The healthcare and life sciences industry continues to be plagued by cybersecurity threats.1 According to FTI Consulting’s U.S. Healthcare & Life Sciences Industry Outlook 2023 survey, 70 percent of leaders surveyed from healthcare and life sciences companies said their organization experienced a cybersecurity incident in the last 12 months, and nearly half said they think their company is still vulnerable to a potential cyber attack or incident2.
When it comes to medical devices and other Internet of Medical Things (IoMT), the pervasiveness, variety and connectivity of these products make them an ideal target for threat actors seeking to inflict maximum pain. Not only is the frequent exchange of health information potentially at risk in IoMT cyber attacks, but especially for those wireless, Internet- and network-connected devices that remotely deliver potentially life-saving treatments to patients, the stakes could not be higher. Think of the operational, legal, reputational and – above all – patient safety havoc a cyber attack could inflict on blood glucose devices, pacemakers and infusion pumps.
Not coincidentally, cybersecurity protections for medical devices are high on the regulatory agenda. The FDA recently issued new guidelines for medical devices, that use software to collect and transmit data, to be protected against potential cybersecurity threats – before the product goes to market. 3 IoT devices are also on the radar of the White House and were identified as one of five pillars in the Biden Administration’s recent National Cybersecurity Strategy (Strategic Objective 3.2-Drive the Development of Secure IoT Devices).4 To secure go-to-market approval, device makers will be required to demonstrate that they have a robust cybersecurity plan to deal with vulnerabilities that surface after their product is released; cybersecurity information disclosures are now required for every new product entering the market; and guidance will be released this fall relating to the design and maintenance of medical device cybersecurity features over their entire product life cycle.
Against a cybersecurity threat landscape of increased vulnerability and complexity, medical device and IoMT companies must prepare for increased regulatory scrutiny, litigation risk and reputational damage – before a cybersecurity incident occurs.
- Assess cybersecurity vulnerabilities. Medical device companies should regularly identify, assess and prioritize potential cybersecurity risks and gaps specific to their company/product. These exercises help to guide critical cybersecurity investment decisions to minimize the likelihood and impact of an incident. Cybersecurity considerations should also be incorporated early and throughout the product and/or software design and development lifecycle to address potential risks and vulnerabilities before the product/software hits the market.
- Prepare for potential data loss – and data integrity – scenarios. Given the importance and value of health information maintained by medical device companies, it is imperative that they prepare for potential scenarios involving the exfiltration or theft of such data, which may trigger legal disclosure obligations to and scrutiny from patients, partners/customers, regulators and the media. Even more so, they should prepare for the possibility of an even more impactful scenario with potentially severe consequences for the device companies and the patients they serve – threat actors accessing and manipulating critical health data stored/maintained in the devices.
- Evaluate third-party risks. In an increasingly connected world, all companies must recognize that they will be judged by “the company that they keep.” Life sciences companies often use the services of third-party vendors, suppliers and contractors – some of whom may have access to medical device companies’ networks and data. When these third-party partners experience their own cybersecurity incidents, this could lead to downstream impacts on medical device companies. Cybersecurity risk assessments should include evaluating risks associated with third-party partners, including plans for mitigating such risks before they occur and responsive actions after incidents occur.
- Develop and enhance cybersecurity and incident response plans. Cybersecurity plans are not only required for regulatory compliance, but they also help to mitigate reputational risk6. Incident response plans are critical for all organizations, including leaders of medical device companies, so that when a crisis occurs, established processes can be immediately followed, helping mitigate damages and increase resilience. Best-in-class incident response plans include clear roles and responsibilities of incident response team members, including assigning accountabilities, workstreams and owners of critical aspects of the incident response process; technical/operational, legal and communications considerations and processes to enable swift and decisive action in response to an incident; and scenario plans for top risk areas and messaging templates.
- Test and train teams to build muscle memory. Having a plan on paper, however, will only get response teams so far in preparing to effectively respond to a live incident. Medical device company leadership and incident response teams must regularly train against those plans and exercise critical decision-making muscles in order to pressure test the plan, and the team. Table-top exercises, simulations and message trainings are effective training tools.
- Realize and understand the cyber threat landscape. Threat actors frequently target the healthcare and life sciences sector because of sensitive data and access to it, along with the devices that support treatment and their importance to the services provided by healthcare and life sciences companies. This sector, medical device companies, and the IoMT, are under increased pressure when they do suffer a cybersecurity incident because of the possibility to impact patient care. These circumstances make this sector attractive to threat actors through ransomware and data breach extortion schemes. Keeping apprised of the tactics, techniques, and procedures employed by threat actors to infiltrate systems and networks can help an organization from becoming an easy target.
IoMT devices play a growing role in modern medical treatment, benefitting the care of hundreds of thousands of patients worldwide7. But with tremendous opportunity and growth, comes increased risk. It is incumbent on medical device industry leadership to proactively prepare for the inevitable before it’s too late.
1John Hewitt Jones, “HHS issues new cyber incident response resources for healthcare sector,” FEDSCOOP (April 17, 2023), https://fedscoop.com/hhs-issues-new-cyber-incident-response-resources-for-healthcare-sector/.
2Robert Stanislaro, Jamie Singer, Lauren Crawford Shaver, Jacqui Wilmot, Jim Polson, “FTI Consulting Survey: US Healthcare & Life Sciences Industry Outlook 2023,” FTI Consulting (March 28, 2023), https://www.fticonsulting.com/insights/reports/fti-consulting-survey-us-healthcare-life-sciences-industry-outlook-2023.
3Lizzy Lawrence, “Medical device companies now need to prove to FDA they’re protected against cyberattacks,” STAT+ (March 29, 2023), https://www.statnews.com/2023/03/29/fda-medical-devices-cybersecurity-hack/.
4“National Cybersecurity Strategy,” The White House (March 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
6Matt Chevraux, Jamie Singer, “A Presidential ‘Prescription’ for Hospital Cybersecurity,” FTI Consulting (June 15, 2023), https://fticybersecurity.com/2023-06/a-presidential-prescription-for-hospital-cybersecurity/.
7Ben Lutkevich, Alex DelVecchio, “internet of medical things (IoMT) or healthcare IoT,” TechTarget (June 2023), https://www.techtarget.com/iotagenda/definition/IoMT-Internet-of-Medical-Things.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2023 FTI Consulting, Inc. All rights reserved. fticonsulting.com
Jamie Singer
Jamie Singer co-leads FTI Consulting’s Cybersecurity Data Privacy Communications practice and previously was an Executive Vice President and Director of Data Security, Privacy and Crisis Communications at Resolute Strategic Services.
Matt Chevraux
Matt Chevraux is a Managing Director in FTI Consulting’s Cybersecurity practice and is a senior cybersecurity expert and federal law enforcement veteran, spending more than 22 years with the Secret Service, most recently as a Senior Supervisory Program Manager in the Office of Investigations and Criminal Investigative Division.
Robert Stanislaro
Robert Stanislaro is a Senior Managing Director and Head of the Healthcare Life Sciences’ Corporate Reputation offering within the Strategic Communications segment at FTI Consulting, and uses his expertise in corporate communications and capital markets communications to counsel his clients on a variety of issues, which play a critical role in driving enterprise value.
