Most of the dialogue on cyber risk focuses on the adversaries and the threats they pose, often highlighting their sophistication, resources, and connections to nation states and organised crime. These are serious threats to society and its citizens, leading to increasing regulatory pressure on organisations to enhance their security posture. While this is an important dimension of the problem, it’s only one side of the coin.
It’s all getting more connected and nobody is in charge
Businesses are embarking on a big shift to survive and thrive in a world being changed at an exponential pace by the accelerated development of digital technologies. They know that if they do not adapt to this new reality they run the risk that someday their business, or even their entire industry, is disrupted by tech-enabled new competitors, as has happened to other industries. This shift means embracing uncertainties, empowering people with user-centric information technology, going into the cloud, being hyper-connected and getting the most value out of data. All of which creates exponential cyber risks.
In medical technology security, you are dealing with a complicated ecosystem with medical device manufacturers, hospitals and other health care organisations, pharmaceutical companies and US tech firms like Google and Apple entering the arena from the consumer’s angle. And it is all getting more and more connected and nobody is in charge.
Health care organisations are increasingly demanding security measures in their RFPs and are actively lobbying for more regulatory pressure on medtech businesses to keep medical devices and diagnostic instruments safe and secure, leading to longer go-to-market cycles. What is the best strategy to deal with this problem? The first response is usually to just cover your back.
Covering your back strategy
You carefully limit your responsibilities contractually, make sure you understand the latest legal and industry requirements around the security and safety of medical technology, and make your products comply. That will keep you safe, but it is not enough to ensure the safety of the patient, because the vulnerabilities an attacker can exploit lie in the connection of the device with other technologies.
So who takes responsibility for the security of the whole? Hospitals and health care organisations? We have researched the security posture of hospitals and it seems they are ill-equipped and not ready to roll out advanced security operations. And there is also the connection of medtech devices with consumer technology. Who will take care of the associated cyber risks?
Apple has taken a proactive approach towards security and privacy and sees it as the strategic enabler that differentiates it from Google. With all this sensitive information on your phone, who will you trust more with your quantified self: the company that sells your data for a living, or Apple? In health care, too, Apple uses privacy as a unique selling proposition for its iPads and iPhones to empower medical professionals.
Cyber security as a strategic imperative
Losing sensitive personal information is bad and should be avoided, but in your business the safety of medical devices and the integrity of diagnostic equipment is a matter of life and death. I would urge you to take a step forward and take care of the safety of the patient, which means viewing the security of the ecosystem as a strategic imperative and providing advanced security operations as a service to the industry. You then turn a risk into a unique selling proposition.
The medtech industry has all the competencies in-house to develop and provide security services to health care providers. And providers need help. Go beyond compliance and make cyber security an integral part of your strategy. Done right, this will unlock the door to the digital promised land, unleashing the full potential of digital technologies for health care while ensuring the safety and security of the patient.
Please watch Roel’s presentation given at the European MedTech CEO Roundtable 2015: