While industries and governments across the country continue to work to implement cybersecurity measures, it has become increasingly clear that no sector is immune from the threat of outside hackers trying to steal vital, private information. One industry that needs to be particularly attuned to this possible threat is the medical device industry; given the impact this could have on protecting a person’s health information, it is critical that the right security protocols are put in place immediately.
The medical device industry is one in which we have seen numerous new technologies and products come to market that involve the Internet of Things (IOT), or the ability to connect a device directly to the Internet, potentially serving health information virtually around the world. These are devices that track and monitor a person’s health, and can provide physicians with rapid health information on patients. Such technological advancements in the medical device industry have become highly beneficial to treatment and, ultimately, patient care.
But with these IOT devices comes the challenge. By having this information linked up to a network and potentially the Internet, it suddenly becomes available to outside parties looking to do harm. Medical device businesses and medical health practitioners don’t always know what information is exposed to the world through these devices, and this lack of control creates a vulnerability. Organizations need to understand what kind of information is leaving the safe confines of the business or home, where that information is going, and what controls should be in place to ensure proper security of electronic personal health information.
When new medical devices come to market, companies need to ask themselves what the protocols are to understand the information these devices capture and transmit. They need to understand how it is stored and what kind of information the IOT device is pushing out through the network/Internet. These are questions that ideally are asked before a product is brought to market, so the right cybersecurity procedures can be set in place to prevent hackers from stealing or accessing this information.
What’s more, once these devices are on a network, they are subject—just like anything else in the cyber world—to potential vulnerability threats (e.g. malware, viruses). The repercussions for these companies could be extreme if private and/or vital health care information is exposed.
So what needs to be done to ensure these products are safe from potential cyber thieves and hackers?
Most importantly, a more robust and elaborate vetting process needs to be put in place at the outset—a device may seem to be perfect for market introduction, but first companies need to investigate what information is captured and how it is transmitted. They need to determine if the device has an operating system that could be compromised by malware or viruses. And if the answer is yes, the products need to be further shored up before being brought to the public.
Much of this can be accomplished by a company asking some basic questions while the products are being developed, such as:
- What information is the device storing?
- Where is that information being stored?
- Is the information encrypted?
- If not, how is the information being secured?
- Is this information being shared with another system? Is that other system secure?
- Is the IOT device information being pushed out via the network/Internet?
Solutions to protecting this information can then be found, but only once these questions are asked.
Cybersecurity in medical devices is a newer issue for companies to address; after all, in the past, medical devices didn’t have the ability to directly connect to the Internet. But with challenges, as always, come opportunities, and those companies that act at the outset to ensure the security of their IOT-based devices will find themselves much more protected.
Unfortunately, cyber thieves work every day to find newer and more stealthy ways to steal, disrupt and cause industry chaos. But by taking these steps and asking these questions, medical device companies will do more than just keep pace with hackers. They give themselves the best chance to remain a step ahead of them.
Jeffrey I. Ziplow, MBA, CISA, CGEIT, is a partner with BlumShapiro, the largest regional business advisory firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with a team of over 500, offers a diversity of services, which include auditing, accounting, tax and business advisory services. Blum serves a wide range of privately held companies, government and non-profit organizations and provides non-audit services for publicly traded companies. To learn more visit us at blumshapiro.com.