In my last post, I discussed how the transition that we’re observing to digital manufacturing (especially additive manufacturing) means medical device manufacturers are confronted with a new set of risks related to the management and control of the engineering and manufacturing data of their products. I identified five key risk areas that manufacturers must secure in order to safeguard their brand value. In this post, I’ll focus on three of them: IP risk, liability risk, and confidentiality risk.
Loss of control over intellectual property
As the digitization of manufacturing explodes and additive manufacturing becomes more prevalent, most medical device companies will be forced to consider the implications of losing control over their digitized assets. Just as the music industry suffered major revenue loss when its IP became digital (and was therefore easy to share or distribute illegally), the digital information that describes the design and engineering of medical parts will be a target of counterfeit operations.
The economic damage of IP theft is estimated at over $300 billion per year. [Ref 1] This total includes software piracy, counterfeiting, trademark violations, and other forms of stolen IP. Medical device companies need to take IP protection especially seriously: they are heavily dependent on innovation, and the value-add embedded in their products makes the industry a good target for IP theft. Today’s medical devices embody millions of dollars of research, design, testing, development, manufacturing, and marketing, and can take years to get to market.
In an industry that is at the forefront of rapid innovation, medical device companies must implement stringent and rigorous measures to protect their competitive advantages. Every year brings new rivals, novel solutions, and greater potential for theft. Whether entering a new market, incorporating connected products into their existing solutions, or exploring new manufacturing processes, medical device manufacturers must implement impregnable techniques coupled with legal strategies and a top-down risk awareness culture that protect their IP while enabling the transition to distributed manufacturing.
Liability risk may increase if a product’s design is not secure
Beyond the business and brand-reputation risks of a counterfeit product, manufacturers must also consider the ramifications of the harm that product may cause. From a legal perspective, manufacturers must protect consumers from harm caused by their product and are liable for injury or property damage caused by any defect. In defense against such claims, the manufacturer could plead that it was not the producer of the counterfeit product, or that the product included a component that, unbeknownst to the manufacturer, was in some way defective. Either way, this is likely a lengthy and expensive legal headache.
Due to the personal-injury implications of a defective medical device, there is a heavy burden on every medical device manufacturer to ensure the integrity of all parts along its supply and manufacturing chains. In practice, this means it is essential to be 100% confident that the digital information that describes a product’s design and manufacture cannot be stolen, modified or corrupted. Absent a secure method to protect this information, a manufacturer is exposing itself to enormous potential liability risk and legal costs. The integrity of the medical device digital supply chain is, more than ever, a key priority for the industry.
Loss of control over confidential/personal data
One essential characteristic of the medical industry is its responsibility for PII (Personal Identification Information) and PHI (Personal Health Information), which require HIPAA compliance. Due to the life-critical nature of the services it provides, the healthcare industry is continually under attack by cyber terrorists. Ransomware is the top threat to healthcare organizations. In 2016, this industry suffered at least one breach every day, affecting more than 27 million patient records.
One contributing problem is that most healthcare facilities and organizations are vulnerable to these attacks because they have failed to implement the latest measures to prevent intrusion by hackers and malware. Meanwhile, media reports tend to focus on the personal healthcare records that were held for ransom (or, in some cases, stolen).
However, a recent Washington Post article highlights the fact that medical devices themselves are frequently not secure.
Cybersecurity researchers have also raised alarms about vulnerabilities in implantable medical devices that hackers could exploit to injure or even kill patients. Former vice president Dick Cheney famously had his internal pacemaker taken offline because of hacking fears. [Ref 2]
This highlights the need to ensure that access to a medical device, and the data it produces, cannot be compromised due to a counterfeit product. For example, an individualized medical device may contain personally identifiable information, and a data breach may trigger security and privacy laws. Again, this points to the need to ensure that every medical device that is manufactured and released for sale is authentic and includes all the safeguards designed into it by the original engineering team.
Another example would be the prosthesis industry: additive manufacturing is a perfect technology to generate on-demand customized prostheses. Some of the data contained in the technical data package necessary to manufacture the part may fall under HIPAA scope and as such must meet the most stringent security and privacy requirements.
In my next (and final) post, I’ll focus on two cybersecurity risks associated specifically with the manufacturing of medical devices: production risk and traceability risk.
About the Author:
Stephan is currently the Co-founder and Chief Strategy Officer of Identify3d, a software company that develops software solutions for Digital Manufacturing, in charge of Strategy and Business Development. Identify3d enables the Digital Thread through design protection, manufacturing repeatability, and traceability. Stephan has more than 25 years of experience in Operations, Supply Chain, M&A and Restructuring with companies such as EY, Alvarez & Marsal and REL Consultancy. He holds an M.B.A. from Baruch College’s Zicklin School of Business and a Master in management from Dauphine University (France). Stephan also lectures at the Berkeley-Columbia Executive M.B.A. on performance improvement topics. He is a board member of 3D4pro, an Additive Manufacturing SaaS company.