Healthcare is moving away from hospitals into a variety of distributed settings. According to McKinsey, the areas expected to see the most growth include telemedicine, retail clinics, ambulatory surgery centers, urgent care and dental clinics. Retail clinics in particular are gaining considerable momentum. The use of retail clinics grew at a rate of 28% per year between 2013 and 2017. Walmart and CVS both are experimenting with retail models through which consumers can get access to broader healthcare services including primary care, dental care, eye care, lab work, and some basic imaging. Retailers such as Publix have set up telemedicine kiosks in some of their locations to connect consumers with clinicians in an effective and cost-efficient manner. This trend toward more distributed healthcare, however, also brings increased cybersecurity risk.
Even during the COVID-19 pandemic, cybersecurity risks have shown no signs of abating; if anything, attacks have only increased. Czech hospitals, heavily engaged in caring for COVID patients, faced disruptive ransomware attacks. Hammersmith Medicines Research’s COVID vaccine testing labs were also breached. Large public sector organizations with ample security resources such as the US Department of Health and Human Services and World Health Organization have been attacked recently. Hence, cybersecurity is a risk area that organizations must address without delay.
Smaller distributed care settings present unique challenges in ensuring robust cybersecurity:
First, as described in a recent DentistryIQ article, they are increasingly incorporating advanced technologies and the use of Internet of Things (IoT) devices in their practices. Many of the connected medical and IoT devices (e.g. security cameras, facility controls, etc.) are vulnerable to cyber-attacks. In various MediTechSafe engagements, between 15% and 20% of connected medical devices in physicians’ offices and labs have found to have known security vulnerabilities.
Second, they rely heavily on technology to address cybersecurity risk. That is a route often suggested by their IT service providers. In reality, however, more than 83% of cyber breaches in such distributed facilities are human-enabled according to last three years of claims by Chubb policy holders. These cyber beaches arise mostly from people, process and policy related factors. Further, more than half of cyber breaches are insider-led, requiring a “trust but verify” mindset with a heightened degree of governance by the leaders themselves.
Third, they often have insufficient resources and expertise to manage all aspects impacting cybersecurity.
Even larger organizations with multiple distributed facilities face similar challenges at the local level where each facility is a P&L and acts as a small business. Walgreens, for example, has experienced at least one breach every year since 2012.
The cost of cyber incidents can be significant for these entities. The average annual revenue of a physician’s office is about $2 million and dental clinic is $0.75 million. The cost of a cyber incident can exceed an entire year’s worth of revenue, mainly driven by fines and penalties. According to Chubb and NetDiligence, the estimated cost of a cyber incident in a physician’s office is close to $2.1 million. Similarly, the estimated cost of an incident in a dental clinic is about $1 million. There could be additional patient safety related risk if medical devices are breached and malfunction.
Clearly, managing cybersecurity related risk ought to be one of the key priorities in these distributed settings of care. The organizations must take a holistic approach to cybersecurity with special focus on a culture of security in addition to technology. A culture of security is established by paying close attention to people, processes, policies and governance.
MediTechSafe has developed a simple, operationally focused, cost-effective, and easy-to-use platform that these organizations can use to manage their cybersecurity related risks. Using the platform, they can uncover all cyber related risks and determine the most effective solution, providing holistic risk management with an ROI mindset. To learn more about MediTechSafe’s solution, please reach us at email@example.com.