Rethinking Medical Device Security: How to Increase Business Buy-in

Originally published on Forbes, November 19th, 2021

Healthcare-related breaches increased by 50% during the first year of the pandemic, bringing the vulnerabilities of medical products to center stage. But the budgets of chief product security officers (CPSOs) have not grown in step with the damage those attacks can cause.

Do businesses need to change the way they manage security, or can CPSOs achieve more by baking security into the business plan? Let’s explore.

Mission-Critical But Highly Vulnerable

Medical devices are mission-critical to a healthcare delivery organization's (HDO's) ability to deliver care. From patient monitoring and inhalers to automated surgery, medical devices are improving the quality of treatment patients receive, enabling people to manage their own health and even saving lives.

Therefore, HDOs need to be able to rely on medical device manufacturers to provide them with secure devices, both in terms of data privacy as well as device functionality.

Earlier this year, cancer care was disrupted across the U.S. when cyberattackers disabled the machines that deliver radiotherapy to cancer patients.

However, CPSOs at medical device manufacturers (MDMs), who are responsible for the security of a device's design and development, are finding it challenging to get buy-in from their own organizations.

While security is key to a product’s long-term success and for building trust in the healthcare manufacturer brand, it is still not considered part of the product DNA. In practical terms, this means security isn’t being sufficiently prioritized in the product roadmap and the development lifecycle, or included in cross-business initiatives.

While this all-too-common challenge puts users in every industry at risk, it is especially acute in healthcare. A passive approach to security does not just affect the MDM's financial statement. Downtime caused by a security breach could cost lives.

You need to find a way to make security a first-class citizen in the business plan to ensure the topic gets sufficient attention and engagement from all departments.

A Hidden Opportunity

What if device manufacturers changed their approach to medical device security? As most of us know, positive campaigns are more effective than negative ones. By turning security into an engine of business growth instead of a grim reminder of an inevitable doomsday, CPSOs could get the resources they need to secure their devices.

Security has business value that can fit into the product’s strategy and marketing positioning. It’s just a matter of changing the mindset.

Potential Sales Increases Based On Security

First and foremost, brand awareness of data privacy and product safety capabilities can turn security into an enabler for customer trust. With the growing number of attacks that are getting media coverage, it’s reassuring for customers (hospitals, clinics and patients) to be able to rely on a secure device.

Putting security capabilities front and center also positions the MDM as an industry leader and provides a competitive advantage compared to other companies that are lagging behind on their security measures.

Finally, promoting security values in marketing programs shows that these manufacturers are listening to the voices of customers and finding solutions to their concerns.

This is a sure path to long-term loyalty. By following these ideas, security can be treated as a core business pillar that contributes to the product's ROI instead of a painful line in the budget.

This is not just a thought experiment. A leading healthcare manufacturer I worked with was able to increase sales by 15%-20% annually in 2020, thanks to marketing campaigns that highlighted the data safety capabilities of its devices.

The Next Steps In Your Medical Device Security Business Plan

Building a go-to-market product security campaign is a company-wide effort that involves stakeholders from multiple departments. Here is how to get the initiative up and running.

1) Mapping: Start with an inventory of your products and their features. Include which security measures are in place for each and how effective they are. You may already have this from when you built your security plan.

2) Identification: Identify your security strengths and list the features you have successfully secured, such as maintaining data confidentiality and integrity or securing API calls. This list is what the business will leverage.

3) Prioritization: Prioritize the list according to the positive impact these features will have on the business and patient well-being. When prioritizing, include feedback you’ve heard from customers about how security helps them feel safe. These capabilities will be communicated to your customers as part of your product positioning in the market.

4) Go-To-Market Strategy: Connect with sales and marketing and share your findings. Work together to build a strategy for promoting security features to your customers. Track results for at least three months.

5) Integration Of Product Security Into The Development Process: Following a successful campaign, use the demonstrated ROI to introduce new policies and processes in both preproduction and postproduction. Shift security left by integrating it into the SDLC and your CI/CD pipelines. Then validate your SBOM against what you actually ship and run binary analysis on the device image. Finally, analyze the open-source and commercial packages engineering uses so you can detect and remediate known vulnerabilities in them. After release, continuously monitor threats and respond to incidents immediately through your security operations center. In addition to raising brand awareness, these actions will also help reduce time to market.
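The "validate your SBOM" and "analyze the OSS code and commercial packages" parts of step 5 are where a product security team usually starts in practice, so here is a worked example of both checks. This is added example code, not code from the article or from any manufacturer it describes. It uses a constructed CycloneDX-style SBOM, constructed in-memory "shipped" library contents in place of a real firmware image, and placeholder advisory identifiers (EXAMPLE-ADV-0001 and EXAMPLE-ADV-0002 are not real vulnerabilities); the component-name-to-filename convention (`name + ".so"`) is an assumption made for the example.

```python
"""Added example (not from the original article): validate a CycloneDX-style
SBOM against the binaries actually shipped, then match the declared components
against an advisory feed. All data is constructed inline; the advisory IDs are
placeholders, not real CVEs."""
import hashlib
import json
import re

# Constructed "shipped firmware image" contents: filename -> bytes.
# In a real pipeline these come from the build output or from binary analysis
# of the device image; here they are short byte strings so the example runs.
SHIPPED_FILES = {
    "libtls.so": b"tls-library-build-2.4.1",
    "libjson.so": b"json-library-build-1.9.0",
    "libcrypto-legacy.so": b"legacy-crypto-build-0.9.8",
    "libcompress.so": b"compress-library-build-3.0.2",  # never declared in the SBOM
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed SBOM in the CycloneDX JSON shape (subset of fields).
# libtls's digest is deliberately stale: it was computed for build 2.4.0 while
# the shipped file is 2.4.1. That drift is exactly what SBOM validation must
# catch before an image reaches a hospital.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libtls", "version": "2.4.1", "purl": "pkg:generic/libtls@2.4.1",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"tls-library-build-2.4.0")}]},
        {"name": "libjson", "version": "1.9.0", "purl": "pkg:generic/libjson@1.9.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"json-library-build-1.9.0")}]},
        {"name": "libcrypto-legacy", "version": "0.9.8",
         "purl": "pkg:generic/libcrypto-legacy@0.9.8",
         "hashes": []},  # declared, but with no digest to verify against
    ],
}

# Constructed advisory feed with placeholder IDs. "fixed_in" is the first
# version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_prefix": "pkg:generic/libjson", "fixed_in": "1.9.2"},
    {"id": "EXAMPLE-ADV-0002", "purl_prefix": "pkg:generic/libtls", "fixed_in": "2.4.0"},
]

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the constructed data."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def component_file(component: dict) -> str:
    # Assumed naming convention for this example: component name + ".so".
    return component["name"] + ".so"

def validate_sbom(sbom: dict, shipped: dict) -> list:
    """Compare each declared component's SHA-256 with the shipped artifact and
    flag artifacts that ship without any SBOM entry."""
    findings = []
    declared = set()
    for comp in sbom["components"]:
        fname = component_file(comp)
        declared.add(fname)
        digests = {h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        if fname not in shipped:
            findings.append(("missing_artifact", comp["name"]))
        elif not digests:
            findings.append(("no_hash", comp["name"]))
        elif sha256_hex(shipped[fname]) not in digests:
            findings.append(("hash_mismatch", comp["name"]))
    for fname in shipped:
        if fname not in declared:
            findings.append(("undeclared_artifact", fname))
    return sorted(findings)

def match_advisories(sbom: dict, advisories: list) -> list:
    """Return (component name, advisory id) for every declared version that is
    below the advisory's fixed_in version. The '@' in the prefix match keeps
    'libjson' from matching a hypothetical 'libjson-extra'."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["purl"].startswith(adv["purl_prefix"] + "@") and \
               parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], adv["id"]))
    return sorted(hits)

if __name__ == "__main__":
    print(json.dumps({"sbom_findings": validate_sbom(SBOM, SHIPPED_FILES),
                      "advisory_hits": match_advisories(SBOM, ADVISORIES)}, indent=2))
```

Run as-is, the validation reports a stale hash for libtls, a component with no digest (libcrypto-legacy) and an undeclared shipped artifact (libcompress.so), and the advisory match flags libjson 1.9.0 as affected by EXAMPLE-ADV-0001 while libtls 2.4.1 is correctly not flagged because it is at or above the fixed version. In a CI/CD pipeline the same two functions would run on the real build output and a real advisory feed, and any non-empty result would fail the build.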

By making security a joint marketing and sales activity, security teams can deliver positive ROI and make security a key component of the business strategy. Security advocates will come from product, marketing, sales and customer success teams to help leverage security for what it truly is: a strong enabler for business.