Hacks are like a “non-natural” disaster
Hospitals and life sciences companies should prepare for cybersecurity incidents to happen more often and invest in the planning, defensive measures and personnel required. They can do so by preparing as they would for a natural disaster. They should create and test cybersecurity breach and remediation plans. Facilities should be prepared to respond if their devices go down, or even if they suspect that their network has been breached. And they should create business continuity plans that are accessible offline.
Understand the risks to your organization
Security failure can mean devices rendered inoperable, critical patient records being stolen or unavailable, and even facilities being shut down as a precaution. The financial and reputational cost of a breach affecting patient health can far exceed the lost revenue from business disruption. Twenty-six percent of consumers whose medical information was stolen in a hacking incident say they’ve decided to change doctors, hospitals, insurers or medical organizations as a result. Thirty-eight percent say they would be wary of using a hospital associated with a hacked medical device. The increasing use of connected devices in EHR systems means companies’ value-based payments could also be at risk if there is concern about the integrity of the collected data.
Providers should strategically consider how they manage internet-connected devices
Cybersecurity risks can be managed using a layered approach, including limiting who has access to devices and limiting what the devices can do. While 95 percent of provider executives think their practice is secure against cybersecurity threats, just 36 percent of providers and payers have access management policies in place, and 34 percent have a cybersecurity audit process in place. Many companies also lack in-house cybersecurity expertise and will need to find it externally. Companies can also use language in vendor contracts to establish what device manufacturers are responsible for, including security updates and security support. The Mayo Clinic, for example, requires its vendors to adhere to security standards before Mayo will purchase their products.