Trust

Securing the internet of things and cybersecurity

Internet-connected medical devices and health system networks and systems are increasingly at-risk for cyberattacks and in some cases, ransomware and malware, such as the WannaCry malware attack in 2017 that affected 300,000 computers in 150 countries.

Implications

Understand the risks to organisations—the fallout from a breach could have a broad impact. The increasing use of connected devices in electronic health record systems means companies’ value-based payments also could be at risk if there’s concern about the collected data’s integrity. Organisations should measure the impact from threats and risks and allocate resources to the most critical needs. Risk measurement should include multiple factors, such as patient safety, financials, regulatory fines, brand and reputation, and operations.

Prepare for the inevitable. Forty percent of global CEOs now consider cyber threats to be a serious concern in 2018, compared with 24 percent in 2017. Executives recognize that improving cybersecurity should be a priority for all healthcare organisations, whether or not they have experienced an incident. Many healthcare payer and provider organisations worldwide have an information security strategy—but 34 percent of those surveyed say they don’t.

Providers should strategically consider how they manage internet-connected devices—and manage risks with a multilayered approach. Cybersecurity risks can be managed using a layered approach, including limiting who has access to devices and limiting what the devices can do. While 96 percent of provider executives think their practices are secure against cybersecurity threats, only 36 percent of providers and payers have access management policies in place, and 34 percent have a cybersecurity audit process in place. Many companies lack in-house cybersecurity expertise and will have to find it elsewhere. Companies should use language in vendor contracts to establish what device manufacturers are responsible for, including security updates and security support. The US-based Mayo Clinic, for example, requires its vendors to adhere to security standards before Mayo will purchase their products.

Call to action for policymakers and regulators

Make cybersecurity an expectation. Set an expectation in agencies and industries for securing data. After a cybersecurity attack, Mexico’s Central Bank issued a cybersecurity directorate to establish policies, guidelines and institutional strategies to protect data, setting a precedent for other industries.