Between the medical device vulnerabilities and cybersecurity challenges discussed in news this week, it’s clear hospitals and health systems across healthcare have their work cut out to shore up their defenses and stay in business.
On one front, the Diligent Institute and Bitsight looked at the cybersecurity ratings of thousands of midsize-to-large companies trading globally and found the healthcare organizations included in the study had the highest cybersecurity ratings.
For low-resourced and nonprofit hospitals that are a critical part of the healthcare system, MedSec is offering a new cybersecurity support program the vendor says can help strained hospitals meet voluntary federal cybersecurity performance goals. Meanwhile, a federal threat-intelligence partnership aimed at protecting medical device security has been renewed.
MedSec offers a cybersecurity roadmap
On Monday, the medical device cybersecurity firm announced a new Hospital Roadmap to Resilience Program that could help hospitals improve their cybersecurity postures and better protect their patients.
“One aspect of patient safety involves taking actions to protect against cybersecurity threats,” Debra Bruemmer, senior director of clinical security at MedSec, said in a statement.
MedSec said the new program can help struggling hospitals make informed risk decisions, understand their assets and recovery needs, and manage basic network risks.
“Many hospitals lack a meaningful cybersecurity program to protect patients from malicious cybersecurity events,” she said, pointing to the lack of resources and funding many hospitals experience.
The resilience program provides an actionable set of foundational policies, processes and procedures aligned to meet industry best practices, the company said.
Tying cybersecurity ratings to profitability
A recent report from Diligent and Bitsight said companies with stronger cybersecurity performance deliver four times higher financial performance.
In their analysis of more than 4,000 mid-size to large companies trading on public indexes across Australia, Canada, France, Germany, Japan, the U.K. and the U.S., the average total shareholder return for companies with advanced cybersecurity performance ratings over a five-year period was 71%, and 67% over a three-year period. Companies with basic performance ratings delivered 37% TSR over five years, and 14% over three years.
“These findings show that cybersecurity is not just an IT problem – it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board needs to be up to speed on,” Dottie Schindlinger, executive director of the Diligent Institute, said in a statement.
“With increased pressure from regulators for organizations to demonstrate how they oversee cybersecurity, now is the time for boards and leaders to build their competency around cyber risk,” she added.
Interestingly, the mid-to-large publicly traded healthcare sector had the highest average security ratings, according to the report.
“The research shows that market-leading companies that prioritize cyber risk management outperform their peers,” Derek Vadala, chief risk officer at Bitsight, noted. “This cannot be achieved without a strong understanding of cybersecurity performance and clear benchmarks shared across the executive team and board.”
CloudWave, FDA on medical device threat intelligence
The U.S. Food and Drug Administration’s Center for Devices and Radiological Health and CloudWave’s Information Sharing and Analysis Organization have “a shared interest in encouraging the identification, mitigation and prevention of cybersecurity threats to medical devices,” according to an updated memorandum of understanding.
By enabling the rapid sharing of medical device vulnerabilities, threats and mitigations within the healthcare industry, the partners aim to reduce cybersecurity risks to public health.
The medical device cybersecurity partnership between CloudWave’s Sensato Cybersecurity team and the FDA began in 2016.
The new memorandum continues FDA and CloudWave ISAO’s efforts to improve the healthcare sector’s awareness of cyber risk-management resources produced by the Health Sector Coordinating Council.
The partnership encourages hospitals, health systems and other providers to successfully adapt and operationalize these resources and develop strategies to assess and mitigate their cybersecurity vulnerabilities and other threats that affect their products and medical devices.
With the partnership extended, CloudWave ISAO’s base cybersecurity medical device policy and vendor assessment framework will be freely available under an open-source license to the healthcare and public health sector, the FDA said in the memorandum.
“More than ever before, medical devices are being targeted, and we are focused on developing innovative strategies to assess and mitigate cybersecurity threats,” John Gomez, chief engineering and security officer for CloudWave, said in a statement Tuesday.
“By proactively sharing information regarding cybersecurity vulnerabilities within the healthcare and public health sector, we can gain the timely situational awareness needed to reduce the attack surface and take appropriate measures to help protect patient safety,” he added.
In addition to supporting threat mitigation intelligence and awareness, the agency has been working to shore up medical device requirements.
Last month, the FDA proposed an update to its “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” guidance, adding vulnerability disclosure requirements and making recommendations for cyber-device-maintenance plans and patch timelines. The deadline for public comments is May 13.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.