Australia’s life sciences and MedTech sector has experienced impressive growth in recent years.
Numerous research and commercial endeavours have positioned us as a serious global contender – catching the attention of international investors and collaborators alike.
Unfortunately though, these aren’t the only ones paying attention. Organisations in the sector have also become a target for threat actors seeking to steal sensitive data and disrupt operations. This is driven not only by the high value of confidential personal and commercial information, but also by the strategic importance of research data in Australia. Such research often includes intellectual property, clinical trial data and nationally significant research outcomes, making it a high value target for cyber espionage, financial exploitation, and deliberate operational disruption.
With artificial intelligence (AI) pushing the boundaries even further, it’s critical for all businesses in the sector – from start-ups to multinational entities – to ensure their defences can effectively manage the risks posed by the emerging cyber threats.
Cyber security challenges in MedTech and life sciences
Medtech and life sciences operate in a unique space, often involving widespread collaboration and complex supply chains. Data ranges from patient and clinical information to drug formulations, trial results, research findings, genomic data, manufacturing processes, trade secrets, and so much more. In an instant, a single cyber incident can irreversibly compromise intellectual property worth billions and undermine years of research and development.
There are many real-world examples of data breaches in MedTech and life sciences, and of the consequences that can ensue, such as:
- 23andMe – a US-based genetic testing company which was affected by attackers who scraped data from user accounts, including genetic ancestry and health-related information. The company has since filed for bankruptcy.
- Medlab – part of Australian Clinical Labs, fell prey to a ransomware attack that compromised the personal information of over 223,000 people. The company was ordered to pay $5.8m in civil penalties.
- Genea – one of Australia’s largest IVF providers, who reported that an unauthorised third party had accessed its systems and sensitive medical information (clinical history, diagnoses, test results, and prescriptions). This data was subsequently found on the dark web.
There are multiple other examples that have played out in the research space worldwide where medical trials were compromised, in pharmaceutical manufacturing where production was disrupted, and in hospitals where critical surgeries were impacted. Even medical devices now carry a cyber risk.
At the heart of these attacks lie highly motivated attackers and a lack of effective controls. Together, they make MedTech and life sciences organisations particularly vulnerable to:
- Ransomware: where files or systems are locked or encrypted until a ransom is paid. Attackers may also threaten to release sensitive information to the public.
- System compromise: where medical devices, operational technology (OT) environments, and lab systems running on legacy or embedded technology with limited security controls could be compromised and affect device integrity, data accuracy, or patient safety.
- Internal threats: such as disgruntled staff or human error leading to IP theft, fraud, shared sensitive information, or even accidental deletion.
- Third-party systems: including issues with third-party software, or gaps in an external partner’s cyber controls, allowing sensitive data to be compromised.
Increasingly, we’re also seeing AI manipulation play a greater role in cyber-attacks. This includes nefarious actors seeking to accelerate theft of IP and research data, introduce the risk of model manipulation or poisoning, rapidly correlate exposed datasets, and actively use AI tools to exfiltrate data.
7 key questions for assessing cyber risk
Leaders in life sciences and MedTech are often highly focussed on the science and innovation rather than the cyber security around it. Fortunately, we’ve seen a marked increase in companies with dedicated cyber security roles. Even for those where the brunt of cyber security falls on the IT manager, the focus on cyber security is understandably strong.
The challenge lies in managing the inherent complexity of operations alongside the rapidly evolving cyber risks affecting the life sciences and MedTech sector. While effective controls are often embedded in operational functions, comparable safeguards are frequently less mature across research environments and specialised domains such as OT. Cyber security leaders also find it difficult to protect data they don’t know exists. Yet it’s this visibility of data which is most important to control and mitigate the risks.
Here are 7 questions to start assessing your organisation’s cyber risk:
- What are our critical data assets? Where do they sit?
- Who should and should not have access to this data?
- What controls do we have in place now to ensure data integrity and encryption at rest and in transit?
- How are we enforcing and governing our controls? Is there continuous monitoring in place?
- Are we moving towards zero trust across research and collaborative environments?
- How secure are our partners and have we properly vetted our software providers and supply chain?
- Do we align with industry standards and guidelines?
Keep in mind that not all industry standards and guidelines will be relevant to your business.
While many exist – such as the SOCI Act, NIST Cybersecurity Framework, ISO 27001, Essential Eight, VPDSS guidance, and ISM – it’s important to focus on those that align with your operations.
Working with a cyber practitioner
MedTech and life sciences firms don’t want to be so stringent with cyber measures that it creates bottlenecks and impedes progress. However, they do want to direct their investment and capabilities to the areas that are critical.
Balancing asset value with cyber security investment is an area where a skilled cyber practitioner can assist you. 
They can also help you run cyber-attack simulation exercises to understand how your organisation would fare during a cyber incident. You can have the best-laid plans and controls in place, but unless you know how stakeholders will respond in the moment, you’re flying blind. In a sector where patient health and outcomes are at stake, this type of testing and validation is vital.
In running these exercises with clients, we find they deliver immeasurable value – allowing for fast identification of gaps and weaknesses in risk and business continuity planning.
Most importantly, a skilled cyber practitioner can work with you to achieve full visibility of your threat landscape. This includes:
- legacy and new equipment
- third-party systems
- role-based access controls
- governance frameworks, including around AI
- compliance with relevant standards
They’ll assist you to uncover risks you might not see, and understand how to leverage emerging technologies (including AI) for advanced threat intelligence.
Combined, these measures give leaders in MedTech and life sciences organisations confidence in the controls already in place and a path to strengthen cyber maturity and capability.
For a free initial consultation with a highly skilled cyber specialist from RSM, please contact our RSM Cyber specialists.