IoT Cybersecurity Startup Landscape Part 2: Medical Devices

State of the market
In the last several years, there has been large-scale adoption of medical devices due to the growing need for cost-effective and efficient healthcare services and solutions. Medical devices play a very important role in monitoring patients, tracking activities and gathering data to ultimately help deliver the best possible healthcare service. Medical IoT has opened up a myriad of possibilities to improve the continuum of care and allows the creation of ecosystems composed of different components, technology applications, programs and gadgets. Even though this proliferation of medical devices has improved the delivery of end-to-end healthcare services and our overall living standards, it has also created a new and unique set of critical security challenges.
Security issues in healthcare
Healthcare is one of the biggest targets for cyber criminals. While hacking databases and medical management networks can result in the compromise and exposure of highly sensitive information, hacking smart medical devices can have disastrous health and safety consequences.
In a recent survey, researchers found that 82% of healthcare organizations have experienced a cyberattack focused on IoT devices, with 30% of those providers admitting that patient safety was compromised at some point. Cybersecurity breaches have many consequences, including operational downtime, data theft and reputational damage, and the mitigation of healthcare IoT cyberattacks is very costly, at an average of $346,205 per attack.
It is imperative for global healthcare provider organizations to continue to improve their security approach to ensure protection of their whole networks and facilities. Examples of catastrophic cyber risks range from distorted imaging devices to malfunctioning pacemakers, potentially resulting in the loss of life.

Healthcare providers are unprepared
Increased financial expenditure due to security breaches has forced lots of healthcare organizations to seek cybersecurity protection. Without effective cybersecurity measures in place, the number of cyber attacks on the healthcare ecosystem will keep increasing at a very fast pace. Unfortunately, many of the networks that healthcare organizations manage today still operate in organizational silos, leaving gaps in security. Clinical engineers often focus on securing connected medical devices while facilities and operations teams concentrate on securing building automation systems. Given siloed priorities, there need to be solutions that look at security holistically. Healthcare organizations can start by being aware of the IT, IoT and OT devices connecting to their networks.
Nowadays, ~48% of all hospital equipment is connected, and this number will reach 68% by 2023. Nevertheless, only 18.6% of organizations feel very prepared to address these security challenges and only 51% of medical device manufacturers follow FDA guidance to mitigate risks. According to Palo Alto Networks, over 83% of medical imaging devices run on unsupported operating systems, which further exacerbates the problem.
Regulations
Several healthcare regulation policymakers have released pre-market and post-market cybersecurity requirements for medical devices to better address and manage security risks for users and patients.
For instance, the FDA offers guidance addressing device security across the medical device product lifecycle. This has propelled many manufacturers to look at potential supply chain security issues, and medical device users to implement medical device cybersecurity solutions across the entire device lifecycle. The upcoming EU MDR Cybersecurity Requirement lays down new essential safety requirements for all medical devices to ensure that devices are secured from within, emphasizing the incorporation of security best practices throughout the product lifecycle.
What are the solutions offered by startups?
There’s a wide range of startups working to improve the security of the Internet of Medical Things (IoMT), and they can be categorized into the following sectors:
- Identify & Detect: solutions that provide inventory and network monitoring, continuous identification and classification of all devices, as well as detection of cyber attacks.
- Protect: solutions that secure data and network integrity, while limiting the impact of cybersecurity breaches and ensuring resilience of systems.
- Audit & Compliance: solutions that help simplify regulatory compliance for healthcare organizations, while providing quality management for medical devices.
- Security services: solutions that provide healthcare providers and device manufacturers with software and services to secure medical devices throughout the device lifecycle.

Some of the critical security capabilities organizations need for effective IoT cybersecurity include device visibility with network monitoring, improved overall security posture, response automation and orchestration, and continuous exchange of contextual insights. Effective security protection would address the different stages of the medical device lifecycle, including the development, procurement, deployment, operations and disposal of these devices.
Ending Remarks
Healthcare providers and medical supply chains will increasingly incorporate a wide range of segmentation, automation and analytics capabilities across a multitude of environments to achieve greater effectiveness against an ever-increasing cyber threat landscape. Successful startups will have effective models to sell into these more traditional players while conveying a clear ROI for the solution buyers.
As competition increases, we will increasingly observe a drop in the average sale price of cybersecurity solutions for medical devices. Profit margins will be reduced and smaller vendors will find it more challenging to compete. There will also be consolidation of the market in the upcoming years, as we’ve already seen. MedCrypt acquired MedISAO in Aug 2020 for its information sharing capabilities as well as its Software Bill of Materials tool to better serve device manufacturers. Meanwhile, Palo Alto Networks acquired Zingbox in Sept 2019 to expand its existing platform offerings for healthcare providers to gain more visibility into their connected devices at scale. This has helped these vendors expand their customer bases and offer new cross-selling opportunities.
In Part 3 of this four-article series, I’ll be covering the state of the critical infrastructure cybersecurity startup market.
Special thanks and shout-out to my colleague Ravi Mulugu, who provided me with insights to bring this piece together.
Disclaimer: This blog represents solely my own opinions, not my employer’s.