By Mike Kijewski
This fall I had the fortune of attending a cybersecurity strategy meeting taking place at the headquarters of a major medical device vendor.
One of the speakers mentioned that "medical device vendors should not be competing with one another on security." This sentiment has been shared many times before, by both medical device manufacturers and hospitals. As we will discuss, there is a rationale for this argument, but we also need to be aware of the potential negative effects and competitive disadvantages that result from a lack of security.
The argument against competition in cybersecurity is, of course, valid and does reflect the general industry sentiment: manufacturers, hospitals, security researchers, and regulators are always collaborating at conferences and sharing best practices with one another. Information Sharing and Analysis Organizations (ISAOs) have been formed to facilitate vulnerability and threat analysis and sharing in a trusted environment. The assumption is simple: if one device gets compromised, potentially leading to patient harm, then everybody loses out, including the hospital and manufacturer, but also their industry peers and competitors.
An analogy I often hear is that of the airline industry, where a single accident impacts every airplane manufacturer and airline. Open cooperation around safety benefits everybody. Similarly, it is in everyone's best interest for every piece of healthcare technology to be as secure as possible. But saying that cybersecurity is not an important aspect of healthcare's competitive landscape may ultimately undermine the patient safety we are all working to ensure.
Healthcare technology companies best serve patients when they are developing innovative new technology. This is difficult to do when your company is in the middle of an involuntary recall caused by a product cybersecurity vulnerability. The number of resources that a new cybersecurity vulnerability may consume can be staggering. A company that doesn't prioritize a proactive approach to cybersecurity during the product development phase will face longer sales cycles with healthcare delivery organizations (HDOs), lost sales, potential product recalls, delays in market approval, and possibly even brand reputation loss.
This leads to an interesting dichotomy where cybersecurity as a business and design objective should not be a competitive differentiator (as discussed above), yet poor cybersecurity practices and resulting regulatory implications, or even security events, can very well lead to significant business impact and competitive disadvantage.