Life Sciences companies, particularly medical technology device manufacturers and healthcare facilities, have become increasingly vulnerable to cyberattacks. The advancement of IoT (Internet of Things), IoMD (Internet of Medical Devices), and SaMD (Software as a Medical Device) have certainly improved healthcare, patient-physician connectivity, and transparency, but they have also broadened the attack surface for cybercriminals.
What Are Some of the Key Cyber Security Vulnerabilities in the Life Sciences Industry
Cyber attacks on medical devices can pose severe, life-threatening implications. These network-connected devices not only collect large amounts of data such as PHI and PII, but they also deliver vital patient care, monitoring, or drug delivery services.
For example, the insulin pump has been found to be vulnerable to hacks in recent years; in 2019, MedTech company, Medtronic, issued a recall of its MiniMed remote controller for insulin pumps because of the discovery of a cyber security vulnerability in the device. If a bad actor were to hack this remote-controlled pump, they could regulate the amount of insulin a patient should receive causing an overdose or lack of insulin. More recently, FDA concerns were raised again over a new possibility of unauthorized access to the device by malicious actors
Similarly, pacemakers are subject to security vulnerabilities. While many device manufacturers of cardiac devices have not experienced a hack, the lack of authentication and encryption of these devices causes them to be extremely vulnerable – even to unskilled hackers. This reflects the serious lack of cybersecurity for medical devices. For example, half a million pacemakers made by Abbot were recalled by the FDA in 2017 due to a lack of security and outdated software.
Many ransomware attacks on healthcare facilities are fueled by vulnerabilities in network-connected medical devices. A lack of software patches and investment in cybersecurity protection, together with widescale use of legacy systems, make this industry a particularly easy target for both a cyberattack and large-scale data breaches. In fact, back in 2017, WannaCry was one of the first known ransomware attacks on networked medical devices such as radiological devices.
Clinical trials can also be affected by cyberattacks. For example, eResearchTechnology, which sells software to support clinical trials, suffered a ransomware attack in 2020 affecting the CRO (Contract Research Organization) IQVIA which managed AstraZeneca’s COVID-19 vaccine trial as well as Bristol Myers Squibb, a pharmaceutical manufacturer. Luckily, no patients were severely affected and according to the New York Times. It is unclear if ERT paid the ransom.
Regulatory Compliance Is No Longer Enough – Cyber Hygiene Is Vital
Medical device manufacturers and distributors have strict regulatory guidelines set forth by regulatory bodies such as the FDA or MDR and IVDR. Life Sciences companies must follow these guidelines to commercialize their products and maintain compliance with these regulations post-commercialization. This is a costly and complex process. But what happens when software, firmware, or a mobile app forms part of the medical device? In these situations, MedTech companies should place their security posture on the same level of priority as meeting regulatory requirements.
As we have seen, medical device manufacturers and healthcare facilities alike have historically had poor security posture. These organizations should be implementing threat assessments, privacy compliance assessments, asset management, patches, Pen Tests, IRP, EDR, and thoroughly reviewing their third-party vendors. They should also be ensuring that all software is updated regularly in order to patch any vulnerabilities as and when they arise, and they should have an experienced incident response team waiting in the wings if and when there is a cyber incident. Finally, these companies can and should purchase cyber liability insurance coverage to better transfer their cyber risk.
However, it should be noted that most cyber liability policies do not cover bodily injury or property damage. If for example, a ransomware attack were to occur and render a network inaccessible and, in turn, cause a device to malfunction or become unresponsive, there could potentially be bodily injury or property damage to the patient as a result. It’s important to note that a life sciences company should consider purchasing a a Products Liability policy together with a Cyber Liability policy. Other coverages to consider include also be a Technology E&O policy.
It is better to nip this in the bud now as, in the near future, these life sciences businesses be forced to implement these minimum security benchmarks, as legislators move to mandate a proper cybersecurity standard for the industry.
The FDA issued draft guidance in 2018 for medical device cybersecurity including software, firmware, SaMD or devices with programable logic. It has since been updated in April 2022. The guidance is widely drafted, and includes premarket, postmarket, and total life-cycle product development framework, borrowing largely from the NIST framework for cybersecurity (introduces a Secure Product Development Framework (SPDF) similar to the NIST Secure Software Development framework). A medical device company must comply with the QSR or Quality System Regulations, which include cybersecurity requirements. The guidance provides that companies must incorporate threat modeling and vulnerability testing such as Pen tests, and total product life-cycle security management including software patches and updates post-market.
Similarly, the MDR and IVDR in the EU have updated regulations around cybersecurity. They also have guidance around pre and post-market security requirements as well as managing cybersecurity across the entire life cycle of the device with an emphasis on privacy and security.
Life sciences companies may be attempting to promote greater cybersecurity protection pre- and post-market, but much more work is to be done on mandating thorough due diligence, planning, and investing in creating a secure cyber environment if the cyber risk in the sector is to deflate. Moreover, greater emphasis must be placed on regular software updates and patches for IoT, IoMD, and SaMD devices operating within a network, even if they are only one component of the entire medical device itself.