CyberVitals: 🎵Under Pressure🎵


Contributor: Vidya Murthy, WEMBA’42

Hospitals have been in the headlines for nearly a decade for information security issues. While the baseline of information security knowledge has been steadily rising for all stakeholders, the price tag has followed suit, now averaging nearly $11M per breach.

Government expectations have been changing and forcing healthcare to update de facto processes. This means business models must be updated to account for new risks, and teams staffed to meet growing demand.

While each of these facets in isolation requires dedicated effort, healthcare is affected in a couple of unique ways that should be highlighted:

Ability to continue delivering care

The very purpose of this industry is to support patient care. However, cyberattacks are now affecting the ability to even keep the doors open. And while multiple closures have anecdotally been attributed to security incidents, the first hospital closing to be legally attributed to a cause has been tied to cybersecurity. It is no longer an academic case study in scenario planning; it has a direct impact on the quality of care provided to patients.

Consumer awareness

The global COVID-19 pandemic accelerated the adoption of telehealth and of devices being sent directly to patients. This exponentially expanded the landscape open to attack, which in turn raised consumers' awareness of their reliance on connectivity to receive care. Labeling initiatives have emerged as privacy concerns have increasingly taken hold in the U.S., following what has long been advocated for in the European Union.

While everyone intellectually knows that security is difficult to achieve even with unlimited resources and the power of government, seeing HHS, the watchdog itself, get breached has heightened consumer awareness of just how hard achieving baseline security requirements really is.

What's changed:

You may read this column every quarter and think this is more of the same: the sun still rises and the ability to do business has not been hindered. That is no longer true.

For medical device manufacturers that sell in the U.S., starting October 1 the previously voluntary electronic Submission Template and Resource (eSTAR) program becomes mandatory. This means submissions that do not demonstrate sufficient consideration of security will not be accepted into the review process. Delays to review mean delays to market, which means lost revenue opportunities.

For publicly traded healthcare companies, the Securities and Exchange Commission (SEC) has adopted a requirement for four-day disclosure and personal accountability at the board level, which means this is no longer a $0 cost initiative. It now includes oversight, commitment, and culpability.

Security has a horrible reputation for being hyperbolic and shouting that the sky is falling. But being data-driven, when there is little infrastructure to support gathering insights, is equally difficult.

Knowing that data is the next wave of innovation is no surprise - we are all working towards that goal in our own ways. But there can be no progress if one cannot depend on the integrity of data from the outset. As leaders in the healthcare industry, future-gazing is our superpower, and we must use that power for good.
Contact Vidya at: [email protected]