When we speak with our medical device customers around the world, one of the issues foremost in their minds is the potential for intellectual property (IP) theft. In an industry so heavily dependent on innovation, device companies go to great lengths to safeguard their competitive advantages as each passing year brings new rivals, novel solutions, and greater potential for theft. Whether entering a new market, incorporating connected products into their existing solutions, or expanding their distribution network, IP concerns are ever present.
It’s a valid concern, as the economic damage of IP theft is estimated at over $300 billion per year. This total includes software piracy, counterfeiting, trademark violations, and other forms of purloined IP. A significant amount of theft comes from China, according to the IP Commission Report, as well as from other countries that lack judicial infrastructure to enforce existing laws. In addition, there have been some cases of government-sponsored efforts to acquire trade secrets in order to facilitate economic growth. The exact figures for each industry and type of theft are hard to estimate because many companies are reluctant to report instances, due to concerns about the effect on valuations or stock prices. One thing is certain: medical device companies need a multi-faceted approach to protect their IP.
Theft via hacking has become a real threat for IP-driven industries. In 2014, medical device giants Medtronic, St. Jude, and Boston Scientific were all infiltrated. These attacks did not result in any compromised patient information, suggesting the aim was stealing intellectual property. That same year, for the first time, known state actors were charged for hacking, according to the Department of Justice. The defendants allegedly conspired to steal information from U.S. companies that would benefit their competitors in China, including some Chinese state-owned enterprises. In 2015, the Obama administration made a pact with the Chinese government to reduce the amount of hacking. This curtailed activity from China against U.S. companies, but resulted in an increase in activity from China against other countries, according to reports from cybersecurity leader FireEye.
These cases suggest that IP cyber threats are a major source of concern, not only from established competitors or agents working on behalf of foreign entities, but also from within. As recently as last year, the FBI indicted a man for stealing secrets from Covidien and Edwards Lifesciences. According to news reports, he allegedly stole more than 10 trade secrets on medical devices and cost millions in research and development while employed by the companies. His alleged approach was to download documents from a work computer and then send them to his personal email account, with the intent of establishing his own company in China.
A similar case in 2014 involved an Indian national who worked for CR Bard, and later Becton, Dickinson (BD). According to the FBI, through his work at Bard and BD, he was able to steal secret information related to the companies’ products, including Bard’s development of the first implantable port used for power injection of drugs throughout the body. He also had access to secret information related to a self-administered disposable pen injector still under development by BD, but not yet available for commercial sale.
The approach in this case was similar, in that he downloaded product information from company computers and forwarded it to his personal email accounts. He downloaded approximately 8000 files, enough information to mass produce BD’s new pen injector. His hard drives were discovered in a rental car and a hotel room where he stayed while planning to move back to India, according to the FBI.
Theft of trade secrets by employees isn’t limited to foreign nationals. In 2015, a former St. Jude vice president was charged with stealing trade secrets in Minnesota. After being put on administrative leave by St. Jude for allegedly misappropriating more than $10,000 via a corporate credit card, he allegedly downloaded more than 4600 work files onto personal devices, including St. Jude’s highly sensitive 2014-2018 strategic plan, marketing planning documents, and new medical device concepts.
These cases illustrate the fact that medical device manufacturers need to take precautions to defend themselves from all types of IP theft. Focusing on cybersecurity without taking precautions to guard against internal theft would be like locking your front door and leaving your back door wide open. In truth, cybersecurity is only the first step to protecting precious IP.
Companies also need procedures for identifying and securing sensitive data or information, especially if they have complex supply chains that could render that data vulnerable. It’s not uncommon for organizations to have documents, patents, design drawings, and other confidential data reside across multiple servers or computers that are accessed by dozens or hundreds of employees, each of which is a potential point of risk. There are a number of commercially available data protection solutions to ensure corporate IP safeguarding policies are enforced.
Personnel screening is critical as well, and should include performing background investigations on anyone hired for positions that involve proprietary information. Organizations can also add independently validated integrity tests to their hiring processes. These are personality assessments, administered electronically in the employee application process, that measure traits such as conscientiousness and emotional stability. Another way to prevent theft is to run credit checks on employees before they are hired to ensure they don’t have dire financial situations that could push them to steal.
Whatever strategy is chosen, IP security and protection should be foremost in the minds of medical device executives. Their very future could depend on it.