As an industry focussed on innovating for improved health outcomes, cyber security and data protection haven’t always been top of the agenda for life sciences. Yet the recent NHS global ransomware attacks are a clear demonstration that no industry can be exempt from taking security seriously. Arguably, with lives at stake, life science companies have a greater responsibility than any other. We talk to Caroline Rivett, Director of Cyber Security and Privacy at KPMG, to explore the landscape and uncover the key issues that medtech companies need to consider.
CR: I work with large global companies and lead consulting projects that involve assessing organisations’ cyber security. We help them to become more secure and we help them with privacy too – understanding how to treat people’s personal data. We also help and enable organisations to comply with the forthcoming regulations.
That’s a good question. I think there are some fundamentals for cyber security and privacy that are true across all organisations – irrespective of size, industry and geography. There are basic elements that all companies need to get right. Those cover things like passwords, access, setting up your network securely, understanding what the change process is and how security is built into that, and ensuring people are aware and educated around security and privacy.
Where the differences come in relates to the types of risks that the industry is dealing with. There are three key areas of difference:
Indeed! Well, it’s entirely plausible – these devices can and have been hacked. The FDA in the US issued a warning about 18 months ago about certain medical devices that could be hacked. Having said that, there are underlying controls around most of these medical devices, such as needing to be Bluetooth-enabled with a specific serial number to access the device. A number of my colleagues work in this area in terms of securing medical devices and working with the manufacturers to actually help build in cyber security. In essence, many of these devices use quite old technology which has been built to last, where the design of the chips might not have been updated for 10 or more years and cyber security has not been built in.
No, I think it is one of those underlying infrastructural aspects that has been an issue across the whole sector. So these devices have been built with inadequate security architecture and are then used to help patients with certain conditions. Nothing I’ve seen or indicated shows that it will pertain to a certain part of healthcare or certain conditions.
What I’m certainly seeing is that life science companies and health organisations have really woken up to the fact that security and privacy are major issues. Part of that is driven by the sophistication of break-ins – whether by criminals, kids, nation states or governments – and the impact, such as in the recent WannaCry ransomware. This is driving a greater awareness of security, such as for users not to click on links in emails from unknown senders and performing back-ups, especially as company systems are taken down, key intellectual property is taken, or organisations suffer frauds and theft. But I think there’s another key driver – the European Union’s General Data Protection Regulation, which is coming next year. This will fine companies between 2-4 per cent of global turnover if they don’t comply with the strict regulations around protecting people’s personal data. A year ago, life sciences companies were starting to work on this and now they’re really increasing the vigour and rigour with which they are doing so. We’re now seeing a lot of healthcare organisations really biting the bullet and pushing forward very quickly to try to comply.
On the privacy side, many of these companies may well be looking to monetise data – so they need to understand what responsibilities they have for: