“We estimate spending by healthcare providers and OEMs on healthcare cybersecurity to reach $5.5 billion by 2016,” says Michela Menting, Research Director at ABI Research. “However, only $390 million of that will be dedicated to securing medical devices.”
This, Menting adds, is a mistake. “Healthcare stakeholders have to understand that there is a new hostile environment that will emerge around networked medical devices and that threat actors have multiple levels of skills and diverging motivations for attacking the medical IoT.”
The money spent on securing medical devices will primarily be due to OEMs embedding security in the hardware, reviewing, analyzing, pen testing, developing patches, and performing OTA updates, among other functions, writes ABI. The rest of the expenditure will focus on data protection.
Numerous vulnerabilities
But medical devices suffer from numerous vulnerabilities, and many often compound several critical vulnerabilities: code errors in software, use of hardcoded passwords, disabling of firewalls, lack of authentication mechanisms, unencrypted communications, among many other issues.
The possible results: badly secured connected medical devices can be used by hackers to penetrate hospital systems and steal patient data, or put in place ransomware so the devices can only be used when money is paid. It could even be possible to hack medical devices so that patients could be administered wrong dosages of medication. Recently news came out that an insulin pump made by Johnson & Johnson was vulnerable to hacking.
Protecting devices requires addressing technical issues, healthcare delivery, and business challenges. To do this, collaboration across the various stakeholder silos is necessary. The industry, however, is at the beginning stages of the discussion. Globally, the efforts are poor, and the U.S. is the only country currently putting significant energies into the matter.
Awareness is growing
However, awareness is growing, which will push spending on devices to triple globally by 2021, resulting primarily from dynamic U.S. public and private efforts in the space. A few companies are already fully embracing medical device cybersecurity, including Battelle, Coalfire, Dräger, Extreme Networks, Sensato, Synopsys, UL, and WhiteScope.
“Investment in medical device cybersecurity is critical in order to deliver the full promise of next-generation healthcare technology,” concludes Menting. “OEMs and healthcare providers taking part in the discussion today will be the pioneers forming the foundation of future cybersecurity for medical devices.”
Investments in security
Healthcare is the fastest growing industry when it comes to investments in security, market research firm IDC recently stated. In the coming five years, healthcare organisations will grow their spending on IT security with a CAGR (compound annual growth rate) of 10.3 percent. Total worldwide spending on IT security will top 100 billion dollars in 2020, growing with a CAGR of 8.3 percent (more than double compared to overall IT spending growth). IT security spending in 2016 will be 73.7 billion dollars.
"The pace and threat of security attacks is increasing every year, especially across compliance-driven industries like healthcare, telecom, government and financial services," said Eileen Smith, program director, Customer Insights and Analysis.
IDC also published research which found that healthcare is also the fastest growing industry when it comes to spending on mobility. The industry that will deliver the fastest revenue growth in mobility over the 2015-2020 forecast period is healthcare (5.1% CAGR), followed by telecommunications, professional services, and utilities. "Worldwide, the healthcare provider industry is expected to have the fastest growth in mobility spending over the life of the forecast," said Jessica Goepfert, program director, Customer Insights and Analysis.