Healthcare Cybersecurity Insights + Tips

Discover research examining the attitudes, concerns, and impacts on medical device security, as well as cybersecurity across large and midsize healthcare delivery organizations.

Listen in to hear detailed data from a research study conducted for CyberMDX and Philips examining the attitudes, concerns, and impacts on medical device security, as well as cybersecurity across large and midsize healthcare delivery organizations.

Healthcare is one of the most targeted industries for cyberattacks. A recent report from HHS cited a total of 82 ransomware incidents so far this year worldwide, with 60% of them impacting the U.S. health sector. Whether the hack is committed by notorious gangs or lesser-known hackers, hospitals now account for 30% of all large data breaches, at a substantial cost running into billions.

The Ipsos study surveyed 130 hospital executives in Information Technology (IT) and Information Security (IS) roles, as well as BioMed technicians and engineers. The respondents, who averaged 15 years of experience in their fields, provided insight into the current state of medical device security within hospitals and highlighted the challenges their organizations face.

During this session, our guest speakers, Joe Scotto (Chief Marketing Officer at CyberMDX) and David Phillips (Senior Director of Marketing at Philips), join us to discuss key insights from the study:

  • The lack of automation for medical device inventory
  • The impact of device shutdowns on hospitals
  • The low prioritization of cybersecurity investment

Speakers:

  • Max Och, Ipsos Healthcare Advisory Consultant
  • Joe Scotto, CyberMDX Chief Marketing Officer
  • David Phillips, Philips Senior Director of Marketing

AI-generated audio transcript is offered below. Apologies in advance for inconsistencies that have been included.

0:04

Thank you for joining us for today's Ipsos Healthcare Webinar featuring cybersecurity insights and tips.

0:12

Today we'll be joined by two industry guests, and you can read more about our speakers on the slide in front of you.

0:20

Throughout today's session, you will remain in listen-only mode; however, throughout the webinar, you may submit questions online using the Q&A feature.

0:30

Time permitting, we will answer questions at the end of today's session. However, if time runs short, then your question will be answered by e-mail.

0:40

Today's webinar is also being recorded and will be directly e-mailed to you.

0:46

So now, without further ado, it is my pleasure to introduce today's first speaker, Max Och, a consultant with the Ipsos Healthcare Advisory Team. Max, you have the floor.

1:00

Thank you.

1:01

And hi everyone and welcome to this webinar on Cybersecurity in the Healthcare Space.

1:06

I'm Max Och, your presenter and a member of the Ipsos Advisory Services Team.

1:12

And we're really excited to share and discuss the findings from our recent study.

1:17

And I'm joined today by two folks that are heavily involved in the hospital security space.

1:22

That's Joe Scotto, the Chief Marketing Officer for CyberMDX, and David Phillips, who's the North American Business Market Leader for Services and Solutions for Philips.

1:34

So, a quick discussion on the methodology of our study. This was a double-blinded study that we conducted as an online quantitative survey that took about 20 minutes.

1:45

We had 130 total respondents: 100 fell into the category of information security respondents, and then the other 30 were biomedical technicians and engineers.

1:57

And the goal here was to kind of understand the differences in the concerns and practices between those IT and biomed folks across environments and roles.

2:08

Now, before we get into the data, Joe and David, do you have any comments on the research objectives as a whole? Joe, I can start with you.

2:17

Sure. You know, I mean, the objectives were obviously learning. We were wanting to learn more about attitudes or concerns, less about specific data, which is sort of typically what you see in a lot of cybersecurity research. I think the surprising aspect for us was, when we looked at the data and started to analyze it, there were a lot of things that seemed a bit disconnected.

2:45

So, you know, without kind of getting into that, we'll cover the details. But, you know, as an example, there were things that they were really, really concerned about, yet in terms of how they were reacting to the concerns and what they were telling us, it didn't seem like it made a lot of sense.

3:02

So, I think, overall, it's a frame; what we kind of looked at was the learning, and then we tried to create some meaning out of it.

3:14

I think this is a highly emerging topic, right? Cybersecurity in health care, particularly with connected medical devices, is a little different than banking security or hotel security.

3:24

So, when we talk about connected devices, or connected medical devices, right, you can think in terms of cloud, you can think in terms of network, you can think in terms of the computing environment in a health system.

3:35

Then, there's this specialized area called Medical Device, where you have a number of vendors with different products out there that have different levels of cybersecurity built into the installed base and different strategies for cyber moving forward. So, again, this is a highly emerging field.

3:50

Some of the differences in attitudes and opinion, I think, reflect the emerging increase in attacks but also reflect the emerging awareness.

4:01

Thoughtfulness around medical device cybersecurity.

4:05

Thanks, guys. And with that, I'll get into a little more information on the types of respondents we had.

4:12

So, if we start on the bottom left, um, you can see the breakdown of the specific role. So as I said, most were, we'll call them, IT folks. That was split roughly evenly between information technology and information security respondents, and then we had, you know, biomedical engineers and biomedical technicians, all with an average tenure of about 15 years in this field.

4:35

Then, if you look at the top, you'll see their level of influence on purchasing decisions.

4:39

So, if you look at just the top row, looking at the percentage of folks who were primary decision makers for purchasing these products, we can see that for Internet of Things medical device security, about 60% of them were the primary decision maker.

4:53

And then 40% were the same for compliance and governance, and then almost 60% for overall IT and our cybersecurity.

5:01

And one thing you'll notice here is that the percentages along that top row add up to more than 100%, much more than 100 clinically.

