MedTech under attack: 5 strategies to protect your company against cyber-attacks

Chapter 1: How do things stand today?

Digital technologies are advancing medical technology in fantastic ways:

• Networked sensors collect and analyse a wide range of vital data.
• Digital tools help diagnose and treat diseases.
• Connected devices link people, data and surgical tools and optimise clinic processes.

There’s practically no end to this list. And so, leaders in the MedTech industry are happy about how these technologies are rapidly changing the whole industry. After all, significant improvements in patient care mean financial opportunities.

But innovations like these also open up the MedTech industry to attacks. When more and more data is stored and processed on outdated IT systems, new risks emerge.

Current figures reveal an alarming picture:

• In 2022, healthcare was one of the top 3 industries targeted by cyberattacks.
• 53% of all medical IoT devices have at least one unpatched critical vulnerability. Vulnerabilities allow bad actors to access sensitive data and even tamper with devices.
• Last year, the number of ransomware attacks increased by 328% in the healthcare industry – a ransomware attack is when hackers extort money from companies.

MedTech companies must balance changing demands on many fronts. It might be scrambling to comply with new regulations, overcoming compliance hurdles with digital solutions or optimising quality management.

But statistics like these highlight how important it is for the MedTech industry to prioritise cyber threats. Balancing your response with your other priorities is always a challenge.

But it’s more important than ever to act fast. By 2026, companies that have invested in ongoing threat management will have two-thirds fewer cyber security breaches.

Meanwhile, attacks continue to cost companies more and more. Since 2020, the cost of a healthcare data breach has increased by 42%.

Make these investments now to avoid hefty fines and increasingly expensive data breaches.

Executives are paying more attention to cybersecurity

There is good news! More and more executives are recognising how cyber security can affect the future of their company for years to come. According to a report from the World Economic Forum, 56% of all cyber security leaders now meet monthly or more often with their board.

This attention makes it easier to prioritise information security throughout your company. But there is still a lot to do to improve collaboration between InfoSec leaders and operational teams. Many MedTech companies are still not prepared for the increased number and intensity of cyberattacks.

How healthcare companies are attacked

“Right now, ransomware is the most serious threat to MedTech,” says our DataGuard Senior Principal Information Security Consultant Michael Papenhagen, (LL.M.). A ransomware attack is when a hacker encrypts a company’s critical data, making it unusable. The attacker will only unencrypt the data if the company pays a ransom.

That’s what happened in the famous WannaCry cyberattack that crippled much of England’s National Health Service (NHS) in 2017.

Besides ransomware, companies face other threats from traditional attacks on web-based applications. These include:

• Phishing: Phishing is an attempt to steal sensitive data (e.g. login data) or install malware via fake websites, emails or text messages.
• Session hijacking: Session hijacking is when an attacker exploits vulnerabilities (often in user authentication processes) to take over a valid user session. Basically, the attacker impersonates a legitimate user to break into protected areas.
• SQL injection: There are programming mistakes that an attacker can exploit to ‘inject’ database commands directly into the system via a company’s website, allowing them to steal data.
• Distributed denial-of-service (DDoS) attacks: This is when a group of hackers tries to overload a company’s server by making a large number of requests.

Attackers keep a sharp lookout for known weak points in digital systems, known as common vulnerabilities and exposures (CVEs).

According to Papenhagen, the most common security problems are:

• Faulty software
• Inadequate encryption
• Missing security patches
• Insecure communication protocols

What consequences do cyberattacks have for MedTech companies?

Below you’ll find the four main problems that companies that suffer a cyberattack face.

Disruption of business operations

Often, security breaches result in long downtimes. This is especially true in the case of ransomware attacks, which we discussed above. The productivity losses can be staggering. Pharmaceutical giant Merck suffered $1.4 billion in damages in the 2017 NotPetya attack.

Issues with medical devices

Things get even more serious when medical devices are attacked. Imagine the consequences of malfunctioning surgical or patient monitoring equipment: the patient’s well-being is quickly jeopardised. Even injury and death are possible outcomes. Obviously, no one wants that.

Add to that expensive recalls, legal headaches, and an incalculable loss of trust.

Costly data breaches

The cost of data breaches in the healthcare industry has increased by 42% since 2020. For the 12th year in a row, healthcare had the highest average data breach cost of any industry.

And when patient data is stolen, the consequences go far beyond legal ramifications and hefty fines – they affect your customers’ trust in your company.

Theft of intellectual property

Innovation is the lifeblood of medical technology. It drives breakthrough innovations that transform healthcare. That’s why intellectual property is often one of a MedTech company’s most valuable assets. If it is stolen, the financial damage is huge. The very future of your company hangs in the balance.

Large sums of money are at stake: cyberattacks can cost you millions

Cybersecurity Ventures believes that the global costs for cyber criminality over the next five years will rise 15% each year. By 2025, cyber criminality will cause $10.5 trillion in damages – compared to $3 trillion in 2015. This makes it the greatest transfer of economic wealth in history.

Chapter 2: What you can do about it

There are many ways a company can be attacked. The consequences of an attack are severe. What can you do to make your company more resilient? MedTech companies need a comprehensive, continuous approach to information security. Here are 5 effective steps that you can take.

Step 1: Determine your company’s risk tolerance and internal skills

MedTech companies face many risks. Create an overview of critical assets in your systems. Determine your company’s risk tolerance, considering your internal skills. Identify vulnerabilities in your information security processes.

This will prepare you to implement a risk management process, bringing you one step closer to an internationally recognised certification according to ISO 27001, the gold standard in information security.

Step 2: Prioritise your risks by importance

Take care of your most critical vulnerabilities first. You should focus on two types of risk:

• Risks that could cost your company the most.
• Risks that are the most likely to result in an attack.

Then develop an individual response and management strategy for each risk.

Step 3: Set up a customised, cost-efficient information security management system (ISMS)

Your response strategy to various security incidents is one of the most important parts of your ISMS. “It’s important to respond to an incident proactively rather than just reacting. You also need to consider any negative side effects of your management strategy,” says our security consultant Michael Papenhagen.

A solid ISMS that you’re continuously improving is essential for your company’s success. It also forms the core of the ISO 27001 requirements. But implementing it will tie up many of your InfoSec team’s resources. This makes taking a cost-effective approach using software-based tools even more important.

Step 4: Continuous monitoring and improvement

The enemy never sleeps. Information security is an ongoing process. Monitor your systems constantly. Assess your vulnerabilities and implement useful, necessary improvements.

Step 5: Raise employee awareness

Make all your employees aware of cyber risks. Make it clear what actions they need to take to avoid financial losses and damage to your reputation. Provide them with resources and offer awareness training.

And DataGuard can help! Our easy-to-follow guides and online courses are perfect for raising awareness of cyber risks among MedTech employees.

This was the experience of DataGuard customer Calim Coman-Enescu, Head of Operations at Behaviour Lab:

“I like the DataGuard Academy most of all. The trainings are very helpful. They’ve allowed us to raise awareness for information security throughout the company.”

Leadership, leadership, leadership

Cyber security is a trickle-down process. Weigh the value of new technologies against their potential risks. If you focus solely on business growth, you may miss out on the benefits of a robust cybersecurity strategy.

Show your commitment to information security to your partners, customers and investors: implement an ISMS that meets the requirements of ISO 27001. DataGuard customers have a 100% success rate on their first attempt at getting ISO 27001 certification.

The DataGuard information security platform can save you time and money – never miss a beat when setting up your ISMS.

Watch our webinar and find your path to ISO 27001 implementation.