Medical device giant Medtronic confirmed over the weekend that its systems had been hacked by an unauthorized party. Here are six things to know about the cyberattack.
—Medtronic said that the cybersecurity incident did not disrupt its manufacturing, distribution or patient care. The breach was limited to corporate IT systems rather than Medtronic’s product or clinical infrastructure, according to a company statement published on April 24.
—Cybercriminal group ShinyHunters has claimed responsibility for the cyberattack. The group said it exfiltrated more than 9 million records, including patients’ personal data and Medtronic’s internal company data.
—The big unknown is how much — and exactly what kind of — data the hackers stole. Medtronic said it is still investigating the scope of the breach and has not yet confirmed whether sensitive patient or employee information was actually compromised.
—Medtronic did a good job separating its corporate systems from its product and clinical networks, which prevented the incident from affecting patient safety — but segmentation isn’t the lesson. ShinyHunters and similar cybergangs typically gain access through human tactics like phishing, fake login pages or manipulating employees, as opposed to advanced technical exploits, pointed out Christian Espinosa, CEO of medical device cybersecurity consultancy Blue Goat Cyber. He noted that ShinyHunters was able to hack Google, Allianz and Cisco this way.
“The medtech industry keeps treating cybersecurity as a technology problem. It isn’t. Medtronic almost certainly has world-class technical controls. So did Google. So did Cisco. None of it mattered because tools don’t defend against a convincing phone call or a well-crafted phishing page,” he stated.
—The attack shows that medtech firms may be becoming more vulnerable targets for cybergangs. It comes just weeks after Stryker, another medtech giant, suffered a massive cyberattack that knocked out its internal systems worldwide and caused delays to order processing and manufacturing. Intuitive Surgical was hit by an attack last month as well, with hackers gaining access to some of its internal systems.
—Even if Medtronic says care wasn’t disrupted, stolen data could still be used for scams or other harmful activities. Hackers are increasingly prioritizing corporate IT environments as an entry point, knowing these often contain high-value data but are less rigorously segmented than the medtech company’s production or patient-facing systems, noted Ensar Seker, chief information security officer at threat intelligence platform SOCRadar.
“Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing and supply chain exploitation. In healthcare, ‘no operational impact’ does not mean ‘no risk’ — sensitive data exposure can have long-term downstream consequences,” Seker declared.
Photo: Robert Way, Getty Images