By Scott Trevino, senior vice president of cybersecurity, TRIMEDX
Medical Device Cybersecurity: Medical device cyber risk is mounting while hospital financial pressures are rising. Although bolstering medical device cybersecurity defenses can require further investment, doing so also can lead to savings beyond the costs avoided by thwarting an attack — and in less obvious ways.
According to cybersecurity provider Check Point Research, global cyberattacks reached an all-time weekly high in the fourth quarter of 2021, with the healthcare industry sustaining an average of 830 cyberattacks per week. Healthcare cybersecurity is imperative as the costs of data breaches, reputational harm, and insurance premiums rise while patient safety remains the chief concern.
The proliferation of connected medical devices has heightened the potential risks. The global market of connected medical devices, such as cardiac event monitors and insulin pumps, is projected to reach a value of nearly $140 billion by 2028, a nearly 400% increase from its 2020 mark of about $27 billion, according to a report by Verified Market Research.
Often overlooked in the cyber-risk assessment of medical devices is its bearing on decisions to replace, dispose of, or purchase medical equipment. With medical devices accounting for about 25% of capital expenditures, it’s prudent to add this to the list of considerations.
The importance of visibility in medical device cybersecurity
Both objective medical device capital planning and cybersecurity hinge on complete and accurate inventory visibility, which helps guide decisions related to device lifecycle management.
Knowing precisely the quantity and type of assets you have, how they are being utilized, and the status of each is the first step toward objectively planning and assessing organizational risk. Factors include whether any devices have an FDA recall or alert, which devices have a known vulnerability, and, if a vulnerability is found, whether a patch or compensating controls are available.
A comprehensive clinical engineering solution that provides a technology-enabled assessment of recalls, alerts, and vulnerabilities is invaluable in understanding the entire scope of risk. And a deep understanding of risk should drive capital planning.
How cybersecurity influences capital planning
Think of any big personal purchasing decision, say buying a new car. What steps can you take to ensure you are making a smart decision? You consider the history of the car and its manufacturer to better understand how prone the vehicle is to problems, problems that in the long run add to the overall cost of ownership. You consider how long the car is expected to last. You check on its safety ratings. And you may read reviews of the manufacturer’s responses and remediations to such issues. Does the manufacturer respond quickly? Are the resolutions free, or are they provided as an additional cost? Would you buy a car if it were in a major accident? And typically, the more your monthly budget goes toward the car payment and expected maintenance costs, the bigger the purchase decision is for you.
Medical device capital planning should be similar, though certainly more complex because the stakes are much higher. Comprehensive medical device cyber-risk assessment can inform capital planning by changing the traditional mindset from replacement planning to inventory optimization that drives financial savings.
A cyber-risk assessment should include the following steps:
- Evaluate the cyber-risk history of any device before purchase.
- Assess the responsiveness of vendors. Cybersecurity performance of medical equipment manufacturers is an often-overlooked factor in capital planning. Weigh the initial cost against the ongoing expenses, based on how quickly manufacturers address cyber vulnerabilities affecting their devices.
- When determining whether to replace, relocate, or keep a device, weigh cybersecurity factors into the overall lifecycle management. Like other device lifecycle management factors such as device utilization, parts availability, and repair events, an objective cyber-risk assessment of each device is among the critical criteria to drive strategic decision-making. If a device is considered “cyber dead” without an OEM patch or alternative compensating control, an organization should prioritize its replacement.
- Consider a technology solution that scores the degree of cyber risk alongside other objective factors such as utilization and service history, so the evaluation rests on data rather than judgment alone.
Based on such lifecycle management criteria including cyber-risk, hospitals can objectively determine whether a device should be replaced, upgraded, disposed of, or reallocated. And when a new device does need to be purchased, you can use objective historical data to identify preferred vendors.
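As an added example (not TRIMEDX’s tooling or any product the article describes), the decision logic below folds the criteria from this section into one lifecycle recommendation per device and ranks vendors by their historical patch responsiveness; the field names, thresholds, and sample fleet are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

@dataclass
class Device:
    asset_id: str
    vendor: str
    known_vuln: bool            # a published vulnerability applies to this model/firmware
    oem_patch_available: bool   # the manufacturer has released a fix
    compensating_control: bool  # e.g. the device sits in a segmented network
    utilization_pct: int        # share of available hours the device is in clinical use
    repair_events_12mo: int
    parts_available: bool
    vendor_days_to_patch: Optional[int]  # vendor's typical disclosure-to-fix time; None = unknown

def is_cyber_dead(d: Device) -> bool:
    """Known vulnerability with neither an OEM patch nor a compensating control."""
    return d.known_vuln and not d.oem_patch_available and not d.compensating_control

def recommend(d: Device) -> str:
    """Combine cyber risk with utilization and service history into one lifecycle action."""
    if is_cyber_dead(d):
        return "replace"                       # no fix path: prioritise replacement
    if d.known_vuln and d.oem_patch_available:
        return "upgrade"                       # a patch, not a new purchase, removes the exposure
    if not d.parts_available and d.repair_events_12mo >= 3:
        return "replace"                       # unsupportable on service grounds alone
    if d.utilization_pct < 20:
        return "reallocate"                    # secure but idle: move it rather than buy another
    return "keep"

def vendor_responsiveness(fleet: List[Device]) -> Dict[str, float]:
    """Median days-to-patch per vendor: the historical data used to rank preferred vendors."""
    by_vendor: Dict[str, List[int]] = {}
    for d in fleet:
        if d.vendor_days_to_patch is not None:
            by_vendor.setdefault(d.vendor, []).append(d.vendor_days_to_patch)
    return {v: median(days) for v, days in by_vendor.items()}

# Constructed sample inventory; asset ids, vendors and values are made up for illustration.
FLEET = [
    Device("A1", "VendorX", True, False, False, 75, 1, True, 400),
    Device("A2", "VendorY", True, True, False, 60, 0, True, 45),
    Device("A3", "VendorY", False, False, False, 10, 0, True, 45),
    Device("A4", "VendorX", False, False, False, 80, 4, False, 400),
    Device("A5", "VendorY", False, False, True, 55, 1, True, 30),
]
```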
Without such a comprehensive assessment, unnecessary or potentially unwise capital expenditure can occur. Many medical devices, for instance, are either kept on the basis of standard useful-life calculations or replaced before they have reached the end of their useful life, based on decisions made from single data points such as depreciation or downtime. Where cybersecurity risks are a factor, some devices may need only patches or other software upgrades to reduce their risk exposure.
Extending the useful life of devices defers capital expenditures and maximizes capital investments. Conversely, keeping a device and only considering the manufacturer’s useful life may overlook a critical cyber vulnerability that could put your organization at unnecessary risk. Therefore, employing strategic replacement and capital planning policies that properly weigh cyber-risk is prudent.
Cybersecurity: The new pillar of capital planning
The state of healthcare cybersecurity is drawing heightened attention from hospital IT departments to the C-suite to Capitol Hill. Health systems, a frequent target of attacks, are understandably fearful as the pace of attacks eclipses their budgets to defend against them. But comprehensive clinical engineering management coupled with robust cybersecurity assessment can recalibrate the equation.
Health systems can save money and ensure their assets are secure by optimizing medical device inventory and strategically planning capital expenditures with cyber risk in mind.
Editor’s Note: Scott Trevino is senior vice president of cybersecurity at TRIMEDX, and in this capacity, he leads efforts to define the strategy to deliver value, growth, and evolution of TRIMEDX’s cybersecurity solutions. He is responsible for identifying trends in cybersecurity technology, as well as recognizing and anticipating the evolution of clients, market, and industry needs to translate them into market-leading solutions that meet the needs of and bring value to clients.