Ames Gross, Pacific Bridge Medical
Ameing for Asia

Medical Devices Vulnerable as COVID-19 Deepens Cybersecurity Threats in Asia

By Ames Gross
Ames Gross, Pacific Bridge Medical

Despite the high stakes of data vulnerabilities to the entire healthcare system, governments in Asia lag behind in mandating cybersecurity measures, leaving manufacturers to install and maintain systems to protect against cyber criminals.

With patients and medical providers across Asia and around the world forced by the global pandemic to rely on online platforms more than ever before, the medical device industry is finding itself uniquely vulnerable to cyberattack.

But despite the high stakes of data vulnerabilities to patients, providers and healthcare systems, governments in the Asian region lag behind in mandating cybersecurity measures, leaving manufacturers to install and maintain systems against the possibility their products can be hacked by cyber criminals.

For the healthcare industry in general, and the medical device segment in particular, the result is urgent need—and significant opportunity. Healthcare systems across the Asian region will need to invest in better security frameworks, tighter patient data confidentiality systems and safeguards on critical care support systems, documentation of clinical data, management of pharmaceuticals, etc.

Indeed, the global healthcare cybersecurity market is expected to grow from $9.78 billion in 2019 to $33.65 billion by 2027, according to a report published this year by Fior Markets, a technology industry market research firm.

The pandemic has ramped up the urgency of the threats. From January to March of this year, cybersecurity software company Trend Micro tracked 47,000 malicious access attempts worldwide to coronavirus-related online domains. Just over 9,000 of those occurred in February. The number sharpy increased to more than 34,000 in March alone. During the same period, the number of detected cyberattacks on hospitals grew by more than 60%, the firm found.

The broad threat of cybercrime in healthcare predates the era of the coronavirus. Healthcare is not as well protected as other industries, relying heavily on informal processes and systems for collecting, storing and distributing medical records, for processing payments and for the use of medical devices at all levels.

In many parts of Asia, the healthcare industry is still undergoing the early stages of digitalization. Data in many organizations is kept on a broad spectrum of platforms, from hardcopy to the cloud, making for widespread and systemic risks of data breaches. Paper records can easily be lost or stolen, and sometimes non-employees are granted access to restricted areas. One device is often shared by many employees, and older devices used in many hospitals lack protections like multi-factor authentication and encryption software. Across the Asian healthcare industry there is a lack of qualified IT staff and security specialists with the skill sets to rapidly manage cyberattacks such as ransomware, malware, spyware, endpoint attacks and phishing.

Healthcare professionals have become increasingly aware of the vulnerabilities of the field to cyberattacks. In fact, in May 2017, a global ransomware attack that came to be known as WannaCry hit hospitals in 150 countries, including Japan, China, Indonesia and Taiwan. It brought some major hospitals briefly to a virtual stop, with some turning away patients.

But since the COVID-19 threat first began to force employees to work from home, and doctors to examine, diagnose, and treat patients remotely, the cybersecurity threat has become more urgent. Cyber espionage operations have attempted to steal intellectual property on coronavirus treatments. Cybercriminals are increasingly targeting healthcare provider information and personal patient health data. Cybercriminals are hacking healthcare insurance information to submit and cash out fraudulent health insurance claims, forging prescriptions to smuggle illicit drugs, and exploiting health information to blackmail victims.

Driving the threat growth are a number of factors unique to the pandemic. More people are online checking for information, and that means more click on phishing emails. The rapid shift to remote works means people began working from home before proper safeguards could be installed on their devices.

In addition to the above-mentioned factors, the increasing reliance on cloud-based communications devices like Slack, Teams, WebEx and Zoom, whose defenses are sometimes porous, and it is no wonder the threat is ramping up.

The illicit activity has drawn warnings from the United Nations and the international police organization Interpol. Asian governments have issued warnings as well. India’s government reports that since the pandemic began, its educational and healthcare systems have been subject to phishing attacks. Authorities in Japan and the Philippines have warned their healthcare industries of the possibility of attacks, though they have not cited any specific breaches.

In Japan, China and South Korea, regulatory agencies have over the past three years issued guidelines to medical device firms on coping with cyber threats. But they have in each case largely relied on the industry to police itself, rather than issuing mandates.

China’s most recent cybersecurity law dates back to June 2017. It requires medical device companies to register their networked medical devices with the China Food and Drug Administration (CFDA), with a description of their cybersecurity protection measures. The requirements cover Class II and III medical devices to ensure that electronic data is accurate, cannot be altered and is accessible only to authorized users for a set period of time.

In addition, manufacturers are asked to “self-assess” their cybersecurity status. Compliance with the guidelines are not mandatory, but failure to conduct them delays obtaining permits.

In Japan, the Pharmaceutical and Medical Devices Agency (PMDA) issued a safety information notice in June saying that medical device manufacturers should “implement all reasonable measures” on medical devices imported into the country “to ensure the highest level of protection against cybersecurity risks.”

The Japanese government is leaving assessment of the risks to the marketing authorization holders (MAHs). The medical device should also be accompanied by information regarding potential cybersecurity issues related to its use that consumers can refer to, along with other instructions.

And in South Korea, the government issued guidelines in 2018 that simply ask medical device manufacturers to follow United States cybersecurity standards. The guidelines say registration submissions should include evidence that the manufacturer has made efforts to mitigate cybersecurity risks and vulnerabilities.

Cybersecurity experts say that real solutions to the threats facing the healthcare industry will need to dig considerably deeper. Governments will need to take action, but both device manufacturers and healthcare systems will need to implement independent cybersecurity audits, design models that separate data and construct virtual security zones, and institute password encryption across systems.

Overall, investments will be needed in cyber defense, with better security strategies to work across different platforms within the same healthcare organization. Security operations and threat monitoring will need to be ongoing—especially in Asia.

About The Author

Ames Gross, Pacific Bridge Medical