Securing Medical Technologies

20/02/2023

Med-techs have become a gold mine for hackers nowadays given the amount of information they collect and store. Nearly every piece of medical technology is now connected to the Internet. From diagnostic equipment like MRI, CT or ultrasounds to patient monitoring, infusion pumps and hospital equipment, everything is now exposed to the internet. The connectivity of smart, IP addressable devices, opens them up to remote access and manipulation paving the way for data theft or denial of service that can have consequences that go beyond financial loss. Innovation brought by Medtech companies is driven by major advancements in technology over the last decade. These innovations result in larger and more complex attack surfaces that are harder to control.

1. Implement proactive and layered defensive systems

Having a layered defence simply means having multiple steps in place before someone can access your data and includes measures that provide protection across the following layers of the traditional communication network model:

Network access layer: Network security measures control access to your network and operating systems. When you connect your network to the Internet, you need to ensure that you have adequate network-level security measures in place to prevent unauthorised access to confidential or private data and to block intrusions. Common network security measures include:

  • Firewalls
  • Network segmentation — This lets you define boundaries between network segments, separating assets that share a common function from those that hold privileged access or sensitive information.
  • IDS — Intrusion detection system or IPS — Intrusion prevention systems
  • Sandboxing of relevant data
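The segmentation point above is only useful if the boundaries are enforced and checked. As an added example (not code from the original article), the script below models a hospital network as zones with an allow-list of permitted cross-zone flows, then reviews constructed firewall flow records and reports every flow that crosses a boundary the policy does not permit. The zone ranges, the policy table and the log lines are all illustrative assumptions.

```python
"""Added example (not part of the original article): checking flow logs
against a network segmentation policy.  Zone names, address ranges, the
allow-list and the flow records are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed segmentation of a hospital network into zones (illustrative).
ZONES = {
    "medical_devices": ipaddress.ip_network("10.10.0.0/24"),      # infusion pumps, imaging
    "clinical_apps":   ipaddress.ip_network("10.20.0.0/24"),      # PACS / EHR servers
    "workstations":    ipaddress.ip_network("10.30.0.0/24"),      # staff PCs
    "guest_wifi":      ipaddress.ip_network("192.168.100.0/24"),
}

# Permitted cross-zone flows: (source zone, destination zone, destination port).
# Anything not listed here is treated as a policy violation.
ALLOWED = {
    ("medical_devices", "clinical_apps", 443),   # device telemetry to the EHR over TLS
    ("workstations", "clinical_apps", 443),      # staff access to clinical applications
    ("workstations", "medical_devices", 443),    # device web UI for authorised staff
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line such as 'src=10.30.0.5 dst=10.10.0.7 dport=443'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return a description of the violation, or None if the flow is permitted."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for the boundary policy
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return f"{src_zone} -> {dst_zone}:{flow.dport} not permitted ({flow.src} -> {flow.dst})"


def audit(lines: list) -> list:
    """Run every log line through the policy and collect the violations."""
    return [v for v in (check_flow(parse_flow(line)) for line in lines) if v]


# Constructed sample flow log (values are illustrative, not from a real network).
SAMPLE_LOG = [
    "src=10.30.0.5 dst=10.20.0.9 dport=443",       # workstation -> EHR: allowed
    "src=10.10.0.7 dst=10.20.0.9 dport=443",       # device telemetry: allowed
    "src=192.168.100.23 dst=10.10.0.7 dport=22",   # guest wifi -> device: violation
    "src=10.30.0.5 dst=10.10.0.7 dport=445",       # workstation -> device on 445: violation
    "src=10.10.0.7 dst=10.10.0.8 dport=80",        # device to device: intra-zone, not checked
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print("VIOLATION:", violation)
```

In practice the allow-list would be generated from the firewall configuration and the flow records would come from the firewall or a NetFlow collector; the point is that every cross-segment flow has to be explained by a rule, and anything unexplained is worth an alert.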

Internet and transport layer security: You cannot control how your traffic flows from source to destination when you communicate across an untrusted network like the Internet. Unless you set up the right security measures, such as configuring your applications to use SSL or setting up a VPN, your routed data is available for anyone on the path to view and use. Internet layer security measures can be put in place to protect your data as it flows between the other security level boundaries.

Application layer security: Application security measures refer to the features within applications that prevent security vulnerabilities against threats such as unauthorised access and modification. Multi-staged attacks are often staged at this layer and can be a way to gain access to your network systems. The application layer security measures that you can put in place need to include both server-side and client-side security exposures. Common security measures include:

  • Strong authentication such as MFA.
  • Encryption if your network traffic contains sensitive data. Encryption is one of the most useful data protection methods for medtech companies as it provides an added layer of security by protecting data both when it is transferred and when it is stored (at rest).
  • Application security testing
  • Logging to visualise who accessed which information at what time
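Logging who accessed which information and when only pays off if someone reviews it. As an added example (not code from the original article), the script below reviews constructed application audit-log lines for a patient-record service and flags two things: an action the user's role is not entitled to, and a user reading an unusual number of distinct patient records within a short window, which is a common indicator of data theft. The role policy, thresholds, user names and log lines are all illustrative assumptions.

```python
"""Added example (not from the article): reviewing an application audit log
for a patient-record service.  Role policy, thresholds, users and log lines
are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Which roles may perform which actions (illustrative policy).
ROLE_PERMISSIONS = {
    "physician": {"read_record", "update_record"},
    "nurse":     {"read_record"},
    "billing":   {"read_billing"},
    "it_admin":  set(),   # administrators maintain the system; they do not read patient data
}
BULK_THRESHOLD = 3                   # more distinct patients than this ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window is flagged


def parse(line: str):
    """Each constructed line is: ISO timestamp, user, role, action, patient id."""
    ts, user, role, action, patient = line.split()
    return datetime.fromisoformat(ts), user, role, action, patient


def review(lines: list) -> list:
    """Return human-readable findings for permission violations and bulk access."""
    findings = []
    per_user = defaultdict(list)     # user -> [(timestamp, patient)]
    for line in lines:
        ts, user, role, action, patient = parse(line)
        if action not in ROLE_PERMISSIONS.get(role, set()):
            findings.append(f"{ts.isoformat()} {user} ({role}) not permitted to {action} on {patient}")
        per_user[user].append((ts, patient))

    # Sliding window: count distinct patients seen within BULK_WINDOW of each access.
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - start <= BULK_WINDOW}
            if len(window) > BULK_THRESHOLD:
                findings.append(f"{start.isoformat()} {user} accessed {len(window)} distinct patients within {BULK_WINDOW}")
                break            # one finding per user is enough for triage
    return findings


# Constructed sample audit log (illustrative users and patient ids).
SAMPLE_LOG = [
    "2023-02-20T08:01:00 dr_martin physician read_record P-1001",
    "2023-02-20T08:05:00 nurse_kim nurse read_record P-1001",
    "2023-02-20T08:07:00 nurse_kim nurse update_record P-1001",   # nurses may not update
    "2023-02-20T09:00:00 it_admin1 it_admin read_record P-2002",  # admin reading patient data
    "2023-02-20T12:00:00 dr_martin physician read_record P-1002",
    "2023-02-20T12:01:00 dr_martin physician read_record P-1003",
    "2023-02-20T12:02:00 dr_martin physician read_record P-1004",
    "2023-02-20T12:03:00 dr_martin physician read_record P-1005",  # four patients in three minutes
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Real deployments feed these findings into a SIEM and tune the threshold per role (an emergency physician legitimately opens many records in a shift), but the structure is the same: the log must carry user, role, action, object and time, or none of these questions can be answered.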

A layered defence approach is a strategy in which your security policies define what you want to protect and what you expect of your system users. However, every network is different, so it is important to really understand your attack surface before making heavy investments of time and money in a range of security measures. Know what data is at risk and how it is accessible in order to make smart investments that will improve your cyber resilience.

2. Have a strong authentication mechanism in place

Regardless of the device type or operating system, a password should be required to log into a system. Although it may seem pretty obvious, cyberattacks targeting the authentication mechanisms are all too common. Any initial access allows an intruder to move deeper into your network in search of more sensitive data and other high-value assets. Although a strong password will not prevent attackers from trying to gain access, it adds an extra layer that can discourage or slow them down. The combination of good passwords with strong authentication mechanisms adds up to an effective framework for the protection of medical and personal data. As a system administrator, here are the steps you should take when setting up your authentication mechanisms:

Password policies need to be set and agreed upon by every member of your organisation:

  • Passwords need to be sufficiently complex within the standards of the ANSSI or ENISA
  • Your passwords should be changed routinely and never be reused
  • You should always check for default passwords when purchasing any kind of equipment or software, and change them immediately if any are found.
  • Use multi-factor authentication where possible

As a developer, you should pay particular attention to:

  • Never store the password itself, whether encrypted or not; store only a hash of it.
  • Use secure, known hashing algorithms like SHA
  • Salt and pepper your passwords for maximum security for you and your users
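The two lists above describe one procedure: the administrator sets the policy, and the developer makes sure only a salted, peppered hash is ever stored. As an added example (not the article's own code), the block below implements both sides with Python's standard library. The hash is derived with PBKDF2-HMAC-SHA256, a deliberately slow, iterated construction built on SHA-256, rather than a single SHA digest, and the pepper is a server-side secret kept outside the database. The default-credential list, the pepper value, the policy thresholds and the sample passwords are constructed for illustration.

```python
"""Added example (not the article's own code): password policy check plus
salted and peppered password storage.  The pepper value, the known-defaults
list and the thresholds below are constructed for illustration."""
import hashlib
import hmac
import os
import secrets

# Assumption: in production the pepper comes from the environment or a secrets
# manager and is never stored next to the hashes.  A constructed value is the fallback here.
PEPPER = os.environ.get("PASSWORD_PEPPER", "constructed-demo-pepper-not-for-production").encode()
ITERATIONS = 600_000      # PBKDF2 work factor; raise it as hardware gets faster
MIN_LENGTH = 12

# Vendor defaults that must be changed on any new equipment (constructed list).
KNOWN_DEFAULTS = {"admin", "password", "1234", "Password1", "medtech"}


def policy_violations(password: str) -> list:
    """Administrator side: return the policy rules a candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password in KNOWN_DEFAULTS:
        problems.append("matches a known default credential")
    return problems


def hash_password(password: str) -> str:
    """Developer side: return 'pbkdf2_sha256$iterations$salt$hash'.
    Only this string is stored; the password itself never is."""
    salt = secrets.token_bytes(16)                       # unique per user, stored with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + PEPPER, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3xtra-long"    # constructed sample password
    print("policy problems:", policy_violations(candidate) or "none")
    record = hash_password(candidate)
    print("stored:", record)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong:  ", verify_password("wrong-password-123!", record))
```

Two details matter more than they look: the salt is random per user, so two users with the same password get different hashes and a precomputed table is useless, and the comparison uses `hmac.compare_digest`, so a mismatch takes the same time whether it fails on the first byte or the last.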

3. Secure your IoT devices

Major advances in wireless technology like IoT are driving innovation, especially in Medtech. The increase in connected devices renders attack surfaces more complex that are consequently a lot harder to control. Securing IoT requires a multi-faceted approach that can start with reading our guide on IoT security.

Conclusion

As a MedTech company, there is a high chance that you are dealing with sensitive information that is a prime target for malicious actors. Your first step towards cyber resilience should start with understanding what is at risk and where, in order to put in place the right controls and mechanisms to maximise the security of your data. Be proactive and conduct regular assessments of your security posture from a hacker’s perspective to identify where your security gaps lie and how they can be closed.

“To know your enemy you must become your enemy”
