The burgeoning market for medical devices is opening up a smorgasbord of potential cyber-security vulnerabilities for hackers to exploit.

Australian health technology is a mixed bag when it comes to security: new tech companies tend to be more aware of the issues, while the risk may come from more established companies, says James Wootton, head of cyber security strategy at data specialist Intalock Technologies.

“[Health devices] is a marketplace that is burgeoning at a very fast pace, so [cyber security] is not really as well-considered as it should be,” he told Stockhead.

Older devices, such as insulin pumps, are not well-protected and a “surprisingly large” number of devices are not up to par. But there are standouts such as Cochlear, says Mr Wootton.

“Cochlear (ASX:COH) for instance take it very seriously. They have staff in place, they understand there is a security risk for their implants.”

Wootton didn’t want to publicly identify companies or products he views as cyber security health risks.

Getting the right systems in place is critical from the beginning, but it’s people who present the “penetration opportunity”.

Arik Anderson, the new chief of gamified smart inhaler maker Adherium, says his products have stood up to internal hacking tests — and they are testing potential human weak points.

“That’s the next level of vigilance that we need to always keep in mind,” he told Stockhead.

“We work with firms that test our resistance… to protect our patients.”

Adherium’s (ASX:ADR) inhalers are connected to an app which can tell if a person is using their inhaler correctly, or at all.

Health tech companies dealing in data must have cyber security at the center of their systems from the beginning, building it in from “the ground up” as pain detection app ePAT (ASX:EPT) has done.

Yet patients are still not demanding security as a key feature of high-tech medical products.

Patients often don’t consider that aspect, and medical staff just expect a device to work, Mr Wootton says.

“It’s something that you wouldn’t consider as an end-user,” he said.

ePAT chief technology officer Scott Robertson says while all of their cyber security is self-driven, it dovetails with institutional clients’ obsession with privacy.

“The initial discussions we had with public clients are more around [the Privacy Act] and whether we have a privacy policy,” he told Stockhead.

That means restrictions on who can access data and requirements for how it’s stored, which ties in nicely with cyber security arrangements to encrypt data in transit and store it on secure servers.

ePAT did its first commercial deal earlier this month with Dementia Support Australia, which raises another question: what if a device is used by someone who might forget their password, or can’t be as security conscious?

Robertson says that’s not an issue for ePAT, which is used by carers and institutions.

“The app is designed for people who can’t communicate their pain, so mid-to-late onset dementia,” he said. “[Users who] are not taping the password to the device.”