Healthcare data is the number one target for cybercriminals and is 10 times more valuable than credit card data alone.
During the “Are your Medical Devices Cybersecure?” webinar on 14 July, moderator Andrew Pearce, Senior Digital Health Strategist of Analytics at HIMSS spoke with two subject matter experts on cybersecurity trends in healthcare, as they shared their recommendations on identifying and addressing gaps.
Contextualising the imminent threat of cybersecurity in healthcare, Richard Staynings, Chief Security Strategist of Cylera said, “These changes (in healthcare) have led to the emergence of a gap between advances in digital maturity and advances in security maturity, as digital transformation outpaces the industry’s ability to secure new technology.”
Staynings pointed out that most healthcare providers might have “at best a poor inventory of IoT assets”, with few understanding the associated risks. He said that this creates “massive gaps in security risk management just waiting to be exploited”.
Adding that providers cannot risk-assess what they do not know about, he shared that the industry needs better tools and processes to identify and assess growing IoT “connected” assets.
Jonathan Bagnall, Cybersecurity Global Market Leader of Philips shared a detailed look at how Philips integrates cybersecurity into product development and lifecycle management.
He shared the example of Patient Information Center iX (PIC iX), a Philips patient monitoring product. Philips reviews and validates security patches every 30 days, then provides the patches to customers to deploy the patches using automated tools. In addition to other security features with PIC iX, he also mentioned Focal Point, which provides visibility into cybersecurity and performance of Philips’ products.
“It really is a fundamental approach to be able to protect your environment… The expansion of technology within healthcare is so fast, it’s difficult for providers to understand what they have in technology and how to protect it,” said Bagnall.
“Security services are going to expand within healthcare to help them be able to shift their resources toward focusing on cybersecurity, and focus more primarily on patient care. It is a huge spectrum,” he added, sharing that Philips incorporates security into its device building process.
Staynings expressed concern with how the lack of disclosure provided to patients with regard to data breaches could lead to uncertainty for patients regarding where their information now exists.
“We’re not giving that level of breach disclosure information to patients who rightfully deserve to have that, since that’s their information.”
“Health systems are being brought down, and they’re being brought to the point that they’re incapable of providing services to their patients,” said Bagnall, agreeing with Staynings on needing better capabilities to respond and recover, rather than putting a “Band-aid” over broken processes.
Sharing more about the complexities in healthcare for providers, Bagnall said “some providers are very small, and don’t have the resources to initiate that long-term investment… Their focus is patient care and the resources they’ve shifted now from patient care, to security and the upkeep of devices and solutions. The balance for providers is very challenging.”
“We need to do a better job of security education training and awareness of staff. We have a large number of staff in hospitals, some of whom are the smartest people on the planet… and they plainly believe that cybersecurity doesn’t apply to them in some circumstances,” said Saynings, emphasising the room for growth.
Staynings and Bagnall both shared some key recommendations for healthcare providers to consider when creating or updating their cybersecurity policies. To get all the insights from this webinar, click here.