The new gold: how valuable data needs to be handled within healthcare


As an industry focussed on innovating for improved health outcomes, life sciences has not always put cyber security and data protection at the top of the agenda. Yet the recent global ransomware attack that took down NHS systems is a clear demonstration that no industry is exempt from taking security seriously. Arguably, with lives at stake, life science companies have a greater responsibility than any other. We talk to Caroline Rivett, Director of Cyber Security and Privacy at KPMG, to explore the landscape and uncover the key issues that medtech companies need to consider.


MTE: Can you tell us a bit about your role?

CR: I work with large global companies and lead consulting projects that involve assessing organisations’ cyber security. We help them to become more secure and we help them with privacy too – understanding how to treat people’s personal data. We also help and enable organisations to comply with the forthcoming regulations.

Do you think cyber security and data privacy differs in life sciences? Or do you think the issues that companies face are pretty universal irrespective of industry?

That’s a good question. I think there are some fundamentals for cyber security and privacy that are true across all organisations – irrespective of size, industry and geography. There are basic elements that all companies need to get right. Those cover things like passwords, access, setting up your network securely, understanding what the change process is and how security is built into that, and ensuring people are aware and educated around security and privacy.

Where the differences come in relates to the types of risks that the industry is dealing with. There are three key areas of difference:

  • In terms of personal data, almost by default, companies in healthcare will be holding an individual’s highly personalised information, including medical records, genomic data, genetic data, sibling data, potentially their insurance details and their bank details. Most of the organisations will have mechanisms to protect personal information.
  • Secondly, the use of the internet of things or the industrial internet of things poses a different threat for life sciences: that is, having systems which are not pure IT systems, but are being used as a core part of the business and the organisation and the company. In hospitals you have got large, electronically enabled medical devices that are increasingly connected to networks, the internet and mobile devices. In life science companies, you tend to find production, manufacturing, lab and research systems – all of which are electronically enabled – but at the same time, none of which have previously been a core part of security remediation. And in addition, you’ve got an increasing use of mobile and tech within healthcare, where there are also risks.
  • Last, but by no means least, life science is an industry focussed on people and patients. People are relying upon these devices to stay alive, to be treated. Here is an industry where, perhaps like no other, you’ve got people’s lives depending upon systems and technology, so security over these systems has to be strong to maintain the integrity of the data and the systems’ operations.

I’m sure you’ve been asked more than once about the infamous episode of Homeland where the President’s pacemaker is hacked. Is that a real risk?

Indeed! Well, it’s entirely plausible – these devices can and have been hacked. The FDA in the US issued a warning about 18 months ago about certain medical devices that could be hacked. Having said that, there are underlying controls around most of these medical devices, such as needing to be Bluetooth-enabled with a specific serial number to access the device. A number of my colleagues work in this area in terms of securing medical devices and working with the manufacturers to actually help build in cyber security. In essence, many of these devices use quite old technology which has been built to last, where the design of the chips might not have been updated for 10 or more years and cyber security has not been built in.

Does the hacking of medical devices pertain to particular medical specialities and/or medical conditions?

No, I think it is one of those underlying infrastructural aspects that has been an issue across the whole sector. So these devices have been built with inadequate security architecture and are then used to help patients with certain conditions. Nothing I’ve seen indicates that it will pertain to a certain part of healthcare or certain conditions.

What do you think has changed in the industry in the last couple of years?

What I’m certainly seeing is that life science companies and health organisations have really woken up to the fact that security and privacy are major issues. Part of that is driven by the sophistication of break-ins – whether by criminals, kids, nation states or governments – and their impact, such as in the recent WannaCry ransomware. This is driving a greater awareness of security, such as users not clicking on links in emails from unknown senders and performing back-ups, especially as company systems are taken down, key intellectual property is taken, or organisations suffer frauds and theft. But I think there’s another key driver – the European Union’s General Data Protection Regulation, which is coming next year. This will fine companies between 2 and 4 per cent of global turnover if they don’t comply with the strict regulations around protecting people’s personal data. A year ago, life sciences companies were starting to work on this and now they’re really increasing the vigour and rigour with which they are doing so. We’re now seeing a lot of healthcare organisations really biting the bullet and pushing forward very quickly to try to comply.

If you were going to give advice to early-stage startup companies in medtech about security and privacy, what would it be?

On the privacy side, many of these companies may well be looking to monetise data – so they need to understand what responsibilities they have for:

  • Getting people’s consent for the use of their own personal data: Consent can’t be totally open, giving the company permission to use data for anything and everything. It needs to be very defined, with a planned usage, stating ‘this is how we plan to use your data’ and ‘do you consent to this?’ The consent aspects are certainly becoming a lot stricter under the new regulation. There is, of course, a more practical aspect to all this. Do people read the consent wording – do they care about the consent processes when they want to interact with technology? Many people will often just sign whatever the wording is – this is their individual choice.
  • Protecting data: Companies need to understand how they store data, where it goes and how they are protecting it. They need strong security over any personal data. And, if it is being transmitted across international borders, such as to Cloud service providers situated in other geographic regions, they might need to indicate this to the people whose data they are collecting. It’s not just about adhering to the regulations, though – it’s about the value of the business, both from a reputational point of view of protecting individuals’ data, but also because many smaller organisations in their early stages might look to collect data which will be part of their valuation when they’re sold. The purchasing company may look to understand how they’re protecting this data and whether or not they have got consent for its usage. If they don’t have those aspects in place, then this might well impact the underlying valuation, because they might not be able to use the data.

About the author

MedTech Engine's Director of Product & Engagement, Claudia is the digital brains behind the site. Her experience in business, marketing, brand development and the online experience has been honed over 18 years.
