Six Degrees of IoT: In a Hyper-Connected World, How can Health Care and Life Sciences Firms Keep Data Safe? | Deloitte US
By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP
Remember six degrees of separation? This is the idea that every person on the planet is no more than six social connections away from any other. If each person on the planet knows at least 44 others, the number of potential contacts tops seven billion in just six steps (44 to the sixth power).1
Similarly, the Internet of Things (IoT) can connect people, their devices, and their data to clinicians, health systems, pharmaceutical companies, researchers, medical device manufacturers, and other stakeholders via the internet. While this emerging era of interconnectivity could be a huge step forward, it also creates a substantially larger attack surface for cyberattacks.
I recently moderated a webinar that looked at some of the potential risks created by this cyber-everywhere environment. We also discussed strategies life sciences and health care companies can use to identify and safeguard their digital crown jewels. During the presentation, my colleague John Lu explained that cyber is evolving into a living, learning, interconnected system where all players in the health ecosystem are beginning to work collectively toward a common objective of seamlessly trading information back and forth.
Just a few years from now, as many as 20 billion devices could be connected to the internet (personally, I think this estimate might be a bit low).2 In health care, connected devices could generate meaningful data that might help improve medical devices and pharmaceuticals, our level of understanding, and the health of consumers. A digitally enabled pacemaker, for example, could transmit a patient’s data to a physician’s office, which might be integrated with a health system. The data generated by the device might also be collected by the manufacturer, and at some point, that information could become part of a database tapped by researchers or other stakeholders.
Breaches can be disruptive, expensive, inevitable
In 2017, hackers gained control over an internet-connected fish tank in a Las Vegas casino and used it as a backdoor into the casino’s high-roller database.3 Internet-connected sensors regulated the tank’s water temperature, food, and cleanliness. The unprotected device allowed the hackers to reach the casino’s database and transmit information to a device in a foreign country. While this might sound like an Ocean’s 11 plot, it is not. It illustrates that any unsecured internet-connected device, however trivial its purpose, can be an unlocked door for someone with criminal intent. This is even more critical as the costs associated with cyberattacks continue to escalate.
The cost of a cyberattack in life sciences and health care can be particularly devastating—especially in markets where revenues are flat or declining—and costs can add up quickly. Across all industries, the average cost of a security breach is about $3.9 million. That figure is based on an average of about 26,000 records per breach multiplied by an average cost of about $150 per record. The costs are dramatically higher in health care and life sciences, where the average cost of a breach tops $6.5 million.4 That’s 65 percent higher than other industries. This is because patient records contain quite a bit of valuable information that can be exploited.
As I noted in a My Take last May, electronic health records (EHRs) can contain a wealth of exploitable information—everything from demographic information to work history to financial information. This information can be worth substantially more on the black market than financial records and other types of data.5
Additionally, the cost of a breach can be felt for years in terms of fewer patients, lost revenue, and recovery costs. Moreover, in a heavily regulated sector like health care, the cost of responding to regulators’ questions can be dramatic.
Cyber should not be seen as an IT issue
Life sciences and health care organizations have historically viewed cybersecurity as an issue relevant only to the IT department. But as data becomes increasingly interconnected, cyber should be considered a first-order enterprise risk. Moreover, the cyber landscape appears to be evolving more quickly than cyber defenses. During the webinar, we discussed the following topics life sciences and health care professionals should consider when evaluating their cyber strategies:
The internet is making the world a much smaller place by connecting all of us (and our devices and data) in fewer than six steps. While the benefits of a cyber-everywhere environment are enormous, cyber risk is now one of the biggest threats our health care and life sciences clients face. Once stakeholders understand the potential risks in this digital world, they can be better positioned to safeguard their data, their customers, and consumers.
1. Are we really all connected by just six degrees of separation?, Science Alert, August 27, 2015
2. Ericsson Mobility Report, November 2017
3. Is your fish tank listening? A roadmap to dipping your toes in the IoT waters, TechTarget, November 10, 2017
4. Cost of a Data Breach, IBM and the Ponemon Institute, 2019
5. Security trends in the healthcare industry, IBM X-Force Research
6. Statement on FDA’s efforts to strengthen the agency’s medical device cybersecurity program, October 1, 2018
Amry is the managing principal of Life Sciences & Health Care for the Risk & Financial Advisory business for Deloitte & Touche LLP. Amry has over 26 years of diversified global experience in the private and public sectors, having served large multinational and public sector clients on many risk management and information technology related initiatives. Amry has extensive international experience, including in-country leadership roles in Australia and India. Amry has had numerous client and practice leadership roles, having worked with Pfizer, Amgen, Bayer Pharmaceutical, Genzyme Corporation, AstraZeneca, the Centers for Medicare & Medicaid Services, and the Australian Regional Public Health System. He was also the National and Global Security & Privacy leader for life sciences. Amry’s specialties include risk management, systems integration, internal controls transformation, and talent management. Amry has a bachelor of science degree in accounting and is also a certified information systems security professional, certified in risk and information systems control, a certified information systems auditor, and a certified practicing accountant (Australia).