Christopher Gates, Director of Product Security, Velentium
02.28.24
The medical device industry has traditionally been subject to a very active mergers and acquisitions environment. Last year, however, the volume of M&A activity was down significantly, as demonstrated by the third quarter, which fell by 74% compared to the year prior. In 2024, we should see a rise in M&A due to several factors—an upswing in the economy, a lack of the anticipated impact on the medtech business from GLP-1 medications, and the amount of excess capital many larger medtech firms have in their coffers. As a result, substantial “due diligence” will be required from cybersecurity personnel. These additional tasks are divided into two distinct areas: infrastructure due diligence and device due diligence.
Infrastructure Due Diligence
In November 2023, I attended a roundtable session on the topic of M&A and cybersecurity at the H-ISAC Fall Summit in San Antonio. It was a fascinating discussion led by Phil Englert from H-ISAC with medical device firms and health delivery organizations in attendance.
It was explained that, in the case of an acquisition, employees of the company being purchased often have a defeated attitude, which needs to be nurtured back to health before they can be integrated into the acquiring company’s team. With a merger, members from both organizations may have a negative perspective or be adversarial to those from the other firm. This can result in a damaging, long-term impact for the new organization and cannot be left uncorrected to fester.
In either scenario, one cybersecurity team may be trying to hide any serious concerns. However, the senior leadership team will likely want 100% insight into any issues to provide confidence about the strategic transaction. While multiple rounds of questionnaires may unearth potential problems, reality will more likely enable one team to infer the status of security provided by the other team and make approximations regarding what is missing. Specific answers are rarely available. The goal is to understand the gaps and estimate the costs to bring the other organization up to the existing cybersecurity standards. This breaks down into three phases:
Phase 1: Pre-Acquisition
Use questionnaires to gain insights into the following questions and leverage others in your organization to ask these questions if the security team isn’t yet invited to contribute.
- Do you have a dedicated security program or team? If so, what size is the team?
- Do you have a patching and/or vulnerability management policy and program?
- Are you operating a SIEM? Is it operated internally or through an external third party?
- What is the history of cybersecurity incidents?
- Do you have a cybersecurity insurance policy? Have you had any claims?
- Are you compliant with any existing standards/certifications? If so, what? And for how long have you been compliant?
- What has been your cybersecurity budget over the last several years?
- How much of the cybersecurity budget is going to third parties?
- Do you have a third-party security risk program?
- Are all purchased cybersecurity solutions being fully utilized?
- What gaps within your security program are you currently aware of or working on?
- When did the last external cybersecurity assessment take place? What were the results?
This is often when you will experience the most attacks; the volume of attacks has been observed to increase by as much as six times compared to the previous day. Expect to run in crisis mode; get the edges protected first and then focus on the endpoints. The smaller target is assumed (by the attackers) to be an easy one that could serve as a portal into the larger organization.
The answers from Phase 1 will dictate the questions/actions for Phase 2. There can't be a pre-defined playbook without an understanding of the answers from Phase 1.
Phase 3: Integration
The answers from Phase 2 will then dictate the steps for Phase 3. Again, there cannot be a plan without the lessons learned from the prior phase. For the long term, run security scorecards on the other firm (now all one company). This is when the cybersecurity team should start addressing the gaps and known issues that were not corrected before the M&A activity occurred.
Device Due Diligence
Device cybersecurity could potentially have a greater impact on the purchasing organization than infrastructure security, as the acquisition target company has potentially spent years “polishing” the appearance of its product line to be an attractive M&A target. This effort usually results not in implementing effective security mitigations across the catalog but in obscuring and hiding known issues. The target company is not being acquired for the security mitigations in its infrastructure; rather, the perceived value of its product offerings and intellectual property is typically the prize.
Oddly, while infrastructure security team members may rarely be asked to evaluate the incoming infrastructure, the product security team is never asked to evaluate the incoming product line. If the product development team is made aware of its organization’s interest in acquiring the target firm, it will be up to the product security team to inject itself into the process by lobbying the acquisition team (e.g., through emails, texts, calls, etc.) to raise awareness of the risks posed by not evaluating the target’s products.
Many examples of a failure to evaluate acquired product lines exist, but probably the most notable is the 2016 acquisition of St. Jude Medical by Abbott Labs. During the transaction process, Muddy Waters Capital—an investment house—and medical device security firm MedSec publicly made claims about vulnerabilities in St. Jude’s implantable heart devices. In addition, Muddy Waters had sold St. Jude stock short in an attempt to make money from this disclosure of vulnerabilities.
Abbott was the victim in this case, as it had no idea there were known vulnerabilities (yes, plural) [1-4] in the St. Jude implant. This caused the firm to lose time and money responding to the accusations and implementing mitigating controls in the implant’s firmware.
Had Abbott known about the vulnerabilities, would they have continued with the acquisition? While we will never know, they should have had the information available to them to help de-risk the acquisition and evaluate the target’s true value.
Similar to infrastructure security, there are phases involved with device security.
Phase 1: Pre-Acquisition
- Do you have a dedicated product cybersecurity team? If so, what is the size of the team?
- What formal training in cybersecurity do the team members have?
- Are you in compliance with the FDA’s premarket cybersecurity guidance (Sept. 27, 2023)?
- Are you in compliance with MDR’s cybersecurity requirements, including all postmarket testing and reporting?
- Do you have a CAPA process for managing postmarket vulnerabilities?
- Do you have a Coordinated Vulnerability Disclosure procedure?
- Is the product development process based on a standard for secure product development, such as IEC 81001-5-1?
- Is there a history of product cybersecurity incidents?
- How do you notify and support end users of vulnerabilities in your medical devices?
- What has been your product cybersecurity budget over the last several years?
- Which of the products in your portfolio have been developed in accordance with secure development procedures and which are considered “legacy devices”?
- What are all the known vulnerabilities in your entire product line?
- Is there a supply chain cybersecurity procedure that is followed for all software components used in medical devices?
- What gaps within your product security program are you currently aware of or working on?
- List any regulatory issues with the FDA regarding the cybersecurity of your products.
- Do you perform postmarket cybersecurity testing of all existing products?
With medical devices, these phases are a little more compressed than with infrastructure. Start by applying your current best cybersecurity testing practices to all acquired products. The results will help inform the next step—determining which products to mitigate, which products to replace with new similar devices, and which products to declare as being at “End of Support.” There are many factors to consider in these decisions, but the cybersecurity status of each device should be part of the process.
Conclusion
Realize that the answers to these questions will likely not be perfect; it is unrealistic to expect any organization to have completely accurate responses for all of them. However, the exercise may provide a better understanding and more thorough knowledge of the issues at hand. This can inform the decision to terminate a transaction or continue with it, and the information revealed can be leveraged to determine which issues need to be addressed immediately versus those that can wait. Good luck with your future M&A activity, as it promises to be an exciting 2024 for medical device cybersecurity.
References
Christopher Gates is the director of Product Security at Velentium. He is the current co-chair for H-ISAC’s MDSC. Gates has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, Bluetooth SIG, and FDA to present, define, and codify tools, techniques, and processes that enable the creation of secure medical devices.