5:09

And this indicated to us that these IT environment respondents are juggling multiple roles as the primary decision maker. You know, they're wearing many hats.

5:18

And then if you take a look at hospital systems, so mid-size, which we've defined as under one thousand beds, that made up almost two thirds of the respondents.

5:28

And then, the large hospitals, or hospital systems, I should say, are over a thousand beds. And that's about 50 of them.

5:35

And then, lastly, and reflected in the hospital size, you see the number of medical devices in the hospital.

5:42

And you can see it's roughly a bell curve.

5:45

Most of them are clustered in those middle 2 or 3 buckets, from 11,000 to 11,000 to 25. And then we have a few at either end, either fewer than a thousand or more than 50,000.

5:58

So, the first kind of real data that we got from the study. So, this was talking about shutdowns of medical devices. And here, we're looking at the split between IT and biomed respondents. And, I think, a few things to look at here: if you look at the very top row, right, that's forced shutdown of devices by external attacks. And you can see here that the IT folks reported these shutdowns as lasting much longer than the biomed. And if you look, unfortunately, due to small sample size, we couldn't get dollar amounts for all the biomed categories.

6:37

But, if you look at the forced shutdown of devices by external attacks on the right-hand side, you can see that the IT respondents reported almost eighty or $80,000 per hour as a cost.

6:48

Um, and so, Joe, there seems to be some sort of disconnect going on here between the IT environment folks.

6:57

Yeah. I mean, clearly, when you look at the external attacks, those numbers there, where you have biomed saying it's about four hours, and then you have IT saying it's almost 13.

7:10

Both numbers can't be right.

7:12

So, that's something that just sort of illustrates maybe a need to make sure everybody's talking about the same things, get everybody aligned, to make sure everybody's using the same set of data points.

7:26

I think that's kinda one thing that jumped out at me.

7:29

The other thing, when you look at the right side of this chart, is just the potential bite that device shutdowns take to the bottom line for a hospital.

7:43

Obviously, we've read about this, and, you know, whether the number is, you know, 80,000 or $40,000 an hour, or, you know, whatever it might be, that's still a sizable number for any 24/7 type of operation, which all hospitals are, 24/7.

8:00

So, if that shutdown is lasting a day, you're looking at, you know, a million to $2 million in revenue loss. And, of course, we've read some of these shutdowns have lasted days and weeks. So you can see how that really can add up very quickly and really, just a tremendous impact.

8:24

When I think about the challenge of protecting these endpoint devices, right.

8:28

So when we talk about connected medical devices, the definition comes into play. So, is a connected medical device a patient monitor or an ultrasound system or an MRI scanner? Is the computing station that I sit at to document my case findings or document patient care a medical device? Is that computer a medical device?

8:48

At some level, even a cell phone that has that call capability is actually a medical device.

8:54

So I think the definition comes into play here as well, in that IT may have a broader definition of what a connected medical device is.

9:02

I think, that plays into the longer time horizon.

9:05

But, Joe, I completely agree with you, just multiplying 12.8 times, $80,000.

9:10

You're at a little over $1.1 million.

9:13

So, there is significant cost associated with a forced shutdown, regardless of how you define medical device.

9:20

Absolutely.

9:23

Now we can take a look at the same data through the lens of hospital size.

9:29

So, just to point out here, we asked about these shutdowns on two different axes, so to speak.

9:33

So the first was an external attack versus an attack initiated by an internal action such as phishing. And the second was whether those shutdowns were forced or proactive.

9:45

And overall, we saw that the forced shutdowns and external shutdowns were the ones that contributed to kind of higher numbers, whether that's length of time or more money. So, here, let's take a look at the third row, right, that's the shutdown due to external attacks, altogether, proactive or forced.

10:03

And, on the left-hand side, you can see, on average, the mid-size hospitals reported about a 10 hour shutdown compared to just six for large hospitals.

10:11

And, in terms of the cost, and this is something that surprised me personally, initially, it's about 45,000 an hour for the mid-sized hospitals, compared to a little less than half that, 21,000, for the large hospitals.

10:25

So, Joe, do you think there's something about the different hospital sizes that is leading to this big difference in the reported cost and time?

10:36

Well, I mean, I think the implication is that the mid-sized hospitals are feeling a lot more pain, and the logical, uh, thought about that is that they probably have fewer resources.

10:51

And it just takes them longer to recover.

10:54

And so when you look at how much they're saying, it's costing them, which is more than double what large hospitals are saying.

11:04

You know, it's probably because they're resource strained. And it just takes a lot to get everything, get the operations, back up and running.

11:13

I don't know, David, what are your thoughts?

11:15

The question really comes back, for mid-size and large, to health systems, as opposed to individual hospitals, I think.

11:21

And so the question is, for me, at least when I look at the large health system, can they divert patients more effectively to available resources when there is a forced shutdown?

11:33

So, within my own health system, that's a good point, yeah, because the biggest cost here is my loss of patient revenue.

11:39

And this is much more expensive than the cost of remediation, which in and of itself is a huge cost.

11:45

But I think if I can continue to manage patient care, right, then my cost is going to be lower. If I'm a smaller organization that has to divert patients to other institutions that are not part of my health system, that's actually a double whammy.

11:58

Right, the cost of remediation plus the loss of patient revenue. Yeah, it makes sense.

12:04

Yeah, absolutely, guys.

12:06

And so, now we move to talking about the concern for cybersecurity attacks.

12:13

So, a few things to point out here. First, the nature of the question: this is an Ipsos best practice where we asked respondents to rate something on a scale of 1 to 7. So here that scale from 1 to 7 is how concerned they are. And the percentages you're seeing in front of you are the percent of respondents that picked the top two boxes, so 6 or 7, meaning, you know, most concerned.

