MedTech under attack: 5 strategies to protect your company against cyber-attacks

At a glance:

  • AI, robotics, OT and the Internet of Things (IoT) continue to rapidly transform the MedTech industry.
  • Innovative technologies like these process vast amounts of highly sensitive data. If they are not adequately secured, the risk of a successful cyberattack rises sharply.
  • The healthcare sector is now one of the most attacked in the world.
  • High costs and implementation difficulties leave many MedTech companies inadequately protected against cyberattacks.
  • The time to act is now! Inaction puts your customers, partners and investors at risk. It also destroys trust and threatens your financial stability.

This article focuses on basic cyber security issues that CEOs, CTOs and other decision makers in MedTech companies need to consider now. Learn how to lead your company into a secure future step by step.

Chapter 1: How do things stand today?

Digital technologies are advancing medical technology in fantastic ways:

  • Networked sensors collect and analyse a wide range of vital data.
  • Digital tools help diagnose and treat diseases.
  • Connected devices link people, data and surgical tools and optimise clinic processes.

There’s practically no end to this list, and leaders in the MedTech industry welcome how quickly these technologies are changing the whole sector. After all, significant improvements in patient care also mean financial opportunities.

But innovations like these also expose the MedTech industry to attack. When ever more data is stored and processed on outdated IT systems, new risks emerge.

Current figures reveal an alarming picture:

MedTech companies must balance changing demands on many fronts, whether that means scrambling to comply with new regulations, clearing compliance hurdles with digital solutions or optimising quality management.

But statistics like these highlight how important it is for the MedTech industry to prioritise its defence against cyber threats. Balancing that response with your other priorities is always a challenge.

But it’s more important than ever to act fast. By 2026, companies that have invested in ongoing threat management are forecast to suffer two-thirds fewer security breaches than those that have not.

Meanwhile, attacks continue to cost companies more and more. Since 2020, the cost of a healthcare data breach has increased by 42%.

Make these investments now to avoid hefty fines and increasingly expensive data breaches.

Executives are paying more attention to cybersecurity

There is good news! More and more executives are recognising how cyber security can affect the future of their company for years to come. According to a report from the World Economic Forum, 56% of all cyber security leaders now meet monthly or more often with their board.

This attention makes it easier to prioritise information security throughout your company. But there is still a lot to do to improve collaboration between InfoSec leaders and operational teams. Many MedTech companies are still not prepared for the increased number and intensity of cyberattacks.

How healthcare companies are attacked

“Right now, ransomware is the most serious threat to MedTech,” says our DataGuard Senior Principal Information Security Consultant Michael Papenhagen (LL.M.). In a ransomware attack, an attacker encrypts a company’s critical data, making it unusable, and hands over the decryption key only if the company pays a ransom. Increasingly, attackers also copy the data before encrypting it and threaten to publish it, so good backups alone do not remove their leverage.

That’s what happened in the WannaCry attack of May 2017, which disrupted dozens of NHS trusts in England and forced hospitals to cancel appointments and divert patients.

Besides ransomware, companies face a range of more conventional attacks, many of them aimed at web-facing applications and the people who use them. These include:

  • Phishing: Phishing is an attempt to steal sensitive data (e.g. login credentials) or install malware via fake websites, emails or text messages.
  • Session hijacking: An attacker obtains a legitimate user’s session identifier, for example by stealing the session cookie over an unencrypted connection, through a cross-site scripting flaw, or by guessing a predictable token, and then uses it to act as that user in protected areas without ever knowing their password.
  • SQL injection: When user input is pasted into a database query as text instead of being passed as a parameter, an attacker can ‘inject’ their own SQL commands through a form field or URL on the company’s website and read, modify or delete data.
  • Distributed denial-of-service (DDoS) attacks: An attacker directs a large number of compromised machines (a botnet) to flood a company’s servers with requests until legitimate users can no longer get through.
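The SQL injection and session hijacking items above in runnable form, as an added example that is not DataGuard’s code: a deliberately vulnerable login that concatenates the username into its query, beside a hardened login that uses a parameterised query, a constant-time password check and a session cookie that is hard to steal or guess. The user table, the sample account alice, the salt, the iteration count and the in-memory session store are all constructed for the demonstration.

```python
"""Vulnerable versus hardened login handler (added example, not DataGuard's code).

Everything here is constructed for the demonstration: an in-memory SQLite
user table with one sample account, a fixed salt and an in-memory session
store. It shows the SQL injection and session-hijacking points on real code.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Dict, Optional, Tuple

# Constructed demo parameters: production code would use a per-user salt
# and a considerably higher iteration count.
SALT = "demo-salt"
ITERATIONS = 50_000


def _hash(password: str, salt: str = SALT) -> str:
    """Salted PBKDF2-HMAC-SHA256 of the password, as a hex string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
DB.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
DB.commit()

# Compared against when the user does not exist, so that a lookup miss
# takes as long as a wrong password and does not reveal valid usernames.
DUMMY_HASH = _hash("\0no-such-user")


def login_vulnerable(username: str, password: str) -> bool:
    """VULNERABLE ON PURPOSE: the username is concatenated into the SQL text.

    A username of  alice' --  closes the string literal and turns the rest of
    the WHERE clause into a comment, so alice's row comes back regardless of
    the password that was supplied.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + _hash(password) + "'"
    )
    return DB.execute(query).fetchone() is not None


# Constructed in-memory session store: session id -> username.
SESSIONS: Dict[str, str] = {}


def _issue_session(username: str) -> Tuple[str, str]:
    """Return (session id, Set-Cookie header value) for a fresh session."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    SESSIONS[sid] = username
    # Secure: never sent over plain HTTP; HttpOnly: unreadable from page
    # script (blunts XSS theft); SameSite: not attached to cross-site requests.
    cookie = f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
    return sid, cookie


def login_hardened(username: str, password: str,
                   old_sid: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Parameterised query plus constant-time hash comparison.

    On success any pre-login session id the client presented is discarded
    (prevents session fixation) and a fresh one is issued. Returns None on
    failure without revealing whether the username exists.
    """
    row = DB.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    stored = row[0] if row is not None else DUMMY_HASH
    if not (hmac.compare_digest(stored, _hash(password)) and row is not None):
        return None
    if old_sid is not None:
        SESSIONS.pop(old_sid, None)
    return _issue_session(username)


def is_logged_in(sid: str) -> Optional[str]:
    """Resolve a presented session id to a username, or None if unknown."""
    return SESSIONS.get(sid)


if __name__ == "__main__":
    payload = "alice' --"
    print("vulnerable login, injected username, wrong password:", login_vulnerable(payload, "not the password"))
    print("hardened login, same input:                         ", login_hardened(payload, "not the password"))
    sid, cookie = login_hardened("alice", "correct horse")
    print("hardened login, real credentials, cookie issued:    ", cookie)
```

The two defences are independent: the parameterised query stops the database from ever interpreting user input as SQL, and the session handling (random 256-bit identifier, rotation on login, Secure/HttpOnly/SameSite flags) removes the easy routes to hijacking a session once a user is logged in. Neither replaces transport encryption; the Secure flag only matters if the site is served over TLS.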

Attackers keep a sharp lookout for publicly disclosed weaknesses in software, catalogued as Common Vulnerabilities and Exposures (CVEs), and scan for systems that have not yet been patched against them.

According to Papenhagen, the most common security problems are:

  • Faulty software
  • Inadequate encryption
  • Missing security patches
  • Insecure communication protocols

What consequences do cyberattacks have for MedTech companies?

Below you’ll find the four main problems faced by companies that suffer a cyberattack.

Disruption of business operations

Security breaches often result in long downtimes. This is especially true of ransomware attacks, which we discussed above, and the productivity losses can be staggering. In the 2017 NotPetya attack, pharmaceutical giant Merck suffered $1.4 billion in damages.

Issues with medical devices

Things get even more serious when medical devices are attacked. Imagine the consequences of malfunctioning surgical or patient monitoring equipment: the patient’s well-being is quickly jeopardised. Even injury and death are possible outcomes. Obviously, no one wants that.

Add to that expensive recalls, legal headaches, and an incalculable loss of trust.

Costly data breaches

The cost of data breaches in the healthcare industry has increased by 42% since 2020. For the 12th year in a row, healthcare had the highest average data breach cost of any industry.

And when patient data is stolen, the consequences go far beyond legal ramifications and hefty fines – they affect your customers’ trust in your company.

Theft of intellectual property

Innovation is the lifeblood of medical technology: it drives the breakthroughs that transform healthcare. That’s why intellectual property is often one of a MedTech company’s most valuable assets. If it is stolen, the financial damage is huge and the very future of your company hangs in the balance.

Large sums of money are at stake: cyberattacks can cost you millions

Cybersecurity Ventures estimates that the global cost of cybercrime will rise by 15% a year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. That would make it the greatest transfer of economic wealth in history.

Chapter 2: What you can do about it

There are many ways a company can be attacked. The consequences of an attack are severe. What can you do to make your company more resilient? MedTech companies need a comprehensive, continuous approach to information security. Here are 5 effective steps that you can take.

Step 1: Determine your company’s risk tolerance and internal skills

MedTech companies face many risks. Start by creating an inventory of the critical assets in your systems: devices, data, applications and the suppliers they depend on. Determine your company’s risk tolerance, taking your internal skills into account, and identify the gaps in your information security processes.

This will prepare you to implement a risk management process, bringing you one step closer to an internationally recognised certification according to ISO 27001, the most widely recognised standard in information security.

Step 2: Prioritise your risks by importance

Take care of your most critical vulnerabilities first. You should focus on two types of risk:

  • Risks that could cost your company the most.
  • Risks that are the most likely to be exploited in an attack.

Then develop an individual response and management strategy for each risk.

Step 3: Set up a customised, cost-efficient information security management system (ISMS)

How you respond to the various kinds of security incident is one of the most important parts of your ISMS. “It’s important to respond to an incident proactively rather than just reacting. You also need to consider any negative side effects of your management strategy,” says our security consultant Michael Papenhagen.

A solid ISMS that you’re continuously improving is essential for your company’s success. It also forms the core of the ISO 27001 requirements. But implementing it will tie up many of your InfoSec team’s resources. This makes taking a cost-effective approach using software-based tools even more important.

Step 4: Continuous monitoring and improvement

The enemy never sleeps. Information security is an ongoing process: monitor your systems continuously, keep them patched, reassess your vulnerabilities regularly and implement the improvements that turn out to be necessary.

Step 5: Raise employee awareness

Make all your employees aware of cyber risks. Make it clear what actions they need to take to avoid financial losses and damage to your reputation. Provide them with resources and offer awareness training.

And DataGuard can help! Our easy-to-follow guides and online courses are perfect for raising awareness of cyber risks among MedTech employees.

This was the experience of DataGuard customer Calim Coman-Enescu, Head of Operations at Behaviour Lab:

“I like the DataGuard Academy most of all. The trainings are very helpful. They’ve allowed us to raise awareness for information security throughout the company.”

Leadership, leadership, leadership

Cyber security is driven from the top down. Weigh the value of new technologies against their potential risks. If you focus solely on business growth, you may miss out on the benefits of a robust cybersecurity strategy.

Show your commitment to information security to your partners, customers and investors: implement an ISMS that meets the requirements of ISO 27001. DataGuard customers have a 100% success rate on their first attempt at getting ISO 27001 certification.

The DataGuard information security platform can save you time and money – never miss a beat when setting up your ISMS.

Watch our webinar and find your path to ISO 27001 implementation.



About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK and Austria use their years of experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and its people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications held by our experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials.
