Cybersecurity in Medical Devices Must be a Priority

By making devices smarter, they become targets of cyberattacks. In healthcare, this trend can place individuals and systems at risk, urgently calling for the implementation of strategies to protect data. 

“The healthcare environment is complex and manufacturers, hospitals and facilities must work together to manage cybersecurity risks,” says the FDA. Medical devices are an essential part of the digital health ecosystem. But the more connected they are, the more vulnerable they are to cyberattacks. The health sector is experiencing an exhaustive use of technology that has often made it a victim of extortion, leading it to alter its operations in response to cyberattacks. These threats make it essential to safeguard privacy and implement protection strategies, explains Rommel García, Partner of Cyber Security, KPMG.

“What is related to the security of health information is very different from what is being done in other areas because in addition to protecting data, we are protecting people's lives,” says Romeo Sánchez, Vice President of Engineering, Ecaresoft.

Cyberattacks against health facilities have become a profitable business due to the value of health data. However, in Mexico, the health sector is lagging behind in terms of cybersecurity, as reported by Dräger. Many barriers stand in the way of an updated cybersecurity strategy. For example, experts agree that it is not an easy task to convince decision makers to invest in cybersecurity, even at hospitals. “Normally, patients approach us after they have already experienced a cyberattack,” says García. 

Nonetheless, if cybersecurity is not prioritized, cyberattacks to medical devices can generate a loss of privacy, alter the device’s function and cause a denial of intended service or therapy, reports the Australian Government. Also, a cyberattack to a medical device can become a window of opportunity to attack other areas of an organization’s network. “Today, there is no way to deal only with the cybersecurity of a specific medical equipment because everything is interconnected. Cybersecurity has to be recognized as something integral,” says Claudio Baumann, Director LATAM, AKAMAI. Also, when a cyberattack occurs, an institution’s reputation is damaged, he explains. 

For these reasons, it is essential to ensure medical equipment is protected against cyberattacks, especially as both software and hardware evolve, says CANIFARMA. Cybersecurity strategies in health services require an approach that guarantees the optimal functionality of devices to ensure the safety of both patients and health professionals. “This type of data is important because all the medical history could be exposed. In addition, the personal data of health professionals are also at risk,” says Marco Antonio Quezada, CIO State Telehealth Unit, Servicios de Salud de Durango.

When designing a new product, medical device manufacturers must consider many principles, including secure communications, data protection, device integrity, user authentication, software maintenance, physical access and reliability and availability, according to IMDRF. Additionally, it is important to identify the enterprise’s medical devices, develop a mitigation plan, reduce the likelihood of a compromise, apply user management, properly understand connections and periodically review the state of medical devices, suggests the NHS. It is also important to work on awareness and train medical personnel in cybersecurity, as a human error can jeopardize data.

A strong legal framework can also help the sector to ensure the protection of data and medical equipment. For example, in Mexico, the Federal Law on the Protection of Personal Data in Possessed by Individuals supports policies that protect privacy, forcing companies to look at cybersecurity from a different perspective. 

Despite implementing the best strategies, experts agree that there is no way to completely avoid cyberattacks. “Organizations must be resilient to these attacks because they cannot be avoided, they are sure to happen,” says Sánchez.