Having a patient’s information fall into a hacker’s hands is probably a nightmare scenario that no medtech CEO wants to think about. But “they should,” Uri Barel, an expert in software analytics and testing, told MD+DI.
Barel’s chat with MD+DI comes on the heels of a security breach of American Medical Collection Agency, a third-party collections agency used by both Quest Diagnostics and LabCorp. The security breach resulted in nearly 20 million customers of both companies having their personal information exposed.
Barel is the Global Head of Cyber Security at Qualitest, a software testing and business assurance company. He spoke about what the recent breach means and how medtech can best protect itself from future ones. He also pointed out that the attacks on both Quest Diagnostics and LabCorp were examples of hackers moving into a new sector to attack.
“Hacking today is a full-blown industry that is mostly dominated by organized crime,” Barel told MD+DI. “Organized crime identifies that there is a better return on investment [ROI], when they do things online rather than in the physical world. Large organizations started protecting themselves and putting defense lines and practices in place a long time ago. Today we look at banks; we look at insurance companies; and other industries and they’ve all been targeted before. When we look at these industries - organized crime has discovered it’s much more difficult to impact the bank, let’s find other sectors where we can have this expensive ROI. All of a sudden organizations that haven’t been a target, now are a target.”
Barel added, “This is one important thing to note, hackers will not just say OK we did one, now let’s move to a different sector. The efforts are usually focused on a sector and are usually months and months of efforts. So we can or might see more breaches coming up quite soon.”
Already there have been some significant breaches in the industry. In September of last year, liquid biopsy specialist Guardant Health said in an SEC filing that the private information of about 1,100 individuals was exposed due to a cybersecurity attack. In March, the Department of Homeland Security and FDA alerted people about cybersecurity vulnerabilities affecting Medtronic's implantable defibrillators. The Dublin-based company said it was developing updates to further mitigate these vulnerabilities.
About a year ago, Abbott Laboratories recalled nearly 350,000 implantable defibrillators to prevent possible hacks.
In response to the growing number of cybersecurity threats to medtech, AdvaMed has adopted a set of five principles aimed at helping medical device companies and healthcare organizations mitigate these issues.
“I think medtech companies need a change of mindset. It’s not how can we now prepare ourselves for when it’s going to happen, medtech has to assume it’s already happened,” Barel said. “Because if it happened at Quest now? A hack like this takes months to put in place. Then it takes months for the companies to actually realize the breach has happened.”
He added, “Hacking has been a part of life for a long time now. It’s just finding its way to other sectors.”