
Medical device giant Medtronic confirmed this weekend that its systems had been hacked by an unauthorized party. Here are six things to know about the cyberattack.
—Medtronic said the cybersecurity incident did not disrupt its manufacturing, distribution or patient care. The breach was limited to the company’s IT systems rather than Medtronic’s products or clinical infrastructure, according to a company statement published on April 24.
—Cybercriminal group ShinyHunters claimed responsibility for the cyberattack. The group claimed to have exfiltrated over 9 million records, including personal patient data and internal Medtronic company data.
—The big unknown is how much data the hackers stole, and exactly what type of data. Medtronic said it was still investigating the extent of the breach and had not yet confirmed whether sensitive patient or employee information was actually compromised.
—Medtronic did a good job separating its business systems from its product and clinical networks, which prevented the incident from impacting patient safety – but segmentation is not the lesson. ShinyHunters and similar cybergangs typically gain access through human tactics such as phishing, fake login pages or employee manipulation, as opposed to advanced technical exploits, pointed out Christian Espinosa, CEO of medical device cybersecurity consultancy Blue Goat Cyber. He noted that ShinyHunters was able to hack Google, Allianz and Cisco this way.
“The medtech industry continues to treat cybersecurity as a technology problem. That’s not the case. Medtronic almost certainly has world-class technical controls. So does Google. So does Cisco. None of that mattered because the tools don’t protect against a convincing phone call or a well-crafted phishing page,” he said.
—The attack shows that medical technology companies could become more vulnerable targets for cybergangs. It comes just a few weeks after Stryker, another medical technology giant, suffered a massive cyberattack that took down its internal systems worldwide and caused delays in order processing and manufacturing. Intuitive Surgical was also hit by an attack last month, with hackers gaining access to some of its internal systems.
—Even if Medtronic claims that care was not interrupted, the stolen data could still be used for fraud or other harmful activities. Hackers are increasingly prioritizing enterprise IT environments as an entry point, knowing that they often contain high-value data but are less rigorously segmented than the medtech company’s production or patient-facing systems, noted Ensar Seker, chief information security officer at threat intelligence platform SOCRadar.
“Even though Medtronic states there is no impact to product or patient safety, the theft of millions of records, if confirmed, still poses a significant risk, particularly for identity theft, targeted phishing and supply chain exploitation. In healthcare, ‘no operational impact’ does not mean ‘no risk’: exposure of sensitive data can have long-term downstream consequences,” Seker said.
Photo: Robert Way, Getty Images



























