With enough time and money anything can be hacked, but here are some pro tips on how medical device manufacturers can safeguard embedded devices and digital assets.
March 29, 2021
As healthcare continues to embrace connectivity across medical devices, cybersecurity is more important than ever before. And yet, a recent survey by Irdeto found that only 18% of medtech leaders believe the security built into their medical devices is strong.
Experts from Irdeto, Siemens Healthineers, and H-ISAC recently came together for a virtual panel discussion on what medical device manufacturers need to do in order to enhance their cybersecurity methods to protect their products and ultimately the providers and patients who use them. The panelists included Hans-Martin von Stockhausen, chief product and solution officer and senior product manager of cybersecurity at Siemens Healthineers; Steeve Huin, chief marketing officer and the general manager of Irdeto’s connected health cybersecurity business. Moderating the discussion was Tyler Cyber, a threat intelligence analyst at the Health-ISAC Threat Operations Center. Below are the key takeaways from the discussion.
'Make the business case negative for the bad guys'
Huin said that in most cases, good cybersecurity is all about making things hard enough to deter hackers and make them want to go hack something else because your network or device is too hard.
"It's not necessarily to make things completely impossible to attack because with enough money and time anything can be attacked," Huin said. "It's mostly about making it hard enough that people go and do something else."
Stockhausen agreed and recalled a phrase he once heard about making the business case negative for the bad guys. You can only increase your protection measures so much, he said, because at a certain point before it begins to interfere with the usability of the medical device.
"This is still a constant debate between product teams in U.S.-centric security, how much security is sufficient in the device, and how much security should shine through," Stockhausen said. "I would say really good security is security that goes by unnoticed but is still doing its job."
Achieving that balance is easier said than done though, he admitted. Really strict cybersecurity controls typically have at least some impact on usability, so in medtech particularly it's difficult to define cybersecurity controls in a way that does not impact clinical routine.
Good cybersecurity talent is tough to come by
"From our analysis looking at other industries, and just broadly speaking, there is a global shortage of security engineers, people with the knowledge that is needed, because at this point in time almost every industry in the world is concerned about cybersecurity, right? We are living in a world that is hyper connected, which means that things are getting more and more vulnerable to attacks," Huin said. "