From the September 2021 issue of HealthCare Business News magazine
By Vidya Murthy
In many ways, life in the U.S. is slowly returning post COVID-19.
Even with delta variants, unvaccinated numbers, and perhaps rushed openings, people are yearning for a semblance of normalcy. The same is true for our healthcare workers, systems, devices, and patients. But we would be fooling ourselves if we didn’t acknowledge that some things have been irreversibly changed.
This goes beyond day-to-day life and applies to the cybersecurity of our infrastructure, in particular medical devices. Below are 5 lessons that we should all consider in the new way of operating:
Lesson 1: Connectivity requires security.
Telehealth services took center stage during COVID. Devices in healthcare delivery organizations (HDOs) became connected to deliver additional clinical functionality for patients who couldn’t see their doctors in person. Post-COVID, clinicians can now track patient adherence using a phone-based app that syncs to a device, while patients can receive care from the convenience of their homes without having to travel. Electronic health records can be rapidly shared across a care team, ensuring care is planned with all the data available. These have been incredible advancements for patients and clinicians. But this connectivity was not designed with security in mind.
Now don’t get me wrong - healthcare as an industry should focus on healthcare. Not on becoming security experts. But the reliance on technology will never go away - it has improved diagnostic capabilities, given us new treatment options, reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success or failure of a cyber criminal.
With every additional connected point, a potential new threat is introduced which must be understood, mitigated as necessary and managed over time.
Lesson 2: As attackers move up the supply chain, so must defenders.
Increasingly, there have been widespread, deeply embedded vulnerabilities emerging from the hacker community (e.g., Ripple20, BlueKeep, WannaCry). If we think of hacking as a business, the return on investment for a systemic issue that spans devices and industries, versus an idiosyncratic one in a single device in a single instance, is obvious math.
Attackers have seemingly limitless budgets, as spending is estimated to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. We see defenders' security investment around the $100B mark, with fairly steady 10% increases. Microsoft's recent analysis of the SolarWinds attack estimated that it took more than 1,000 engineers to create. Is there ANY organization that can compete with the resources attackers have?