Healthcare is currently the industry most susceptible to hacking. According to Gemalto’s Data Breach Index, healthcare came first in having the most data records (~ 386 million) stolen in 2016. According to a recent British Medical Journal article, 81% of 223 organizations surveyed, and >110 million patients in the US had their data compromised in 2015 alone; only half of these healthcare providers think that they are capable of defending themselves from cyber attacks, and there has been a 300% increase in attacks in the past three years.
What's unique about Healthcare cybersecurity?
1. #1 Health Technology Hazard:
The ECRI Institute releases top 10 health technology hazards every year to inform healthcare facilities about important safety issues involving the use of medical devices and systems. They consider variables (defined by the ECRI team) such as:
Severity: What is the likelihood that the hazard could cause serious injury or death?
Frequency: How likely is the hazard? Does it occur often?
Breadth: If the hazard occurs, are the consequences likely to spread to affect a great number of people, either within one facility or across many facilities?
Insidiousness: Is the problem difficult to recognize? Could the problem lead to a cascade of downstream errors before it is identified or corrected?
Profile: Is the hazard likely to receive significant publicity? Has it been reported in the media, and is an affected hospital likely to receive negative attention? Has the hazard become a focus of regulatory bodies or accrediting agencies?
Preventability: Can actions be taken now to prevent the problem or at least minimize the risks? Would raising awareness of the hazard help reduce future occurrences?
According to the institute's report for 2018, the #1 tech hazard is the cybersecurity threat impacting patient safety. Interestingly enough, the #4 (Missed Alarms May Result from Inappropriately Configured Secondary Notification Devices and Systems) and #9 (Flaws in Medical Device Networking Can Lead to Delayed or Inappropriate Care) hazards also can be exploited via cyber-attacks or inadequate management of Internet of Medical Things (IoMT) i.e. underdeveloped clinical network management practices.
2. High Financial Stakes:
Risk is uncertainty associated with an event that can be quantified on the basis of empirical observations or causal knowledge. Quantifying the risk in financial terms allows healthcare business leaders to make appropriate decisions.
The annual cybersecurity risk per bed is about 44% higher than the operating profit per bed. So, if an adverse cyber event were to happen in a hospital, the costs would far exceed what could be covered through the operating income in that year. The health systems must have either strong balance sheets or scale (i.e. multiple facilities) to bring natural hedge like an insurance company to manage such risks. Hospitals will have to invest in various risk management practices including insurances to bring balance.
The cybersecurity risk in healthcare is higher than many other industries (e.g. financial, retail, etc.) because of the patient safety concerns.
3. Underdeveloped Risk Management Practices:
According to Alexander Cole and Quoc-Dien Trinh, both physicians in the Division of Urological Surgery at Brigham and Women’s Hospital and Harvard Medical School, most IT decision makers in hospitals incorrectly think that the same cybersecurity practices used to safeguard IT devices also work for medical devices. Furthermore, there are 2-3x more medical devices than IT assets in a hospital adding to the challenge. Consequently, hospitals will have to develop new risk management practices that work for both IT and clinical assets.
In summary, while cybersecurity is the #1 health tech hazard with very high financial stakes, the health systems have not fully developed their risk management muscles yet.
MediTechSafe has developed a proprietary solution to help hospitals manage their cybersecurity, medical devices and clinical networks related risks. As a healthcare provider (or a biomed services provider or a cybersecurity insurance provider), if you are interested in learning more about MediTechSafe’s solution, you could reach us at info@MediTechSafe.com.