A Growing Threat to Medical Devices: Cybersecurity Fraud

As we highlighted in last year’s series, Medicare paid a total of $13.5 billion for medical equipment. The billions spent on these multiple-use and single-use devices have proven to be a ripe target for fraud:

– In 2021, St. Jude paid $27 million for allegedly selling defective heart devices.

– In the same year, two medical device manufacturers paid $38.75 million to resolve allegations they billed Medicare for defective rapid point-of-care testing devices.

– And in 2017, Shire PLC subsidiaries paid $350 million to settle allegations they employed kickbacks and other methods to induce clinics and physicians to use or overuse a bioengineered human skin substitute.

These False Claims Act cases and hundreds of others involve mainly faulty manufacturing and kickbacks, but with the technological advancement of medical devices, there are brand-new vulnerabilities to consider, such as cybersecurity.

Healthcare has become a prime target for cyberattacks, with more than 300 data breaches in the first half of 2023 alone.

A report released last month examined 993 vulnerabilities within 966 medical products and devices, showing a 59 percent year-over-year increase from 2022.

Most concerning, the largest bucket of vulnerabilities (at 64 percent) is in software applications, which most medical devices depend upon to function and which “can enable attackers to disrupt essential healthcare services, leading to delayed treatments or compromising the functionality of medical devices, potentially endangering patients’ lives.”

Devices at risk range from electronic records systems and ultrasound equipment to dialysis machines and anesthesia dispensing stations. With these types of cybersecurity risks, healthcare organizations and medical device manufacturers face a new frontier in protecting patients’ data and health.

The report recommends several steps healthcare organizations should adopt, including penetration testing and vulnerability patching.

Through the Department of Justice’s Civil Cyber-Fraud Initiative, whistleblowers also have a crucial role in exposing these schemes. The Initiative aims to hold entities accountable for “knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

If companies allow vulnerable medical devices to flood the market, whistleblowers may prove to be the most important stopgap to ensure patient safety.

James King is the Director of Communications & Digital at The Anti-Fraud Coalition