12:36

So, on the left-hand side, we went with ... concern levels. So from the top to bottom, we have the concern about cybersecurity attacks in the healthcare industry before COVID. And then we have the respondents' concern about cybersecurity attacks in their hospital before COVID.

12:54

And then we zero in further asking about concern for medical devices.

12:58

Or IoT as a vector for cybersecurity attacks in your hospital.

13:03

And then on the right-hand side, it's the same set of prompts, but just for after COVID-19.

13:10

And I think the first thing that jumps out to me is that, you know, first of all, the statistics are quite similar across the board, but they're all kind of 65 to 75%, right, so that's roughly three quarters of these respondents rated themselves.

13:23

You know, highly concerned about these types of attacks. And so, Joe, is that consistent with what you've been seeing as well?

13:33

It is. It was an encouraging stat to see that, you know, everybody gets it. They are well aware of the problem, they are well aware of the impacts of the problem.

13:45

And that's encouraging to see, because you want to make sure that that kind of level of awareness exists, you know, in Cybersecurity Awareness Month, and so that was a good statistic to see.

13:59

The one that I thought was interesting, that jumped out to me.

14:04

You know, first of all, it was great that it didn't change a lot pre-COVID and post-COVID, because they were already very, very concerned. So that's good.

14:13

But I do note that if you look at the statistics in the pre versus post for medical devices as a vector, there's a pretty significant jump, and I suspect that's because of the situation we had with the pandemic, where medical devices were.

14:33

So critical, and shortages of them were rampant. Obviously that spilled into that, and you can see that big spike, you know, in the difference.

14:45

Yeah, for sure, Joe, and we like to say that WannaCry changed everything. Before WannaCry, of course.

14:52

Information security people knew about ransomware, and they knew about vicious malware attacks, but WannaCry really made ransomware a household word.

15:03

Prior to that, I don't think the use of malware for extortion from hospitals was nearly as rampant as trying to access patient records, you know, stealing patient records in order to get access to credit information.

15:15

Now hospitals and health systems are outright extorted through malware.

15:21

And so pre-COVID, I'm not surprised by the high levels of concern in the first place.

15:25

The exacerbation that we see post-COVID really is related to the creativity of the hackers, because of the ever-increasing volume of attacks that we read about in the news.

15:36

So keeping track throughout.

15:38

By March, we had a list of 17 health systems that we knew had an active ransomware attack. That list doubled within a month.

15:46

It continues to double over and over again, with an exponential increase today.

15:52

So just the, the amount of attacks, the sheer volume, is driving that concern for sure.

15:58

Either way, I think device shutdowns are a concern because of the impact on patient care or the potential to impact patient care.

16:07

Absolutely.

16:09

For sure.

16:09

And so, you know, this is concern about attacks on the whole, but now let's take a look at, you know, the perception of criticality of an individual attack.

16:20

All right, so this is asking respondents, once again on that scale of 1 to 7, and we're looking at the top two boxes of seven, how critical they think the impact would be if a cyber attack shut down use of a connected medical device, right? And we can see here there's not a lot of difference between the different roles and different hospital sizes, but still, all in those high 70 or low 80 percent.

16:46

So, if you look on the left-hand side, the question is, to the respondent: how critical do you think the impact would be?

16:54

And then, on the right-hand side, it's how critical, you know, C-suite level management would think the impact would be, and as you can see, there's a couple percentage point increase going from left to right, but overall, it's not the same.

17:09

Are you happy to see this level of concern about this?

17:13

Sure. You know, I mean, you can argue, why isn't it 100%? But you do see that they think that 80% of their C-suite recognizes that medical devices just absolutely cannot be shut down, and we need to do, you know, everything we can to make sure that that is something we prevent. I think that's highly, highly encouraging.

17:38

And, again, it speaks to everybody being well aware of what's important and well aware of the impact.

17:50

And so I think it was the previous data that showed the amount of time associated with an impact, and obviously, it's almost immaterial at this point.

17:58

The criticality here, you can speculate and say, is tied to patient revenue, or tied to patient lives and livelihood.

18:07

It's also tied to clinician satisfaction and clinicians' ability to treat patients with diagnostic tools.

18:13

So all of the factors, financial, clinical, operational, come to bear when you talk about criticality of device shutdown.

18:22

The question that I'd ask next is, sort of to lead the witness, Max, how prepared are we for various kinds of attack?

18:33

For sure, and as you're saying, you know, you'd think that this level of concern, as we saw on the last slide, and criticality, would be reflected in, you know, spending priorities, so to speak. But as we take a look at this information here, you see that it's not quite the case.

18:49

So let me first kind of explain what we're seeing here. This is another scale of 1 to 7 question, where the question is, what is the priority of spending when it comes to budgetary planning? And on one end of the spectrum, cybersecurity is the higher priority.

19:06

And then on the other end, on the right-hand side as you look at the screen, IT spending is the higher priority. And considering we were seeing kind of 60, 70, 80% of people being highly concerned about various aspects of cyber attacks, seeing here that only 11% were kind of in the top two boxes for security being a higher priority, to me, was quite surprising.

19:30

And then that 75% there, that refers to everyone who prioritized other IT spending as, you know, a higher priority, or as an equal priority to cybersecurity spending.

19:42

So, Joe, what does this tell you about people's spending priorities relative to their concerns?

19:49

Um, everything's up to interpretation. But this was certainly, in talking about the disconnects.

