Virta Labs Blog


Between the Lines at HIMSS18

Posted by Ben Ransford on Mar 12, 2018 9:08:09 AM

Cybersecurity was a big theme at this year's HIMSS expo. Becker's summary is nice.

On the one hand, everybody wants their healthcare organizations to act faster on cybersecurity. The drumbeat keeps getting louder, and everyone hopes they won't be the next to be in the news. Some analysts say the reputational cost of a breach can be ten times the size of initial fines over an uncomfortable period of years.

On the other hand, organizations of every size are having a hard time getting started. The number one reason? Budget. Security ROI arguments are famously hard to make, because what's the monetary value of something bad not happening, when it might not have happened anyway, for free? In the battle of abstract versus concrete, concrete always wins.

Medical Device Security Has an ROI

Along with the release of our BlueFlow asset security software, we've worked very hard to come up with some solid, road-tested ROI arguments that hospitals can use to drive budgets in the right direction. We're making it easier for people close to medical devices to advocate for the kind of work we all know is necessary. We couple our ROI explainer with a calculator that helps hospitals figure out the true cost of the status quo by plugging in their own numbers.

The upshot is that real ROI comes from preparedness: being proactive lowers the panic level of all security activities and helps everyone involved do a better job. We've been advocating an "eat your vegetables" strategy for a long time, but a strong story around ROI that customers can share with management makes those vegetables super tasty as well. Like kale chips (pro tip: 300°F for 25 minutes).

Medical Device Security Has a Map

The number two reason our customers give for why it's hard to get started in medical device security is that there's no roadmap. Without one, it's hard to take the first step, hard to evaluate one's own maturity, and hard to justify budget requests for future efforts. You can piece together your own plans based on a cybersecurity framework, and you can watch peer organizations struggle and try to learn from their challenges, but what we really need is a no-nonsense way to lay it out. We've seen this over and over again and we hear our customers loud and clear.

This month we'll release a security program design overview to help hospitals get started with security or advance to the next maturity level. It mentions BlueFlow, but as we've been saying forever, we're just a part (admittedly a big one). The guide lays out the rest in vivid detail.

Stay tuned!

Topics: Medical Device Security, Healthcare IT