Juuso Leinonen, principal project engineer at ECRI, an independent nonprofit healthcare research organization, captured OR Business Management Conference attendees with this message: cybersecurity is a patient safety issue. Each year, ECRI produces a list of 10 health technology hazards, and in 2022, cybersecurity attacks topped the list.
During his keynote, Leinonen defined these two key concepts:
According to the 2021 HIMSS [Healthcare Information and Management Systems Society] Healthcare Cybersecurity Survey Report, phishing (45%) and ransomware (17%) are the most significant security incidents for healthcare organizations, with impacts comprising disruption of business operations (32%), data break/leak (22%), and disruption of clinical care (21%).
Cybersecurity incidents are impacting healthcare globally. “Incidents are not every once in a while, they are pretty frequent,” said Leinonen during his keynote. “People oftentimes tend to be the weakest link in cybersecurity.”
Another door to vulnerability is medical devices, which are increasingly more network connected and difficult to maintain updated with security measures. “Medical devices are expected to last upwards of 10 years, partially because of the significant cost associated with them,” Leinonen explained. “But that is counterintuitive to keeping them secure.”
As reported in a 2021 OR Manager article, titled Patient safety and the “Internet of Medical Things (IoMT),” 60% of medical devices are at end-of-life, meaning there are no patches or upgrades available for them. The Windows 10 end-of-life is 2025; in other words, tech support for devices running with this operating system will become obsolete in just 3 years.
His keynote also cited information from the 2021 Cost of a Data Breach Report, published by IBM Security, which said that the “average total cost for healthcare (data breach) increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase.”
“Recovery costs from cyberattacks are expensive, and healthcare leads the pack of any industry,” Leinonen emphasized before discussing some simple but effective preventive best practices that facilities should implement. This year’s OR Business Management Conference attendees walked away with actionable intelligence on how to advocate for security measures with vendors and work with IT departments to protect their systems—and patients—from cyberattacks.