In early February, San Jose, Calif.-based Internet of Things (IoT) security company Forescout Technologies acquired healthcare security provider CyberMDX. On the heels of this news, CyberMDX CEO Azi Cohen sat down with 24×7 Magazine to discuss how this acquisition will affect company operations and why medical device security is an issue that should concern all healthcare professionals—not just those in IT or HTM.
24×7 Magazine: How will CyberMDX’s acquisition impact operations?
Azi Cohen: CyberMDX will continue to operate as “A Forescout Company,” and will now be able to provide hospitals with a broader and deeper solution that covers the entire enterprise of things. We will, of course, be working together on both short- and longer-term transitions; for example, connecting the teams and our partners to leverage each other’s relationships with prospects and customers will be immediate. We want the market to benefit now.
People and culture, however, are very important to both organizations so those plans will be in no rush, and we will take time to determine what’s best for everyone involved. The goal is to synergize our people and their talents for optimal advantage to our customers. We also want to ensure the best alignment to address our growth targets.
24×7: Why is medical device cybersecurity such a pressing issue?
Cohen: For years, healthcare organizations spent a very small portion of their budgets on security, assuming medical facilities were safe from hackers. But the pandemic spotlighted the criticality of our healthcare system, and hackers have started to take advantage of the poor position the industry is in, exploiting hospitals’ inability to deliver on their core mission of patient care if their networks are shut down.
Last year, we worked on a joint study with Ipsos and gained a great deal of insight into the attitudes, concerns, and impacts of hospitals when it comes to cybersecurity. The research revealed that downtime costs hospitals up to $80,000 per hour—so when a cyberattack hits their 24/7 operation and shuts it down for days or weeks, it’s a significant hit to their bottom line. Beyond that, another recent study from the CyberPeace Institute found that almost half of the 122 attacks they recorded over a six-month period resulted in patients being redirected to another hospital or having their appointments canceled.
The most vulnerable link in a hospital’s network is the hundreds or thousands of connected medical and IoT devices. Many of these devices were designed without security in mind and continue to maintain out-of-date software, insecure protocols, misconfiguration, and password flaws. Security of medical devices is a serious concern for patients’ well-being, and pervasiveness of device vulnerabilities is an easy target for bad actors. Most healthcare IT security teams don’t have visibility and control of these, which limits the ability to identify critical events, pinpoint the source of the problem, and effectively respond.
Today, hackers routinely target healthcare organizations due to the industry’s relatively low level of security. Securing our most critical devices will go a long way toward improving the overall security posture of healthcare organizations and the industry at large.
24×7: A recent CyberMDX report, conducted in conjunction with Philips, revealed that although nearly half of hospitals surveyed experienced an externally motivated shutdown in the previous six months, only 11% have cybersecurity as a high-priority spend. What’s your response to this?
Cohen: Hospitals have very tough decisions when it comes to their IT budgets. Critical healthcare initiatives like telehealth and remote patient care, for example, are always competing for those dollars. In the past, the decision was easier because the healthcare industry was not under attack by cybercriminals, but today, the continued scale and sophistication of cyberattacks against healthcare have caused the math to change. A successful attack against a healthcare organization can cost millions in lost profits.
Beyond that, it can also shut down patient care. While the dangers of directly impacting the operations of an infusion pump or anesthesia machine are obvious, attacks can also prevent access to patient history/medicine and significantly delay healthcare when it’s needed most (e.g., cause cancellations of critical treatments or cause emergency patients to be redirected to other facilities).
Leadership teams need to shift their mindsets to reflect the new reality, and focus resources on protecting the most critical assets and vulnerabilities to keep the delivery of healthcare continuous. It’s important that at the highest levels of the organization, measurement is being done against the holistic problem, not just the needs of individual teams or departments. In the end, cybersecurity is the responsibility of every person in the organization.
24×7: What do you want to tell HDOs that claim that they can’t afford to invest in cybersecurity?
Cohen: Hospitals are in a very difficult place with regard to their budgets. With only so much funding to go around, choosing to upgrade their cybersecurity could come at the expense of investing in new health technologies or in purchasing a new device for direct patient care.
Understanding the dilemma and the restrictions many healthcare IT and biomedical professionals have on their time and budgets, CyberMDX has created new offerings that leverage the capabilities of our Healthcare Security Suite and empower them to start now. This includes Freemium Edition, a single-user edition that provides immediate access to a view of a hospital’s IoT and medical device inventory at no cost.
For hospitals that have limited funds, we have also created a Basic Edition, which gives them access to a live and continuous device inventory. With it, they can automate asset tags, access asset level threat analysis, and get basic threat detection and response capabilities at an economical price point that any hospital can afford.
24×7: What else should 24×7 readers know about the medical device cybersecurity sector and CyberMDX, in particular?
Cohen: To start, they should know that security risks are not only here to stay, but likely to grow more challenging. Telehealth and remote patient monitoring will expand the threat surface and attackers will continue to think of new ways into your network with thousands of new choices. It’s also worth noting that after years of underinvestment in cybersecurity, healthcare organizations must now work harder to close the gaps and prepare responses.
CyberMDX was founded as and continues to be a mission-based organization. That mission is to enable healthcare delivery organizations worldwide to provide quality care by securing and protecting the systems and devices they rely on every day to treat illnesses and save lives.
Connected medical and IoT devices present a massive challenge for hospital security personnel, but our track record for innovation and leadership position in the IoT security space is helping hospitals around the world secure their devices and ultimately drive patient care and safety. CyberMDX protects the things that protect human lives. Now, as a Forescout company, we are far more empowered to extend our reach and resources to deliver that mission with greater benefit and efficiency. We’re very excited to serve them and keep them safe.