19:55

This was one of the most puzzling ones. After seeing the stats about, you know, the extreme concern, and everybody saying, you know, we want to make sure this doesn't happen, to then understand that 75% say their IT budget has a bigger priority.

20:16

It was a bit of a head scratcher.

20:18

And I can tell you that when the report was released, the report that we did on this research, we saw lots of social media posts where people widgets, you know, just really, really, actually. Yes. So especially people in the security world, so it really caused a stir.

20:38

And, yeah, I know there are a lot of different ways to cut it.

20:44

One of the potential explanations is, there are things that, you know, you have a mandate to spend on because they have an ROI.

20:53

And cybersecurity, right, obviously, doesn't have one. And we can talk about value, that you get protected, you lower your risk, but it's not a return on investment.

21:03

And so that typically could play into why spend goes one way or the other. The other thing, and I saw this in the comments, was, well, they just don't have enough dollars.

21:15

So, it could be just a matter of, you know, they have to spend on this, and then this is all they have left, which, you know, Max, in the face of what's a priority, but that is what we saw in some of the comments. David, anything, you know, any other things you want to add to that?

21:34

And I'm like you, I'm speculating a little bit, but what we didn't ask was, is this the current priority or future priority, right?

21:41

So, folks may have been responding from current, versus, hey, we know we need to invest more in cybersecurity spend. It may also be, I'm gonna keep my IT operation up and running, right? I've got data centers, I've got my software.

21:57

I've got Microsoft contracts.

21:59

I have a lot of high priority IT spend, and so those are priorities.

22:04

Cyber is potentially a second priority today.

22:09

As these threats emerge, maybe that priority changes in the future. So, again, it's a little bit of speculation on my part.

22:15

But I think it's reasonable to say there could be a time element involved.

22:21

There also is a necessity of keeping operations running as a priority.

22:26

So, Joe, that's where I would speculate here.

22:29

Yeah, satellites, absolutely, still puzzling. Especially given the criticality, the spend ratio seems off.

22:39

And so, personally, I don't think it's a challenge of ROI. And I think also that prevention is worth a pound of cure.

22:49

And so there is a lot of recognition in the customers that we speak to at Philips that the medical device is a vector and that protection is absolutely required.

22:59

I think the difference between biomed and IT, is there a difference between them?

23:04

It is. Joe, back to that point that you've made lots of times around a single source of truth.

23:10

Right, a single source of truth for inventory, for risk assessment, for, you know, what does good look like, and you need a single source of truth for what good looks like in order to have an actionable plan.

23:21

Exactly, Everybody's on the same page, yep.

23:25

Yeah, absolutely, and that takes us to the next question we asked here, which was really drilling down into some specifics in terms of cybersecurity and protection, right?

23:38

So, we asked here about six of the most common or well-known existing vulnerabilities that hospitals can protect themselves against, or protect their medical devices against.

23:51

And the percentages you're seeing here are the percentage of respondents that said their hospitals were not protected against these vulnerabilities.

23:59

Right?

23:59

So if you look at the bottom two, Apache Struts and BlueKeep, these were fairly well publicized, you know, a few years back, I should say.

24:08

And you can see just about a half of respondents said their hospitals were, we're protecting them.

24:14

And then as you go up, you know, perfect WannaCry, then re-open empty hacks.

24:18

And NotPetya, you can see the percentages increase, and, you know, for NotPetya, for example, three quarters of the IT respondents, and, you know, just about three quarters of respondents overall, are not protected against it.

24:32

And the last thing I'd point out is at the bottom here: this is the percentage of respondents that said they were not protected against any of these six listed vulnerabilities.

24:44

So, Joe, is this surprising to you? It was. I didn't expect the numbers to be this high.

24:51

Um, I mean, they're just really well-known vulnerabilities. I mean, NotPetya and WannaCry, even raju. That's huge.

25:02

One thing I'd mention also is that MDX and MDX Ray were vulnerabilities in medical devices that CyberMDX, our research team, had actually discovered. So it was just interesting to see that, you know, in the mix here.

25:20

But I just think that it's probably a resource issue. I don't know that. If they're extremely concerned, again, it's trying to apply the logic of the data, right?

25:34

If they're extremely concerned.

25:36

And they're, you know, driving whatever they can to combat this, to prevent the attacks, and just monitor the threats.

25:48

It just would seem logical that some of this stuff would have more protection on it.

25:58

I think it's complicated too, right, because there are thousands of devices in an organization.

26:03

And so, in order to protect every single device from the multitude of vendors, you'd have to collect every MDS2 document.

26:11

You'd have to collect all the vulnerability tables. You'd have to acquire all of the patches where vendors put them out, and then actually apply those to the systems.

26:22

It is a monumentally large undertaking.

26:25

It's a pretty major process if you go at it on a device-by-device basis.

26:32

Again, from a privileged perspective as an OEM, we take our obligation to test patches and communicate those to the market very seriously.

26:40

So within five days, we had our patches across the board communicated to the market, and we were doing a lot of install base work with customers across North America, really helping them understand: how do I protect each of these individual systems, within each modality, within a large installed base of other vendors?

26:59

And so for customers, at that time, the data collection burden was incredibly high.

27:05

And I think you see that reflected here, that there's a resource need to collect all of this content just in order to be prepared for: what can I patch? What can I protect?

27:15

So I think, Joe, the evolution here that I'm seeing is much more network-based systems that have that collection completed, to relieve the customer of the burden of collecting all of that content from all of the vendors.

27:28

Even if the vendors are doing a great job, putting out the vulnerability tables, there's still a huge data collection effort.

