CyberVitals: 5 Security Lessons for Connected Healthcare

Contributor: Vidya Murthy, WEMBA’42 

Ransomware is top of mind across healthcare these days, as institutions are attacked and forced into unsavory negotiations. While healthcare delivery organizations often suffer financial, reputational, and patient impacts, we would be remiss not to think about how we got here. In most settings, the push for connectivity comes from the devices and systems themselves, which need a network connection to deliver their function. Below are 5 lessons we should all consider when choosing to connect a device or system in a healthcare setting:

Lesson 1: Connectivity requires security. 

Telehealth services took center stage during COVID. Devices in healthcare delivery organizations (HDOs) became connected to deliver additional clinical functionality for patients who couldn’t see their doctors in person. Electronic health records can be rapidly shared across a care team, ensuring care is planned with all the data available. These have been incredible advancements for patients and clinicians. But this connectivity was not designed with security in mind. 

Now don’t get me wrong - healthcare should focus on healthcare, not on becoming security experts. But the reliance on technology will never go away - it has improved diagnostic capabilities, given us new treatment options, and reduced effort and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, because how the user experiences security can be the difference between a cybercriminal succeeding and failing.

Lesson 2: As attackers move up the supply chain, so must defenders. 

Increasingly, we have seen widespread, deeply embedded vulnerabilities surface and be exploited by the hacker community (e.g. Ripple20, BlueKeep, WannaCry). If we think of hacking as a business, the return on investment for a systemic issue that spans devices and industries versus an idiosyncratic hack of a single device in a single instance is obvious math.

Attackers have seemingly limitless budgets, with spending estimated to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. Defenders' security investment, by contrast, is around $100B, with fairly steady increases of about 10%. Microsoft's recent analysis of the SolarWinds attack estimated that it took more than 1,000 engineers to create. Is there ANY organization that can compete with the resources attackers have?

Lesson 3: Plan. Practice. Persist.   

Prior to connecting anything to a network, we have to understand the impact of that decision. Understanding the potential threats based on the attack surface, whether as a device manufacturer, healthcare delivery organization, or vendor of security services, is what enables building a plan of action to mitigate those threats.

Once a plan has been developed, it is equally important that it be understood, ingrained in day-to-day operations, and regularly reviewed. As attackers change, so must the defense. And we must be honest with ourselves - things aren’t going to be perfect. Where there are setbacks and misses, take the opportunity to build, enhance, and re-educate. 

Lesson 4: Design with security in mind. 

The danger I see is that healthcare constantly blames the user/patient. Whether it’s patient adherence, login/password management, or phishing failures, this isn’t an industry that has historically optimized for easing the user experience. It goes to my earlier point - we optimize for patient outcomes. 

Therefore, we must design devices to be secure, starting at the inception of the device. The best systems are those that do not rely on the user to detect a problem and, more importantly in patient care, do not make the efficacy of the device depend on the user either. We must be intentional and prioritize designing security into devices if we are ever to change the landscape of cyberthreats in healthcare.

Lesson 5: Don’t go at it alone. 

Medical device security is a unique environment - with complex networks, various entities involved, and complicated asset management requirements. 

Relying on a third party can address core cybersecurity requirements, but some may argue there are too many tools that insufficiently “solve” a problem. I agree - more tools don’t equal better security. Similar to the hospital setting, alarm fatigue from too many tools can result in missing an important alert. However, that doesn’t mean everything should be built in-house and no experts should be used.

Once upon a time there was one mainframe, green screen, and a printer; there are now innumerable client access methods, networking, remote connectivity, security, storage, server infrastructures, virtualization, and so forth. As the range of technical needs has grown exponentially, it is increasingly difficult to secure it all. 

Leveraging an expert in security built for healthcare can help meet the mounting need for devices that are secure by design.

Conclusion

We’ve seen progress to date, but we are not moving with sufficient urgency.  

Cybersecurity costs are managed most efficiently when integrated into core business decisions. In an efficient economy, access to cybersecurity expertise is the way to ensure efficient and effective solutions that persist for the lifetime of a device.

On net: there are truly impactful ways to create more good with less; but to get there, we have to do things differently than we have in the past.


Contact Vidya at: [email protected]