By Dan Czech

Healthcare security professionals all have one question on their minds: How can they protect patients in an increasingly connected world? Cybersecurity issues keep hospital officials up at night, and it’s not hard to see why. Even a cursory look at 2019 headlines reveals a steady stream of healthcare-data security breaches all over the nation. The risks from unknown threats loom large in healthcare.

Knowing the importance of protecting patient data and the risks associated with connected medical devices, we at KLAS have watched the medical device security market take off and have been amazed at the rapid adoption happening in the Internet of medical things (IoMT) space. In just a few years, it has gone from an almost unheard-of market to a space booming with new vendors offering IoMT capabilities. To explore what is happening in that space today, KLAS published the Internet of Medical Things 2019, which, among other things, looks at why some vendors are being chosen over others.

The Impact of Vendor Culture

We originally thought that the individual technology capabilities and how vendors uniquely approach discovering devices would be differentiators. But most healthcare organizations that purchase an IoMT product are actually fairly satisfied with the functionality of identifying devices, regardless of vendor. Instead, we found that how IoMT software solutions fit and integrate within the existing IT security environment is a critical factor. In particular, it is important that a vendor can support other security programs and technologies already in place, such as network access control and security information and event management systems. 

Beyond device identification and integration with other security systems, a decision factor that took us by surprise was the importance of a vendor’s culture. Healthcare organizations are quick to notice and even sometimes look for cultural attributes in an IoMT vendor. While culture is not simple to define, feedback from healthcare organizations about the culture of IoMT vendors did come up in the research. Organizations mentioned elements such as the vendor’s responsiveness, willingness to partner, staff friendliness, and desire to be flexible (even as a development partner). 

For more specific insights into the strengths or weaknesses and market energy of various vendors, I recommend taking a look at the full KLAS report.

Looking Long Term

KLAS is also looking at what is in store long term for the IoMT market. Many vendors currently seem to offer exceptional technology and service. Does that mean that IoMT vendors will be able to scale to meet growing expectations? Or are these unrealistic expectations that will only leave providers disappointed later? Additionally, who will be able to leverage their software to provide unexpected benefits and outcomes, such as utilization management information?

Interestingly, as KLAS researched medical device security and vendors, we found that some security leaders and their organizations are structuring their contracts to protect themselves from being stuck with a vendor who may not perform well in the future despite current high performance. We have talked to providers who have three-year contracts at an initial price, but they have out-clauses to be reviewed every year.

As the market changes quickly, providers do not necessarily want to invest in a long-term partner just yet. They are kind of investing with only one foot in the door. This gives them an opportunity to go elsewhere if the vendor doesn’t keep up or if the service starts to slip.

Taking Future Steps to Protect Patients

IoMT tools are being used mostly for identifying issues, though they are capable of more. However, identifying issues is just the tip of the iceberg. Healthcare organizations and their IoMT vendors will need to increase their efforts in medical device security in the near future. At the same time, we feel that expectations for the capabilities and uses of IoMT tools will only continue to rise.

Currently, medical device identification and other cybersecurity needs are mostly being addressed in large, acute-care organizations. These organizations have many more medical devices to secure than most clinics do; often 10,000 or more devices are connected to the network. But with the continued rise in costs, so much of healthcare is moving to outpatient clinics. Eventually, these smaller outpatient facilities will absolutely need to get involved. 

Despite the risks they pose, these connected medical devices are not going away; they are a need and also a problem that will only increase. The healthcare organizations facing these security risks head on right now are some of the brave ones; it is not easy to take the first step in identifying medical devices to find you have some major issues. 

Add on top of that HIPAA laws—if patient records are breached, the Office of Civil Rights can levy penalties on an organization, and the pressure to do something exponentially increases. But despite all that, these first organizations are taking admirable steps toward accountability and working to protect their patients. The broad scope of this challenge, combined with the need to overcome potential internal governance and organizational barriers, presents a daunting task for organizations going forward and organizations taking early steps down that path are already reporting positive returns.

Dan Czech is an analyst with KLAS Research. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].