27:35

So I think that's where you see the emergence of, uh, a lot of strategies that are on a kind of network level as opposed to an individual device level.

27:44

Yeah.

27:44

So probably this question could use a follow-up where we could sort of drill down in terms of, well, what exactly have you done, you know, to help protect against NotPetya, because maybe they just were understanding that they were never completely protected. Right? So it could be just something as simple as that, and then these numbers would make a lot more sense. Sure.

28:05

And for the 20% that have no protection for any of the listed vulnerabilities.

28:10

I mean, that's a little nerve-wracking.

28:14

Hard to believe, because semis, semis professionals will say, look, what's behind my firewall is my business.

28:23

My goal is to protect at that level.

28:25

That's certainly one strategy. But you see a multitude of strategies, again, without a clear definition and standard for what good looks like.

28:32

Yep.

28:35

Um, yeah, absolutely, and that's an excellent insight.

28:39

And I wanted to, kind of transition into medical device inventory, right.

28:45

So, here, you'll see two different questions. On the left-hand side, we asked the respondents how to best characterize their knowledge of the number of devices in their hospital, right. So, whether they know the exact number, or they don't know the number but there's a dashboard of sorts that could tell them, or they don't have a way to determine it.

29:05

And you'll see that about, you know, one in seven hundred and six.

29:10

And the bottom here did not have a way to determine the number whatsoever, and I think their policy for device inventory may play a role there, right?

29:19

So, if we're looking at, on the right-hand side, what the inventory policy is for these respondents within their hospitals for their devices, we can see that, kind of, the third and fourth rows, right, a mix of automation and manual inventory, and then fully manual inventory.

29:35

They account for around 60% of respondents. And that definitely surprised me when I saw that. You know, almost two thirds of these respondents had manual inventory involved.

29:47

In that process. We saw some numbers reported, 20, 30, 50,000 medical devices in a hospital. So, to have a manual component there.

29:57

It's definitely, I'll say, interesting, to say the least. Joe, did you see that the same way?

30:03

Definitely.

30:05

Then, coming from HIMSS, the HIMSS Conference this year, there was a big focus on productivity, you know, people productivity. So, something like this, where you have more than 60% still doing sort of administration-type work, and that's kind of my interpretation of this. When you kind of look at manual inventory, I'm thinking they're doing this in spreadsheets.

30:30

When there are lots of different ways to automate this, that to me is, you know, interesting.

30:38

Again, another disconnect, where we want to make sure everybody's as productive as possible, we're using our resources as efficiently and effectively as possible, and yet there is this big, you know, 60% plus that are still doing things manually.

30:55

I think the other piece to that is, when you look at cybersecurity expertise, and how important, and critical, and precious it is today, you know, in the face of how many shortages there are, that would be problematic. If I've got my cybersecurity expert doing manual work in a spreadsheet to do inventory, when I know I should be taking his brain and applying it to the things that I really need to, you know, prevent threats, and study and analyze.

31:36

That, to me, would be, again, another place where a difference could be made.

31:41

If somebody takes this data, analyzes it in their hospital and within their own teams and, you know, take some corrective action.

31:53

For sure, most of our customers that we worked with Philips Healthcare have some form of CMS, some kind of computerized medical device management system where they are logging devices, you know, in some cases, log into the device comes with software version. They come with hardware version, make a model.

32:12

Obviously, Philips offers a CMS, as well, within our multi vendor program, in particular, where we can chat a lot of things like, does the device have a hard drive? If the data encrypted at rest is encrypted in motion here, you can capture a lot of those cyber details.

32:27

But in the end, it's a, no, you can connect devices. You can collect from a network perspective, that inventory on a network basis if you have tooling for that.

32:37

Otherwise, you are no totally manual process, but not every device is connected.

32:42

Remember that a lot of devices are on wheels.

32:44

They're portable by definition of the device. And things do walk the walk from one location to another where they're needed, one department to another. And frankly, when equipment gets replaced. Sometimes the old one goes in a closet as a hot swap for that rainy day with the times need situation.

33:03

So it's very challenging to maintain an accurate device inventory from a network perspective or a manual perspective.

33:10

So we see that a lot.

33:14

For Philips, we also see that as we approach multi vendor situations, in the end, this is a huge manual effort just to collect inventory.

33:23

Now, on top of that, you're talking about assessing MDS2 content and risk content through vulnerability tables for every single device from every single vendor.

33:33

Again, from a manual collection standpoint, it's a monumental effort.

33:38

Monumental effort, I mean, one thing I can click, Add is if the device is connected. We can you can get 100% inventory.

33:45

So, that's, that's good news there.

33:50

Sure.

33:51

Absolutely, and, we talk about how and how challenging, how time consuming it can be to manually inventory, all these medical devices, and that will surely have an effect on, on staffing needs for these hospitals. Which, you know, which takes us to our next question, which, first, on the left-hand side, just ask for the average number.

34:11

Uh, different types of staff. You have Enterprise Cybersecurity staff, and then Medical Device and IoT Security.

34:18

One thing to me was that the mid-size hospitals had just about the same average team size, as large hospitals back, slightly more, you know, about half a person more for a medical device, Anatomy Security.

34:31

And then, if we look at the middle table here, this is it asking about staffing adequacy, right?

34:36

So, we asked respondents, Which of the following best describes your enterprise security team? Do you need more staff? That's the gray bar on the left. Is the staffing adequate, that's the kind of a colored bar in the middle. and then are you overstaffed, that's these numbers? Now, not shocked to see that, most of them do not think there Overstaffed.

