Posted: 15 Oct. 2019

Six degrees of IoT: In a hyper-connected world, how can health care and life sciences firms keep data safe?

By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP

Remember six degrees of separation? This is the idea that every person on the planet is no more than six social connections away from each other. If each person on the planet knows at least 44 others, the number of potential contacts tops seven billion in just six steps (44 to the sixth power).[1]

Similarly, the Internet of Things (IoT) can connect people, their devices, and their data to clinicians, health systems, pharmaceutical companies, researchers, medical device manufacturers, and other stakeholders via the internet. While this emerging era of interconnectivity could be a huge step forward, it also creates a substantially larger attack surface for cyberattacks.

I recently moderated a webinar that looked at some of the potential risks created by this cyber-everywhere environment. We also discussed strategies life sciences and health care companies can use to identify and safeguard their digital crown jewels. During the presentation, my colleague John Lu explained that cyber is evolving into a living, learning, interconnected system where all players in the health ecosystem are beginning to work collectively toward a common objective of seamlessly trading information back and forth.

Just a few years from now, as many as 20 billion devices could be connected to the internet (personally, I think this estimate might be a bit low).[2] In health care, the information produced by connected devices could yield meaningful data that might help improve medical devices and pharmaceuticals, our level of understanding, and the health of consumers. A digitally enabled pacemaker, for example, could transmit a patient’s data to a physician’s office, which might be integrated with a health system. The data generated by the device might also be collected by the manufacturer, and at some point, that information could become part of a database tapped by researchers or other stakeholders.

Breaches can be disruptive, expensive, inevitable

In 2017, hackers gained control over an internet-connected fish tank in a Las Vegas casino and used it as a backdoor to enter the casino’s high-roller database.[3] Internet-connected sensors regulated water temperature, food, and the cleanliness of the tank. The unprotected device allowed the hackers to access the casino’s database and transmit information to a device in a foreign country. While this might seem like an Ocean’s 11 plot, it is not. It illustrates that any unsecured internet-connected device could be an unlocked door for someone with criminal intent. This is even more critical as the costs associated with cyberattacks continue to escalate.

The cost of a cyberattack in life sciences and health care can be particularly devastating—especially in markets where revenues are flat or declining—and costs can add up quickly. Across all industries, the average cost of a security breach is about $3.9 million. This assumes an average of 26,000 records per breach multiplied by the average cost of each record, which is about $150. The costs are dramatically higher in health care and life sciences where the average cost of a breach tops $6.5 million.[4] That’s 65 percent higher than other industries. This is because patient records contain quite a bit of valuable information that can be exploited.

As I noted in My Take last May, electronic health records (EHRs) can contain a wealth of exploitable information—everything from demographic information to work history to financial information. This information can be worth substantially more on the black market than financial records and other types of data.[5]

Additionally, the cost of a breach can be felt for years in terms of fewer patients, lost revenue, and recovery costs. Moreover, in a heavily regulated sector like health care, the costs to respond to questions can be dramatic.

Cyber should not be seen as an IT issue

Life sciences and health care organizations have historically viewed cybersecurity as an issue relevant only to the IT department. But as data becomes increasingly interconnected, cyber should be considered a first-order enterprise risk. Moreover, the cyber landscape appears to be evolving more quickly than cyber defenses. During the webinar, we discussed the following topics life sciences and health care professionals should consider when evaluating their cyber strategies:

  • Define your most valuable digital assets: Organizations need to identify and prioritize their most valuable data that would likely disrupt the business if stolen. This can include patient data, applications, and systems. For hospital systems and health plans, this might be patient/member data. In life sciences, it could be intellectual property.
  • Keep up with cyber-related regulations: Several federal government agencies have taken a renewed interest in cyber and have engaged the assistance of medical device manufacturers and other stakeholders within the health care community. For example, in October 2018, one agency released a revised draft guidance on premarket considerations for medical device cybersecurity.[6] The guidance refines expectations related to the cybersecurity considerations a manufacturer should adhere to during the design and development of a medical device.
  • Build threat intelligence and analytics capabilities: Stakeholders should understand potential threats and develop plans for responding. Consider penetration testing when designing devices or implementing new IT systems. The idea is to try to hack a device or system before it becomes connected to the internet to make sure it is resilient.
  • Minimize internal threats: Health care is an industry where people inside the organization pose a bigger threat than outsiders. Nearly 60 percent of cyber-related incidents in the health sector involve someone from inside the organization. According to our research, Communicating the value of cybersecurity to boards and leadership, organizations identified hosting regular cyber threat simulations as a top practice for educating employees.

The internet is making the world a much smaller place by connecting all of us (and our devices and data) in fewer than six steps. While the benefits of a cyber-everywhere environment are enormous, cyber risk is now one of the biggest threats our health care and life sciences clients face. Once stakeholders understand the potential risks in this digital world, they can be better positioned to safeguard their data, their customers, and consumers.

Endnotes
1. Are we really all connected by just six degrees of separation?, Science Alert, August 27, 2015
2. Ericsson Mobility Report, November 2017
3. Is your fish tank listening? A roadmap to dipping your toes in the IoT waters, TechTarget, November 10, 2017
4. Cost of a Data Breach, IBM and the Ponemon Institute, 2019
5. Security trends in the healthcare industry, IBM X-Force Research
6. Statement on FDA’s efforts to strengthen the agency’s medical device cybersecurity program, October 1, 2018

Amry Junaideen

Managing Principal | Deloitte & Touche LLP

Amry is the managing principal of Life Sciences & Health Care for the Risk & Financial Advisory business for Deloitte & Touche LLP. Amry has over 26 years of diversified global experience in the private and public sector, having served large multi-national and public sector clients on many risk management and information technology related initiatives. Amry has extensive international experience, including in-country leadership roles in Australia and India. Amry has had numerous client and practice leadership roles, having worked on Pfizer, Amgen, Bayer Pharmaceutical, Genzyme Corporation, AstraZeneca, the Centers for Medicare & Medicaid Services, and the Australian Regional Public Health System. He was also the National and Global Security & Privacy leader for life sciences. Amry’s specialties include risk management, systems integration, internal controls transformation, and talent management. Amry has a bachelor of science degree in accounting and is also a certified information systems security professional, certified in risk and information systems control, a certified information systems auditor, and a certified practicing accountant (Australia).