A new Moody’s report warns the medical device industry is highly vulnerable to cyber risks, largely thanks to the proliferation of insulin pumps, cardiac monitors and other devices that connect to the internet.
However, the credit rating agency thinks attacks would have just a moderate impact on the medtech sector and that it faces smaller overall risks than the broader healthcare industry.
The Moody’s warning comes against a backdrop of rising recognition of the cyber vulnerabilities of medical devices. Over the past year, FDA has proposed delineating medical devices based on whether they can directly harm patients if hacked, and HHS has opened its cybersecurity coordination center.
The potential for cyber attacks to disrupt businesses and entire industries has caught the attention of ratings agencies such as Moody’s, which said the medical device industry has more than $200 billion of rated debt. The likelihood of creditors getting that money back rests, in part, on the ability of the debtors to avoid business-threatening events such as severe cyber attacks.
In analyzing risk in the medical device industry, Moody’s zeroed in on the increasingly widespread use of insulin pumps, defibrillators and cardiac monitoring devices that provide patients and remote caregivers with real-time information.
These devices send data over the internet, creating opportunities for hackers to intercept personal health information. The fact that the devices are online also creates a risk that a hacker could remotely modify their settings.
Moody’s cites the 2017 recall of 465,000 Abbott pacemakers to make its case. The devices were recalled after Abbott learned of a vulnerability that could have allowed a hacker to modify the pacing commands or accelerate depletion of the battery. Exploitation of the vulnerability could have put patients at risk and, by extension, threatened Abbott’s ability to pay down its debt.
Even so, Moody’s thinks the impact of cyber attacks on other industries may be more severe, leading it to class medtech as a medium-high risk sector. Moody’s thinks the nine sectors in that group have some common features.
"These sectors have multiple vulnerabilities that make them cyber attack targets. They rely heavily on technology to operate, although they have some ability to reduce the operational impact of an attack through established manual processes. However, a significant data breach or prolonged disruption of operations would result in meaningful impact that reputational effects could further amplify," the agency wrote in its report.
Moody’s awarded its highest risk rating to healthcare and three other sectors. The agency classed healthcare as being both highly vulnerable to cyber attacks and likely to suffer major harm as a result of them. That view is partly based on the fact that "a breach of medical technology would pose an immediate threat that could harm the reputation of the hospital or lead to ransom demands."