34:56

Um, but I think that's, you know, this IT stat here was, was quite a stand out, you know, given the lack of investment in cybersecurity and in lots of these places, to see that two thirds of IT respondents and about 64% of overall said that they weren't adequately staffed in that department.

35:16

Did surprise me a little bit, but if we farther to the right and look at the, the team size of the team adequacy for Medical device and Internet of Things security, we see that overall, the respondents were say less pleased with the number of staff with just about half across the board.

35:33

Saying, that they need more staff.

35:37

So, Joe, is this consistent with, with your experience here?

35:41

This was another disconnect. That's, oh, you know, I, again, I'm just looking at the aggregate data, right?

35:50

So, you look at in the health care vertical, you know, the ones getting in 80% of the attacks are happening to healthcare providers.

36:02

When you look at overall breaches, 30% of all sectors are happening to healthcare, so it's it's getting attacked repeatedly.

36:12

We know there's a pretty big shortage of cybersecurity, expertise across all verticals, and, of course, and including in healthcare. So it's, it's, it's really hard to hire, And in fact, I saw one statistic that it takes about 70% longer to hire a cybersecurity expert versus just someone, a general IT, so when you marry those statistics against, the fact that two thirds are saying, Well, no, I got what I need, or I got more than I need. I'm good.

36:49

It just is another head scratcher to me.

36:56

No surprise here to me actually, Joe.

36:58

So, if I look at staffing adequacy for a medical device, an Internet of things, again, the volume of devices from the volume of vendors, it's not just about collecting the upfront data to assess risk.

37:10

You need people to get trained and deploy patches across the spectrum of medical devices.

37:17

Most of which require the OEM to validate the patch, or, in the case of some devices, you can apply the security patch directly without OEM approval.

37:28

But, again, you have to know per device, what are the regs? What are the capabilities? What are the vulnerabilities identified by the OEM?

37:36

So I'm not surprised that half of hospitals said, we're half the health system said, we don't have enough resources for a medical device and internet of things.

37:44

It is a, it is a huge undertaking.

37:46

And it's a problem that's as a, as an industry.

37:50

Right, as a biomedical device, imaging industry.

37:54

We're all working together to help health systems solve the problem, but I think it's ahead of us, not behind us.

38:01

Yeah, I mean, the other possibility here is people may be thinking of this within their own sort of department need.

38:10

So maybe they requested to headcount to do X, Y, and Z and so they got to headcount so they're OK, I have what I need, or understood, I think there's that, and then there's sort of like, how are you addressing the whole problem?

38:24

And those are two different things.

38:27

Fair enough.

38:29

Yeah, absolutely. And, again, this takes us to another aspect of cybersecurity, which is compliance.

38:36

So, yeah, we were trying trying to suss out the impact of compliance on, on two things right on the left. We have the impact of compliance on cybersecurity purchasing.

38:46

And then on the right, we have the impact compliance on, on the job, or roll off the respondent.

38:51

And the blue at the top is high impact, right, that's, that's almost always seeking and testing products to ensure compliance for on the right-hand side.

38:59

Working directly with the compliance team on purchases. And then as you go down to this, that we scale back the impact of compliance, you know, where low impact is.

39:09

You know, basically not seeing security is at the compliance, or not interacting with compliance, or any compliance requirements.

39:17

But overall, you can see for the impact on, on the roles, just about a half, or a little under half, on average.

39:23

I said that, they work directly with the compliance team on purchases.

39:29

So is this interaction with compliance? Was this a surprise to you?

39:36

I thought this was great news. I mean, It was, yeah, it was a surprise, but a very positive way. I think it's, it's really great to see both the level of awareness of how compliance is something that connects to me and my job role. And then also like when I make a purchase decision, I need to just make you know to spot checks with certain people and work with the compliance team.

40:01

That's I think, a I thought that that was really great to see this level of awareness.

40:10

Keep in mind what industry we're in, right?

40:13

I mean, target, right. We're talking about healthcare and health systems and health delivery so compliance is directly tantamount to patient safety.

40:23

Cybersecurity is directly related to patient safety as well. So the compliance number two didn't surprise me only that it's not higher.

40:32

Because it is so critical for me here at Philips, we have a lot of compliance involvement as well.

40:38

So we are measured by the FDA against our quality processes. All of our employees have to take certain trainings. We have to track that those trainings are taken.

40:47

So no, I think whether you're looking at SOX compliance, Sarbanes-Oxley, compliance on the financial side, whether you're looking at FDA compliance, whether you're looking at compliance with Medicare and Medicaid, require less rain, you really have to think of this as tantamount to everyone's job because it ties directly back to patient safety.

41:07

Great.

41:10

Absolutely.

41:12

One more aspect of cybersecurity here before, before we wrap up, and that's cyber insurance. So here, we're looking at the split between mid-size and large hospitals. They're fairly similar, you know, more large hospital respondents said they, you know, quote unquote didn't know. If they had cyber insurance or not. You can read into that as much anymore.

41:32

But the I think the overall thing here is about 60% concretely said that they do have cyber insurance and the rest were split among not having it or I used to have it but could no longer get it.

41:43

Maybe, you know, after a data breach, or just unable to get cyber insurance.

41:48

And, once again, ask, is, this is a surprising, or are you happy to see this, this level, or, are you hoping for more more insured?

41:55

Hospitals, this one, I didn't really have an expectation on.

41:59

I think my takeaway on on this one is, when, when it comes to cyber insurance, what's their understanding of it. Because it's good.

42:11

It's good that this, many hospitals are looking to insure against something, it just means that they, they know this is a real problem.

