Cybersecurity threats are now so common it’s inevitable that your company and products will be attacked – if it hasn’t already happened. Within seconds of connecting to the internet, any new device or IP address is scanned for vulnerabilities by giant botnets made up of millions of compromised devices, including many poorly protected household items such as network-connected cameras, thermostats and even lightbulbs.
In a dramatic demonstration of just how aggressive malware botnets are, a French researcher recently programmed a server to appear online as a computer running a vulnerable older version of the Windows operating system.
Within 90 minutes the server was infected, reset and infected again six times – once in just three minutes – by WannaCry ransomware, which encrypts all data on a hard drive and demands payment to unlock it (1). While the initial WannaCry outbreak in May 2017 was contained, hundreds of new WannaCry variants still infest the Internet.
In another demonstration showing how connected “Internet of Things” devices can compromise an entire computer network, a low-end surveillance camera was attacked by the Mirai worm just 98 seconds after it was plugged in. The worm entered using the camera’s default password, and would have taken control of every computer, router and device on the network had the researcher not isolated the camera before connecting it (2).
This same Mirai botnet temporarily shut down Twitter, Netflix and Reddit along with a host of smaller companies in a major cyberattack in October 2016. Its variants remain active to this day, and could launch a new attack at any time.
Winning the cybersecurity arms race
To defend themselves, device manufacturers, software developers and computer security experts find themselves locked in a perpetual arms race with hackers and malware developers. Constant vigilance and quick responses are required (see Fig. 1).
Historically, it’s taken several months from outbreak detection until a security patch can be developed and deployed. But as can be seen from the history of the WannaCry ransomware, this isn’t quick enough. By the time a fix for the original WannaCry worm was developed two months after its initial detection, its source code had spread far and wide, and new variations continue to develop (see Fig. 2).
It’s now generally recognised that security patches must be developed and deployed to all vulnerable devices within 30 days to prevent a new threat from becoming a major problem. In a recent event, 143 million American consumers had personal and financial data stolen from a major credit card reporting agency. Attackers compromised systems through a known vulnerability for which a patch had been available for 2 months prior to the attack but had not been applied – a delay that could be life-threatening when medical devices are involved.
In addition, hackers may target device source code and other intellectual property held by device developers and end-user health systems. The stolen information may be held for ransom or sold to other potential attackers. For example, in June 2016, a hacker known as “The Dark Overlord” offered to sell for about $500,000 source code and digital signatures that would allow attackers to break into healthcare administrative software. The hacker also offered personal data from millions of patients stolen from clinics and insurance companies (3).
These examples illustrate the range and potential severity of the cybersecurity threats that medical device makers face. While it’s not possible to predict every threat, here are five you are likely to see in the near term:
- Ransomware – Hackers threaten patients, caregivers, or the manufacturer with the interruption of a patient’s device functions, such as dosing of medication, or disruption of communications between devices and critical data servers, in exchange for ransom
- Collateral damage – General malware or viruses interfere with device software and potentially assimilate a device into a botnet to launch denial of service or other attacks on IT infrastructure that underpin critical services, such as Mirai-like attacks on DNS providers
- Privacy breaches – Exposure of sensitive clinical data harms patients, violates privacy laws with steep financial penalties, or places users in physical danger by revealing their real-time location. Hacking into medical databases through unprotected devices also exposes patients to identity theft
- Device takeover – Cardiac or other devices are taken over through a near-field communication device, unsecured USB ports, or remotely through internet-enabled connections, threatening patient safety
- Financial vulnerability – Cybersecurity vulnerabilities can be exposed publicly to manipulate the stock price or gain other financial advantages over a manufacturer.
Guarding against these and other cybersecurity threats is essential to protect patients and company finances. In fact, the FDA, EMA and other regulators consider cyber threats to be so dangerous they now require cybersecurity risk management plans that cover the entire lifespan of new and existing devices.
ICON has the experience and expertise to help you win the online arms race with hackers. For guidance on developing and maintaining an effective medical device cybersecurity risk management programme, contact us.
References:
(1) Cimpanu C. Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes. BleepingComputer, May 14, 2017.
(2) Coldewey D. This security camera was infected by malware 98 seconds after it was plugged in. Techcrunch.com, Nov 16, 2016.
(3) Kirk J. 'The Dark Overlord' Advertises Stolen Source Code. Bank Info Security, July 14, 2016.