
Balancing innovation and cybersecurity: Medtech's challenge

Cybersecurity MMBI industry snapshot

April 16, 2025

Key takeaways

  • Medtech companies must balance innovation with cybersecurity to protect sensitive data.
  • Leveraging stored data can improve patient outcomes and device performance.
  • Compliance with regulations and managing third-party collaborations are crucial for cybersecurity.


For many medtech businesses, cybersecurity has become a critical balancing act between innovation and protection.

“While it is crucial to protect sensitive data and comply with regulatory requirements, dedicating excessive resources to cybersecurity can be unprofitable for lean medtech companies focused on cutting-edge innovation that drives the company's value,” says Amanda Laskey, a life sciences senior analyst at RSM US LLP. “Companies need to identify the most critical areas to protect, such as proprietary information and patient data, while also addressing regulatory compliance, all without overextending resources.”

Unused data

Many medtech companies are currently focused on securely storing vast amounts of data to meet cybersecurity regulatory requirements, such as those set by the U.S. Food and Drug Administration, Laskey notes. For many of them, however, that data is just that: stored. It is not being used or analyzed, she says.

“There is a significant opportunity for companies to leverage this stored information to improve patient outcomes and device performance,” says Laskey. “This data can unlock other opportunities to address a multitude of health needs. Many companies are just sitting on top of unused information.”


Compliance and third-party collaborations

Regarding current and emerging regulatory compliance, Laskey notes that recent cybersecurity regulations have not posed significant challenges for most medtech companies, as many were already largely compliant. She predicts that the next regulatory focus is likely to be on medical devices that use generative artificial intelligence and machine learning, particularly concerning how data is collected, stored and used to provide health care advice. Laskey says ensuring that AI-generated advice is accurate and applicable to diverse populations is a critical challenge.

Another cybersecurity concern for medtech companies is third-party collaboration, especially with health care systems.

“Health care systems have been particularly vulnerable to cyberattacks, and integrating with these systems requires careful legal and technical considerations to protect data,” Laskey says. “To mitigate risks, some medtech companies may prefer to avoid direct integration with health care systems and instead manage data independently.”

To address third-party security concerns, medtech companies should consider the following:

  • Data integration and sharing: Encrypt sensitive data in transit and at rest. For partner connections, that means TLS 1.2 or later with certificate and hostname verification kept on; for records shared with or stored by the partner, authenticated encryption with documented key ownership. Resist the temptation to disable certificate verification to get a troublesome integration working, since that removes the protection the protocol exists to provide.
  • Compliance requirements: Establish clear written agreements that set out each party's responsibilities and liabilities for data protection, including the third party's obligation to comply with the regulatory requirements and standards that apply to the data.
  • Risk assessment and management: Assess third-party systems for vulnerabilities before connecting to them, and mitigate the risks identified through regular security audits and continuous monitoring of third-party activity.
  • Incident response and recovery plans: Develop and maintain incident response and recovery plans that cover third-party scenarios, and make sure third parties know the plans and can collaborate effectively during a cybersecurity incident.
  • Continuous improvement and training: Update cybersecurity policies and practices regularly to address emerging threats, and train both internal staff and third parties on current threats and best practices.
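The first item in the list above, secure transmission to a partner system, is where integrations go wrong most quietly: a partner certificate fails to validate and verification gets switched off to ship. The following is an added example, not code from the article or from RSM, using only the Python standard library. It builds the hardened TLS client context a medtech integration should use when sending device or patient data to a partner, places the permissive version beside it, and audits a context for the weak settings so the same check can run in CI against whatever code builds the production context. PARTNER_HOST and the CA-bundle filename in the comment are placeholders, and nothing here opens a network connection.

```python
"""Added example (not from the RSM article): a standard-library TLS
client-context check for third-party integrations.

strict_client_context()     - the context to use toward a partner system
permissive_client_context() - the 'just make it connect' variant, shown
                              only so audit_context() can flag it
audit_context()             - returns the weak settings as findings
open_partner_connection()   - refuses to bind a failing context to HTTPS
"""
from __future__ import annotations

import http.client
import ssl

# Placeholder hostname; assumed for illustration, not an endpoint from the article.
PARTNER_HOST = "partner-api.example.invalid"

# Protocol versions an audit should reject for a new integration.
_WEAK_MINIMUMS = (
    ssl.TLSVersion.MINIMUM_SUPPORTED,
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def strict_client_context() -> ssl.SSLContext:
    """Verify the partner's certificate chain and hostname; refuse TLS below 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # In production, trust only the partner's CA rather than the whole system
    # store. The filename is an assumption for illustration:
    # ctx.load_verify_locations(cafile="partner-ca.pem")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """Weak settings often added to get an integration 'working'.

    Order matters: check_hostname must be cleared before verify_mode can be
    set to CERT_NONE, which is exactly the sequence a hurried fix tends to use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Accept whatever the linked library still supports, including old TLS.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: partner certificate is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate is accepted for any host")
    if ctx.minimum_version in _WEAK_MINIMUMS:
        findings.append(f"minimum_version is {ctx.minimum_version.name}: TLS below 1.2 allowed")
    return findings


def open_partner_connection(ctx: ssl.SSLContext, host: str = PARTNER_HOST) -> http.client.HTTPSConnection:
    """Bind an audited context to an HTTPS connection object.

    Nothing is sent until .request() is called, so this is safe offline; a
    context with findings is rejected here rather than at 3 a.m. on an incident.
    """
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect with a weak TLS context: " + "; ".join(problems))
    return http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)


if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()),
                      ("permissive", permissive_client_context())):
        print(f"{name}: {audit_context(ctx) or 'OK'}")
```

The audit deliberately inspects the context object rather than a live handshake: it is the setting that gets quietly relaxed during integration work, and checking it in a unit test catches the change before it reaches a partner connection.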

Lastly, medtech companies should keep in mind that cybersecurity is a constant that spans a product's entire lifecycle, from research and development through commercialization to its eventual sunsetting, and regulatory steps will arise at every stage. Ultimately, while innovation and growth are essential for many medtech companies, organizations must balance these drivers with robust cybersecurity measures to safeguard critical data and maintain regulatory compliance.