42:18

If you didn't think it was a possibility, you wouldn't be insuring your hospital to be protected for it. Right. So that's, that's a positive aspect of it.

42:27

The, the, the question I've got is, how do people see it within the organization? And, in particular, when you look at like C suite, or are they sort of seeing this as, Oh, I uncovered, if this happens.

42:41

And are they walking away with potentially a false sense of security?

42:45

Because, you know, the level of what you get insured for it is, is, you know, going to vary.

42:54

And, and, in fact, there was a very high profile case recently, of, you know, where a breach, and they calculated total cost, said, I think, 113 million. It was, like, 90 million tied to revenue loss. Another 20 plus million dollars tied to the recovery costs.

43:14

So, you know, you're, you're looking at, you know, huge cost to the hospital and the insurance coverage covered less than 18 million of the 113 million.

43:28

So I guess my takeaway out of this is: if they're getting cyber insurance, are they understanding sort of what that means And if there is, you know, this sort of huge breach, This is what you're up against. So really, you always have to help the insurer.

43:43

You can't just, No, you even like with compliance, you can't just comply and think you're done.

43:49

Right, because that's really, they're recommending the bare minimum.

43:51

And similarly, with cyber insurance, you're, you're covered, but you still have to take care of your security, You have to be responsible for it. You have to make sure it doesn't happen if something does happen. You've got some no coverage here. But that would be my comment on this.

44:10

I just hope that there's an understanding of, of what it means is a direct linkage between compliance and cyber insurance. So in order to get cyber insurance, there are certain criteria you have to meet.

44:22

And it's certainly Windows compliance, Firewall compliance, whitelisting compliance are all coming to the fore cyber insurance agreements.

44:34

The two, the two run hand in hand, I think, very carefully, and, to your point, the more you comply with protecting yourself.

44:42

The less expensive and more coverage you get from the cyber insurance, TLS yourself, protect the more expensive and less.

44:51

Absolutely.

44:52

So, that wraps up the data presentation part of this, at this webinar. And, so, before we get to Q&A, I'd like to ask our guest speakers, you know, where do we go from here?

45:05

What's the kind of, next steps for, for improving, or, you know, improve increasing awareness of cybersecurity and hospitals?

45:13

Well, yeah, David and I have all been, sort of, echoing the need for the single source of truth.

45:18

And so, that alignment is really critical.

45:20

And so, it's, I think it is it for any manager reading this data, I think it's always good to go back and spot check that across your teams.

45:29

In particular, your biomedical and your IT teams as everybody defining things the same way as everybody's seeing the problem the same way as everybody aligning their KPIs against it the same way.

45:42

Those things I think are important.

45:44

I think those priorities show also touch clinical departments, because the new whiz bang Clinical Tool has to meet those priorities for cybersecurity, right?

45:57

So making sure those priorities are clear across clinical teams as well, I think, is really important there.

46:03

Yep. And then, point to here, ensuring resources focused on protecting critical assets.

46:10

I mean, for years, we've been speaking with CIOs, CISOs about categorization of systems, life critical, mission critical, tier three, tier four systems. So, a life critical system, obviously, is required for patient diagnostic and patient care in real time.

46:26

Whether that's a Cath lab or a patient monitoring system.

46:31

If you can prioritize assets based on their clinical requirement, I think you're, like, a leg up on understanding your medical device profile, and ensuring leader connected devices have a clear categorization.

46:44

So, you know where to put your investments, if you are resource constrained, which, frankly, we all are.

46:50

Absolutely, and then, you know, in an aggregate, and all the stuff that they're doing, Also, take a look at what they're doing manually. Now. Certainly there are some things that you're going to carve out and say, I really want this to manually, because I need somebody for a focused on X, Y, and Z, but there might be some things that are just administrative tasks that people are putting in an in an Excel and updating, and that exposes you to manual error. And it also exposes you to using somebody's talents for something that could be put too much better use.

47:24

Secure their inventory assessment, it needs to connect to your CMS with your risk posture for all of these.

47:34

And I think that's, that single source of truth really comes back to, I have the right critical criticality of devices, Angular criticality, cyber, I can link my CMS, I can link my risk posture, now I have an actionable paradigm to work in with the resources that I have.

47:51

Absolutely. Absolutely, and being able to see it all allows you to protect it. If you can't see it, you can't protect that. I mean, everybody says that over and over again, it's, it's absolutely true.

48:02

I think the final point is kinda tied to that, which is really to make sure everybody's focused on the holistic problem. And that could in sort of, the difference.

48:12

In terms of the responses From some of the individual where they were kind of looking at their department.

48:17

versus, hey, if if I had to go solve for this, this is what I would need.

48:23

I mean, that's what I would go do, and I think it's important in measuring it versus some sort of siloed target.

48:36

Yeah, absolutely, That makes sense. And it's, you know, even though I've been in this study, it's still interesting to hear about all of these takes on it.

48:44

And I'd like to, with that, I'd like to transition over to the Q&A section.

48:49

We have about 10 minutes left, and we have a few questions here.

48:55

The first one, which I'll read out now, is, do you have insight into C suite and, or IT leadership beliefs about who is responsible for remediation on medical device, cyber risks, IT, or biometric hybrid?

49:09

Or other? I wonder if some leaders think it is a priority that another group is handling that group may not actually be doing so.

49:18

That's a really loaded question.

49:22

As an, as an original equipment manufacturer are the first responsibilities with us.

49:27

Right, we have to design for security.

49:31

I mean, our initial product design has to cover security.

