From the August 2021 issue of HealthCare Business News magazine
It’s no secret that healthcare cyberattacks are on the rise. Last year, 599 healthcare facilities fell victim to ransomware, according to an industry survey from Bitglass. Data breaches increased 55% in 2020 from the previous year, impacting 26.4 million records at an average cost of $449 per record and a total cost to healthcare organizations of $13.2 billion.
Beyond the financial implications, a hospital breach can disrupt workflow and have dire consequences. Last year, a ransomware attack on a German hospital caused a standstill in patient care, resulting in what may have been the first death linked to a cybercrime.
To combat these threats, Philips offers Cybersecurity Services within its existing healthcare customer services portfolio. The solution is customizable to meet the unique needs of diverse facilities and supports all types of medical equipment and devices, regardless of manufacturer.
“Philips looks at hospital cyber health from a strategic perspective,” David Franklin, the company’s director of business development for customer services, told HCB News. “Whether large or small, hospitals need to know their vulnerabilities.”
The solution stems from a partnership with healthcare cybersecurity company CyberMDX, which specializes in hospital digital environment mapping and evaluation, medical device risk assessment, security prioritization, threat detection and intelligence, intrusion prevention, and related support. Together with Philips, they provide a service that breaks down into four key components:
Consulting – Security experts provide risk and vulnerability assessments of medical systems, regulatory compliance support, and guidance for seamlessly integrating security response and recovery across suppliers.
Protection and Upgrade Services – Technology and service offerings work to keep systems secure through software upgrades to the latest security standards, medically validated OS patching, and network segmentation.
Detection and Recovery Services – Identifying and monitoring the security posture of medical assets and systems 24/7. When needed, these services trigger response and recovery workflows.
Access & Audit Services – Access and audit services help maintain control over employee and vendor system access and allow for streamlined/compliant auditing of procedures and data.
“Once connected after 30 days, Philips and CyberMDX review the vulnerabilities by modality and device and make a recommendation to improve cybersecurity,” Franklin explained. “This might include such security steps as antivirus, whitelisting, firewall, or OS patches.”
Cybersecurity starts at the top
Franklin has an extensive hospital background, beginning in management engineering and then managing nursing, imaging, and other departments at Ochsner Health and Vanderbilt University Medical Center. He has had first-hand experience with the growing threat of cyberattacks, and says these challenges should be seen as leadership issues.
“Accountability for cybersecurity has to commence at the board level,” Franklin said. “The board has to understand the threat, ensure funding, oversee policies, set metrics, and hold everyone accountable to these protections.”
That means recognizing the importance of security from all perspectives. From patient safety to the financial impact on the organization, Franklin believes that preventing a breach requires top-level awareness and a cohesive overall strategy.
“Any hospital leadership needs to be honest with themselves and understand their cyber health across their entire network,” he said. “We chose the CyberMDX platform because its sniffer feature can monitor the entire system without being intrusive to necessary interoperability functions among different vendor devices that are the baseline in hospitals today.”
Driven by artificial intelligence (AI), the CyberMDX solution is scalable for an enterprise and meets HIPAA compliance standards. The platform also meets the need for:
Confidentiality: Only staff who should have access to data can retrieve data;
Integrity: Information cannot be modified without detection;
Availability: Information can be accessed by authorized users when needed;
End-to-end “Security by Design”: Security is baked into the product design and development, not added as an afterthought;
Certification: Philips is the first medical device manufacturer granted Underwriters Laboratory product cybersecurity testing firm registration.
While cybersecurity has historically been provided by third-party companies, Philips believes its experience as an OEM for a range of medical technologies gives it unique value as a partner.
“Imaging, for example, is key to nearly every diagnosis and treatment,” said Franklin. “Physicians expect interoperability, that images will be delivered in the patient's medical record on time and securely, uncorrupted by malware or a virus. Hospitals use a lot of different brands they must protect operating together to keep the hospital network safe from cyberattack.”
By bringing all of that security under one vendor-neutral umbrella and leveraging an industry-leading OEM footprint, Philips aims to protect the entire medical equipment ecosystem.