How competition in cybersecurity can positively impact your bottom line
January 24, 2020
By Mike Kijewski
This fall I had the fortune of attending a cybersecurity strategy meeting at the headquarters of a major medical device vendor. One of the speakers mentioned that "medical device vendors should not be competing with one another on security." This sentiment has been voiced many times before, by both medical device manufacturers and hospitals. As we will discuss, there is a sound rationale behind this argument, but we also need to be aware of the negative effects and competitive disadvantages that result from a lack of security.
The argument against competition in cybersecurity is, of course, valid and reflects general industry sentiment: manufacturers, hospitals, security researchers, and regulators routinely collaborate at conferences and share best practices with one another. Information Sharing and Analysis Organizations (ISAOs) have been formed to facilitate vulnerability and threat analysis and sharing in a trusted environment. The underlying assumption is simple: if one device gets compromised, potentially leading to patient harm, then everybody loses out, not only the hospital and the manufacturer but also their industry peers and competitors.
An analogy I often hear is that of the airline industry, where a single accident impacts every airplane manufacturer and airline. Open cooperation around safety benefits everybody. Similarly, it is in everyone's best interest for every piece of healthcare technology to be as secure as possible. But saying that cybersecurity is not an important aspect of healthcare's competitive landscape may ultimately undermine the patient safety we are all working to ensure.
Healthcare technology companies best serve patients when they are developing innovative new technology. This is difficult to do when your company is in the middle of an involuntary recall caused by a product cybersecurity vulnerability. The amount of resources that responding to a newly disclosed vulnerability can consume is staggering. A company that doesn't prioritize a proactive approach to cybersecurity during the product development phase will face longer sales cycles with healthcare delivery organizations (HDOs), lost sales, potential product recalls, delays in market approval, and possibly even damage to its brand reputation.
This leads to an interesting dichotomy: cybersecurity as a business and design objective should not be a competitive differentiator (as discussed above), yet poor cybersecurity practices, the regulatory consequences that follow from them, or an actual security event can very well lead to significant business impact and competitive disadvantage.
HDOs spend millions of dollars implementing security controls on their hospital networks in order to safeguard patient data and ensure clinical uptime. When the inevitable cybersecurity incident takes place, patient treatment is frequently impacted. In July of 2018, Cass Regional Medical Center was forced to divert trauma and stroke patients to competing hospitals after its network was brought down by a ransomware attack. While patient welfare is any healthcare professional's first priority, diverting patients also means lost revenue. Even cybersecurity measures put in place to prevent or respond to security incidents have themselves been shown to adversely affect patient outcomes.
Hospitals need cybersecurity to be addressed proactively and effectively, and this is best accomplished when the manufacturer designs security into its devices from the start. While cybersecurity should not be a competitive differentiator, it will influence buying decisions and reputation, and therefore deserves favorable consideration in a manufacturer's budget. The strategic prioritization of cybersecurity within the manufacturer's organization is ultimately a C-level responsibility and must become a strategic business objective in order to protect top-line revenue and bottom-line profitability.
The healthcare industry needs to take a comprehensive approach to cybersecurity, not because of the HIPAA fines it will otherwise face, or because the FDA will recall a device, but because it's the only way to remain relevant and competitive in today's hyper-connected technology market. It's in everyone's best interest for cybersecurity to enable safe, reliable care delivery. But it's particularly important for stakeholders in medical device companies, healthcare software companies, and HDOs to understand how addressing cybersecurity proactively can benefit their firms.
About the author: Mike Kijewski is the CEO of MedCrypt, a San Diego-based medical device cybersecurity software provider that ensures medical devices are proactively secure by design and in compliance with the FDA's cybersecurity guidelines.