Cyber risk, according to the Institute of Risk Management, means ‘any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.’
From mobile apps to insulin pumps, medical devices increasingly are connected to the internet. By 2020, internet-connected healthcare products are expected to be worth billions in economic value. But connectivity comes with a price – vulnerability to hackers and criminals.
As security breaches become more common and costly, medical device cyber security will emerge as a major issue, requiring device companies and healthcare providers to take pre-emptive action to maintain trust in medical equipment and to prevent breaches that could cripple the industry.
Regulators have taken notice of the risks. The FDA has issued warnings and guidance documents about cyber security, and says it expects, but does not require, manufacturers and healthcare providers to ensure only ‘trusted’ users can access devices. However, the agency does require vulnerabilities to be promptly corrected and reported.
While no hacked device is known to have caused patient harm to date, recent hacks of organisations from insurance companies to retailers show those unprepared to deal with breaches can suffer lawsuits, lost revenue and reputational harm. An estimated 85 per cent of large health organisations experienced a data breach in 2014, with 18 per cent of breaches costing more than £1M to remediate.
The Technology Risk Assurance (TRA) practice at RSM, who are specialists in cyber and data security, hosted an event in April 2016, chaired by Sheila Pancholi, a national partner, for healthcare clients and targets to discuss:
- why cyber risk management is increasingly challenging;
- how everyone has a role to play in cyber risk management;
- insight on cyber risks and its impact on cyber risk management; and
- cyber risk management – what does good look like?
During the seminar the TRA team also launched the RSM Cyber Security Health Sector Self-Assessment Questionnaire which we have developed specifically for our Healthcare clients and is based on industry best practice requirements for cyber security.
Key issues raised as concerns amongst the attendees included:
- how to handle a cyber security incident;
- support from national and regional organisations;
- monitoring and controls; and
Are you prepared?
A critical aspect of cyber security is preparedness. Defence against cyber risk comes in many forms, however a few tips to avoid being the victim of a cyber-attack include:
- get the basics right - understand your cyber risks so you can plan accordingly;
- educate staff on security policies;
- have clear and concise policies and procedures in place that are fit for purpose;
- develop response plans and regularly back up your data to prevent permanent loss; and
- carry out regular reviews to check your policies are adequate.
For more information, please get in touch with Sheila Pancholi.