49:34

If you choose a Microsoft operating system, there are a lot of inherent features to that Microsoft operating system that expose risk. Is there a lot to protect risk?

49:44

And so, making decisions as an OEM about the initial Product Design is key, and then keeping up with the, you know, the Microsoft churn, Microsoft releases patches, security fixes, as well as their monthly cadence of patches. We'll look forward to Microsoft Tuesday.

50:02

So the OEM needs to clearly communicate vulnerability to the marketplace.

50:08

So, who's responsible for actual delivery of that remediation?

50:12

And, again, this comes back to understanding your install base posture by device, and really starting with that electronic inventory and knowing who's accountable for what, so in some cases, you can turn on the OEM to upgrade that system to patch it. And, again, that's a service level agreement.

50:30

If the in-house biomed team has taken responsibility and co-ordinated that with IT, I think that's really the key.

50:37

We talked about co-ordinating across departments but knowing, Hey, we're the biomed team we're accountable for.

50:44

I just want to take something out of a hat, we're accountable for an ultrasound service.

50:49

That means you have to keep abreast of the MDS2 documents and the vulnerability tables coming from the various OEMs. You're providing that patch to that level and installing it.

51:01

If IT says, Hey, we have the responsibility, and we're going to co-ordinate with biomed to execute, or IT says, Hey, we're going to roll these patches out via central deployment system, Tivoli, SMS, whatever.

51:13

Sylvia, where you can apply central networking systems you do, and where you have to individually cache, you co-ordinate that, within your organization, so, actually, Sure. I took the only answer there, but I think That's what I see most often.

51:28

Right, is IT environment working together to co-ordinate a response based on the total inventory in the CMS?

51:34

Then it needs to be collaboration, but but they own different things, right? Because biomed owns the management of the medical devices. They don't know security, and then security manages networks, and they don't, typically, they know, IT networks. They don't typically know how a medical device works. And so it really does need to be a collaboration.

51:53

But I think the security pieces is is probably moving more toward the the CIOs CSO organization.

52:05

Sure. We do see biomed setting a lot more into the gray space, which is what I call that. Yes, your face between biomed and IT.

52:12

Yes, biomed's aggressively stepping into that space and they need to as a profession is critical.

52:20

Yeah, so yeah, some of them are physically getting additional certifications and moving into cybersecurity from biomedical, which is going to be great, because now you're gonna have somebody that really understands both worlds, so the more that happens, the better, you know, for the future.

52:37

Really interesting, and I think we have, we got a couple more questions here, too. So, what would the panel recommend as particular facts and concepts that can be used to secure additional funding for cybersecurity programs?

52:49

Joe, you want to start with this one?

52:52

I mean, I think you have to make the case to your management, the, there's no shortage of statistics or proof points, to, you know, just look around and and see that there actually is a real ROI to this. And it's, it's just to prevent what could be significant losses. The numbers in healthcare are much higher loss wise from cyber attacks than they are for, you, know, across all industries. And then certainly some of these high profile ones are exponentially higher than the average and healthcare.

53:30

There's a lot, that's that is there to go make the case to your yours, your senior management team, and say, Hey, we really need to not just talk about this. We need to be doing stuff, And this is how much this costs.

53:45

And here, and, also, understand, if we have these dollars, they have to be prepared to say, this is what we'll get. This will be the result, And I think that's that those pieces all have to come together in order for some of these things to change.

54:00

I think we laid out into the street business case, actually, in the Where do we go from here, right, of aligning the impacts across departments. Ensuring resources are focused on the definition of critical assets, right? Assessing the manual work, certainly would be part of here.

54:16

Business case, it's the report of my business case, plus one million dollars per attack, that we described earlier in this study, right, 12.3 hours times, $80,000 an hour.

54:29

Right. That's another million dollars in, against that. I would say, OK, how do I measure that against the holistic problem?

54:37

That's where I would start my business case, and I'd be thrilled to see that, from the management or the board of directors, and make that pitch that we need additional revenue to prevent this type of exposure and cost exposure.

54:50

Absolutely.

54:52

And that takes me to our last question. The Q&A is still open for attendees, if you want to add more in.

54:59

That is where I work for a mid-size hospital, and I think we do feel stream I resources.

55:04

Are there any shortcuts you can demand so we can do more with less?

55:10

There are lots of shortcuts. Lots of ways to do more with less.

55:14

You know, for us, we are working on making it really easy at, first sight to use the, the, the solution in the sense that we're going to show the user where to start and then actually guide them.

55:33

With regard to art. If I want to mitigate this, give me some options and we'll be able to actually illustrate the options, show them where they are highest criticality risks are.

55:44

You should really kind of point them to the most important things. And then actually spoon feed.

55:50

This is how you can go do it.

55:52

So if you don't have something in place like that now, that's a real quick shortcut to make sure you know what you need to protect, and then we'll also have, like, real guidance on what to do, and where your most important things most most urgent criticality.

56:15

Our next. So, I think that's the last of the last question we had.

56:21

I would join data. I'd open up to you for any final remarks before wrapping up. But, yeah, if you have anything you want to say, please go ahead.

56:32

Just if anybody has any questions about the research, feel free to reach out.

56:37

And it's a pleasure to be here tonight.

56:40

Thank you, don't really want to see exactly that and say thank you, Max, thank you, Joe.

56:47

Really fun doing the research study, but also really pouring through the results with you, thanks all.

56:51

The attendees and listeners, this is really an emerging area.

56:56

We're excited to be part of it. Thank you.

57:00

OK, great. So with that I'd like to conclude this webinar on perspectives in Health Care Security. Thanks to all for attending and for your insightful.
