Not a day goes by without hearing about a cyber incident in healthcare. Data breaches are projected to cost the industry $4 billion by year end. At the same time, these cyber-attacks are getting more sophisticated. According to a recent xtelligent media article, attacks using the encryption-based malware – often leading to ransomware - have already doubled relative to 2018. The resulting downtime from the ransomware attacks has reached an average of 9.3 days. At the same time providers are developing new use cases involving Internet of Medical Things (IoMT) to improve quality and cost of care, resulting in rapid increases in the number of connected medical devices. This increasing use of connected devices, with their associated cybersecurity vulnerabilities, is increasing the potential for cyber incidents. This creates a fundamental challenge - how do you balance the benefits of IoMT against the increased threat? ![endif]--
Insights from healthcare risk managers
Much of the cybersecurity discussion involves information technology and information security personnel. They play key roles in addressing technical aspects of cybersecurity. A group, however, that must consider all facets and all kinds of potential incidents is risk management. They go beyond technology to also coordinate the people, process and policy aspects. In a recent risk management conference, we polled the healthcare risk managers around four key themes: (1) culture of cybersecurity (2) new technology adoption, (3) technology management readiness and (4) medical device cybersecurity.
Nearly 60% of the respondents experienced at least one cyber-incident in past 12 months, demonstrating the need for organizations to take actions to mitigate risks and respond to breaches. Attackers are the only beneficiaries of organizational indecision.
While 69% of the respondents had received cybersecurity related training in the past 6 months, more than 70% of them felt neutral at best in their comfort level of leading cybersecurity related discussions. There is a need for more effective training and awareness programs.
Healthcare providers are moving forward with Internet of Medical Things (IoMT) applications to realize benefits in quality and cost. More than 70% of respondents can point to at least one IoMT application in their organization.
Development of risk management practices for IoMT significantly lags the rate of IoMT applications adoption, despite the inherent cybersecurity risks. Less than 15% of the respondents confirmed that IoMT risk management practices are in-place and none believe they are mature.
The overwhelming majority of risk managers indicated that IT should lead medical device cybersecurity risk management. While IT is essential to effective cybersecurity implementation, the risks and benefits of IoMT are at the business level in terms of cost, business continuity, and patient care and safety. IoMT cybersecurity should be part of overall risk management.
The results reinforce that more needs to be done to protect against cyber threats in an increasingly IoMT-connected world, but where to start?
The need for a new approach to IoMT cybersecurity
To effectively manage cybersecurity risk in the complex and dynamic IoMT environment, traditional approaches need to evolve in three key areas:
Managing cybersecurity risk as a fundamental business risk.
Implementing a risk-based approach to prevent attacks.
Developing the strong cross-functional governance essential for a strong cybersecurity culture.
IoMT cybersecurity risk is fundamentally a business risk. While information security is still important, connecting devices throughout a hospital creates the potential for operational and patient safety risks. Equipment malfunction or shutdown from a cyber-attack can impact business continuity and patient care, or worse. As mentioned previously, these same connected devices also bring benefits in efficiency and patient care. These tradeoffs cannot be made in isolation. To be successful, the organization must consider IoMT applications and cybersecurity holistically and determine the best approach for the organization.
Organizations should implement a risk-based approach to identify and target the most important risks. As highlighted in a recent McKinsey paper, maintaining a comprehensive view of the cybersecurity vulnerabilities enables cost-effective decisions on where to prioritize limited cybersecurity resources. Effective risk reduction does not necessarily require significant investment in technology. The overwhelming majority of all cyber incidents result from known vulnerabilities that were not addressed, including over 60% that result from human factors which can be mitigated by implementing effective cybersecurity training and awareness. Developing a comprehensive security posture, including these human-centric factors, ensures cost-effective decisions on how to protect critical assets.
MediTechSafe solution for IoMT cybersecurity
We at MediTechSafe feel that medical device cybersecurity requires a holistic approach involving technology, people, process and policies. Because of many involved patient safety implications, the clinical, operational, and legal background of risk managers serve them better