Navigating New Forms Of Volatility
Cyber Security of Medical IoT Devices
Managing Risk in the Digital Health Age
The Current Cyber Threat Landscape for Medical IoT Devices
How Might an Attack Play Out?
A December 2018 report published by the US Department of Health and Human Services identified the following events as “the current most impactful cybersecurity threats” in healthcare:
With a new European Medical Device Regulation that will apply from May 2021 and the appointment of a Medtech Cybersecurity chief at the US Food and Drug Administration (FDA) in February 2021, the cyber security of medical IoT devices is now the centre of attention for the entire healthcare industry, which has also seen a wave of rapid innovation in response to the coronavirus.
This new regulation aims to improve the safety, security and traceability of devices. While the onus is principally on manufacturers to ensure compliance, healthcare providers are obliged to adhere to general cyber security best practices and to report any serious safety or security issue to the manufacturer and to the local regulator.
Why Attack Medical Devices?
Network-connected medical devices are typically both easy and valuable targets for attackers. People naturally assume the devices are secure, and organisations rarely understand their attack surface. The hardware itself is virtually impossible to patch over the air, because of the type of connectivity used, because the devices are often low powered, or because of a general lack of thought at the design stage. This means that any issue can only be addressed by replacing the devices or by patching the software manually.
The medical IoT market is seen as a hyper-growth area by many of the major tech players, bringing with it the menace and the opportunities of new market disruptors. Given that 27.4% of worldwide cyber-attacks to date have targeted the healthcare industry (Verizon Data, 2019), the new European Medical Device Regulation is likely to be playing catch-up, creating uncertainty, with issues such as data ownership, assignment of liability and data usage likely to dominate discussions. Increased interconnectivity of devices and reliance on IoT data will increase both the danger and the opportunities of risk aggregation as new forms of ransomware, data breach and business interruption emerge.
The Cyber Impact Landscape
The hardware and software used in these devices do not normally have the same security controls as general computing hardware. Additionally, open source software is often used as part of the development process, and a Software Bill of Materials (SBOM) is usually overlooked. As a result, device development often pulls in generic packages that are then neither monitored nor reviewed. This lack of monitoring and visibility can leave unknown vulnerabilities in the software installed on network-connected medical devices.
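The practical value of an SBOM is that it lets an operator answer "does any device we run contain an affected component?" the moment an advisory appears, instead of discovering the exposure after an incident. The following is an added example (not code from the original report or from Aon): it parses a small CycloneDX-style SBOM for a hypothetical device firmware and matches each component against a constructed advisory feed. The SBOM contents, the advisory identifiers (ADV-EXAMPLE-…) and the feed format are all constructed for illustration; the OpenSSL 1.0.1 to 1.0.1f range reflects the versions affected by the Heartbleed bug mentioned later in the report, with 1.0.1g being the fixed release.

```python
"""Match a device firmware SBOM against a vulnerability feed.

Added example: all data below is constructed. The SBOM is CycloneDX-style
JSON; the advisory feed is a hypothetical, simplified format with a
package name, first affected version (inclusive) and fixed version
(exclusive).
"""
import json

# Constructed SBOM for a hypothetical infusion pump firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.1f"},
    {"type": "library", "name": "busybox", "version": "1.31.1"},
    {"type": "library", "name": "mbedtls", "version": "2.16.3"}
  ]
}"""

# Constructed advisory feed. ADV-EXAMPLE-0001 mirrors the Heartbleed
# affected range (OpenSSL 1.0.1 up to 1.0.1f, fixed in 1.0.1g); the
# busybox entry is purely made up.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl",
     "affected_from": "1.0.1", "fixed_in": "1.0.1g"},
    {"id": "ADV-EXAMPLE-0002", "package": "busybox",
     "affected_from": "1.0.0", "fixed_in": "1.30.0"},
]


def parse_version(version):
    """Turn a version such as '1.0.1f' into a comparable tuple.

    Each dotted field becomes (numeric part, letter suffix), so that
    1.0.1 < 1.0.1f < 1.0.1g and 1.30.0 < 1.31.1 compare as expected.
    """
    parts = []
    for field in version.split("."):
        digits, suffix = "", ""
        for ch in field:
            if ch.isdigit() and not suffix:
                digits += ch
            else:
                suffix += ch
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def load_components(sbom_text):
    """Return (name, version) pairs for every component listed in the SBOM."""
    sbom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def is_affected(version, advisory):
    """True if version lies in [affected_from, fixed_in) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def match_sbom(sbom_text, advisories):
    """Cross-reference every SBOM component against the advisory feed."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(fixed in {f['fixed_in']})")
```

Run against the constructed data, only the OpenSSL component is reported: BusyBox 1.31.1 is past the (made-up) fix version and mbedTLS has no advisory in the feed. In a real programme the feed would be a vulnerability database export and the SBOM would come from the manufacturer; the matching logic, and the need to keep both current, is the same.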
Connected medical devices are attractive to attackers for several reasons:
01. Inherently valuable and sensitive data: medical IoT devices store and transmit sensitive data that can be held to ransom, sold in underground marketplaces, or used for espionage, identity theft or targeted phishing.
02. Potential for business disruption: the devices themselves can be compromised and incorporated into a network of threat-actor-controlled machines known as a botnet, to be used for further nefarious activity such as distributed denial-of-service (DDoS) attacks.
03. Stepping-stone for far-reaching attacks: they can be a useful stepping stone for lateral movement within a network, paving the way to other valuable targets or enabling an attacker to accrue compromised devices for leverage in a ransomware attack or a tactical political manoeuvre.
04. Large aggregation of medical data: places where network-connected medical devices are used, such as hospitals and health centres, are usually places where large amounts of medical data are aggregated. The impact of a data breach or a denial of access is considerable.
05. The potential fear-factor from an attack on critical devices: medical IoT devices such as pacemakers or health monitoring devices are life critical. Attackers are aware of the impact such attacks would have (potentially deaths), which makes this type of device an attractive target.
Threat actors motivated to carry out such attacks might be profit-seeking criminals, or nation states gathering strategic intelligence – such as COVID-19 research – or looking to acquire and maintain access to an adversary nation’s critical infrastructure. If used for a botnet or as a stepping-stone, a medical device could be a gateway for an attacker to expand the scale of an attack, resulting in greater damage to the device, distributors, healthcare providers and patients. A compromised medical device where the functionality is interrupted or uncontrolled could have fatal consequences.
It is therefore essential for all healthcare players to understand the risks arising from the cyber security of medical IoT devices, and to implement and maintain processes to mitigate those risks.
The medical device industry is growing and has become an essential element of the healthcare domain, given the rising incidence of chronic diseases and a surging geriatric population. It is forecast that by 2030 the medical devices market will be worth $795 billion, based on a compound annual growth rate of 5.2 percent for the 2015-2030 period¹. Market research firm IDC estimates that close to 42 billion connected devices will generate 79.4 zettabytes of data by 2025. For comparison, 1 zettabyte is as much information as there are grains of sand on all the world’s beaches.
Ransomware attacks force organisations into a fraught cost-benefit analysis: accede to the attackers’ demands (with no guarantee of regaining control of the IT/OT environment after the ransom is paid) or attempt to recover and rebuild. Ransomware attacks are themselves evolving – many are coupled with actual theft of data, which the attacker may threaten to release to pressure the organisation into paying.
As egregious as they are, ransom demands – should the organisation opt to pay – are often outweighed by the indirect costs of a breach, resulting from downtime, reputational damage, regulatory fines and lawsuits. These indirect costs can be extremely high when patient data is exposed, making healthcare operators a popular target for ransomware as they are deemed likely to pay. There has been a dramatic increase in the number of healthcare sector data breaches in the past year, notably through attacks on web applications and privilege misuse.
Another alarming trend is the evolution of ransomware attacks to target not just IT systems, but the operational technology (OT) that is critical to the medical device supply chain. In 2020, multiple strains of malicious software, including ransomware, were observed targeting medical industrial control systems, such as those that control MRI scanners and dialysis machines. Tactics include infecting software products further up the supply chain and threatening to expose the data of non-paying victims. Targeted entities have reportedly included major players in the medical device field, resulting in suspended patient care and direct costs well in excess of a million dollars, without accounting for downtime, file recovery and potential penalties. Having proven effective and lucrative, such tactics look set to increase in popularity.
E-mail phishing attack
Ransomware attack
Loss or theft of equipment or data
Insider, accidental or intentional data loss
Attacks against connected medical devices that may affect patient safety
It is common for such attacks to combine multiple elements of these threats, as well. For example, a threat actor might gain access to a healthcare provider’s IT network through a malicious link or attachment in a phishing e-mail sent to a staff member. The attacker could then scan the network for devices and take command of a file server to which, for instance, heart monitors are connected, and access patient data or remotely control the devices, putting patients at risk first and foremost, but also triggering extensive remediation work and harm to the business.
In October 2018 and June 2019, respectively, the US Food and Drug Administration (FDA) recalled 34,000 implantable cardiac pacemakers and more than 4,000 insulin pumps due to cyber security flaws that would allow an unauthorised user to remotely alter the functionality or dosage. The concern is heightened by the difficulty of maintaining an IT/Operational Technology (OT) boundary when the IT environment relies on data from the OT and when OT represents a large part of the entire environment.
Whether a cyber-attack leads to ransomware, a data breach or a business interruption, the financial impact is likely to threaten the enterprise’s business continuity. It is therefore essential for companies of all sizes to understand and assess how they could be financially affected by such events.
Incident Response Costs
Incident response costs take several forms and should be forecast: forensic investigation, public relations and other costs linked to the recovery of data. In the case of a data breach, notification, credit monitoring and call centre costs can be high, especially if credit card and health data are stolen.
Increased Costs
Increased costs relate to the processes and capabilities businesses will need to put in place to keep their operations running despite a ransomware attack, data breach or business interruption. They comprise increased cost of working, additional staff needed to operate, cost of asset replacement, and goodwill payments.
Loss of Revenue
Companies would likely need to revise their revenue forecasts following a cyber-attack, as it might lead to a business interruption. The loss can go beyond lost income and include abnormal customer churn resulting from the reputational impact of a data breach.
Legal Costs
Costs associated with legal guidance, legal defence and the pursuit of claims can be significant, especially when linked to a data breach or to an inability to fulfil orders or perform services for third parties. Depending on the potential number of victims, class action lawsuits may follow.
Liability Costs
Liability costs include contractual penalties and other liabilities such as customer card replacement costs.
Regulatory Fines
Companies affected by a data breach will face regulatory fines from national privacy enforcement bodies (e.g. under the GDPR in the EU). The European General Data Protection Regulation (GDPR) empowers national regulators to fine up to 4 percent of a company’s annual global turnover. Additionally, the new European Medical Device Regulation aims to ensure that manufacturers and healthcare providers use cyber security best practices; failure to demonstrate this may leave companies unable to operate.
What Should Organizations Do to Help Manage These Risks?
Identify cyber risks and quantify the impact
To help manage the risks that could arise from medical IoT failure or a data breach, companies should start by articulating these cyber risks. They should identify the key assets owned by the business that are linked to medical IoT devices, or on which the business depends (e.g. the supply chain). It is then important to assess the maturity of the controls in place for these assets and devices, in order to assess the current cyber exposure. This gives companies a clear picture of current vulnerabilities and allows them to invest appropriately in resources to mitigate them.
The next step is to develop and analyse severe yet plausible cyber incident scenarios related to the company’s critical IT assets. This helps the business understand how attackers could harm it. Once the scenarios are developed, it is essential to understand the financial impact that the medical IoT cyber risk and the scenarios could lead to, by performing a cyber impact analysis. This determines the balance sheet exposure from cyber risk, informs risk management strategies and optimises the Total Cost of Risk associated with the cyber exposure. It is important to achieve the following objectives:
Achieve an improved understanding of the cyber threats facing the business and the healthcare sector
Analyse cyber triggers and events causing potential first- and third-party financial loss
Quantify the financial impact of cyber risk
Provide clarity to senior management on the financial impact of the medical IoT cyber risks
Both cyber risk identification and cyber impact analysis help the business take the appropriate further steps. At this point it will have established the context and identified, analysed and evaluated the risks. Further steps involve applying the available risk management options, such as:
Risk treatment (i.e. invest in security spend)
Risk transfer (i.e. engage in insurance)
Risk tolerance (no further action)
Terminate (cancel the process of implementing IoT)
Further Measures
There are some simple steps that medical device operators, and the companies that make medical IoT devices, can take to help protect themselves against cyber-attacks:
01. Conduct cyber due diligence on vendors, including a scan of underground forums and marketplaces, to uncover existing vulnerabilities or potential targeting. It is advisable to perform initial supply-chain vetting as well as periodic threat monitoring.
02. Implement processes that allow post-market surveillance and communication with subject matter experts on reporting vulnerabilities (e.g. the Heartbleed vulnerability, through which US Community Health Systems lost 4.5 million patient records in August 2014).
03. Establish a rigorous software update and patch management programme and maintain dialogue with device manufacturers regarding safety and security issues.
04. Train staff to recognise and respond to potential cyber security issues, for instance by running through attack scenarios in a table-top exercise. Embed secure development lifecycle processes into your development framework.
If you would like to discuss any aspects of these insights, or to better understand our capabilities in this area, please do not hesitate to get in contact with our team.
Christopher Scott
UK Deputy Practice Leader, Cyber Risk
christopher.p.scott@aon.co.uk
Adam Peckman
Global Practice Leader, Cyber Solutions
adam.peckman@aon.co.uk
Andrew Mahony
APAC Head of Cyber Solutions
andrew.mahony@aon.com
Matt Summers
Business Development Leader
matt.summers@aon.co.uk
CJ Dietzman
Managing Director, Aon Cyber Solutions
cj.dietzman@aon.com
*This article was written by Longitude, a Financial Times company, in partnership with Aon.