute, an IT research organisation, and Synopsys, a security company. Together they found that, whilst members of the medical device industry were aware of the data risks, they were reportedly not doing very much to prevent them. Over 66% of medical device manufacturers and over 50% of healthcare delivery organisations said they expect a cyber-attack on at least one of the medical devices they make or use. Despite this, only 15-17% of these entities are actually doing something to help prevent the attack.

These are staggering findings…

Do we need stricter laws?

As cyber security – especially in the medical field – is relatively new compared to our longstanding laws and regulations, medical device manufacturers are not yet heavily regulated with strict impositions and sanctions. Whilst the Information Commissioner’s Office has the power to investigate and issue penalties, like fines and undertakings for general breaches, manufacturers can be left to their own devices in making sure their products are digitally safe and secure against cyber-attacks.

There also seems to be a lack of testing as only 9% of manufacturers and 5% of medical device consumers are reported to test their systems annually.

Understandable concerns

The global director of critical systems security at Synopsys, Mr Mike Ahmadi, is concerned with the way things are:

“The healthcare industry continues to struggle when it comes to software security. The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

A few years ago, worrying reports of hacked pacemakers hit the headlines. Even the former U.S. Vice President Dick Cheney reportedly had his pacemaker disconnected from its wireless function to prevent such a hacking. Whilst there have been no confirmed cases reported, the incident still serves as a dire warning of the potential dangers of leaving electronic medical devices without adequate security checks and measures. Medical device manufacturers and suppliers are already aware of the risks, but now they need to step up and take action in implementing cyber safety measures before lives are lost.

AA’s data breach: recovery may not be enough this time…

70% of smartphone users sharing more personal information through apps than they realise