Weighing Cybersecurity Risk Factors in Life & Healthcare

We don’t have to go very far back in time for a good example of one of these attacks on a healthcare or pharma organization. On June 27, 2017, Merck, one of the largest pharma companies in the world, and 2,000 other companies were hit with ransomware called Petya that infected employees’ computers across 65 countries and left a ransom note demanding a bitcoin payment to decrypt the infected files. Weeks later, the pharma giant is still trying to get its infrastructure back on track.

So, before a company like Merck – or any company for that matter – can determine a plan of action to prevent the next cyberattack, it must consider why the attack happened in the first place. With that in mind, let’s explore a few narratives that could come into play in the process of becoming a cyberattack target.

Four Narratives that Could Explain Why

  1. A decade ago, cybersecurity was all about securing the perimeter to ensure that corporate IT systems were closed to outsiders. In the past five years, however, working remotely has become more and more ubiquitous with a high percentage of employees working outside of the perimeter, accessing sensitive data through the cloud and unsecured systems, and often doing it all via a mobile device. As a result, the entire enterprise has become fundamentally more vulnerable, making it difficult to determine where the perimeter ends and the outside world begins.
  2. Healthcare and life sciences companies have long been slow to innovate when it comes to digital, and this hasn’t been helped by the fact that technology is not their core business proposition. In fact, as other industries have had to adopt new business models to grow their revenues, which typically resulted in disproportionate investment into technology, healthcare and life sciences have stayed a little behind the digitization curve.
  3. For many organizations, being slow to innovate is not by choice. Instead, it’s often for compliance reasons, like in a scenario where a business has to choose between meeting the latest regulatory standard and rolling out a new technology. In this case, the company may stay in business without the new software component, but not without meeting the regulatory standard. Indeed, compliance has long been a burden to the CIO agenda.
  4. Finally, considering the above narrative about the ever-expanding perimeter and how the June cyberattack on Merck affected so many employees, it’s worth noting that the companies making headlines for data breaches aren’t small or even medium-sized. Instead, hackers go after the biggest and, by extension, most profitable targets – companies with the highest numbers of employees, locations, and potential entry points.

How to Plan for What’s Next

Considering the size and scope of the data breach against Merck, it’s hard not to start posing what-if questions. What if they had implemented better or more security controls sooner? What if they had run a mixture of Windows and iOS to stave off Windows-attacking viruses like WannaCry and Petya? What if they had identified the virus before it made its way across the entire enterprise?

There will always be what-ifs, but with so many possible access points for a data breach, it’s nearly impossible to ever be 100% uncompromised, especially when you’re a huge company trying to balance growth and revenue with compliance and security.

It’s not easy, but it is absolutely worth your time to not only determine a plan to improve your cybersecurity, but also create a plan for how to respond if your company falls victim to a cyberattack. The best way to get started is to assume you’re already compromised, or that you’ll be compromised tomorrow at the latest, and then find a partner who can help you. The faster you make cybersecurity a priority, the better off you’ll be.


Overcoming Healthcare’s Challenges in Design Thinking

In a recent posting we discussed “journey mapping” as a tool for improving customer experiences in the healthcare sector. This week, we share thoughts on “design thinking,” an approach that is described as “a human-centered way of innovation that draws from the designer toolkit to integrate the needs of people, the possibilities of technology, and the requirements for business success,” according to design thinking guru Tim Brown, Chief Executive Officer, IDEO.

Put simply, design thinking tackles problems with the objective of always keeping people’s needs in mind while working towards solutions that also succeed from a business perspective. It does so through a process of divergent thinking – ideating, prototyping, testing – that ultimately converges on the most viable solution.

When it comes to the United States’ healthcare sector, however, applying design thinking to working with health plans and health providers is particularly challenging. Here’s why:

Firstly, the healthcare sector’s complex regulatory framework means stakeholders are sanctioned more for under-regulating than for over-regulating, so they tend to be cautious when design and regulation come face-to-face. One approach, however, is to brainstorm design challenges as if the rules simply don’t exist, and then to overlay them to see where they create pain points, adjusting the design as needed.

A second challenge when applying design thinking in healthcare is designing a service that works for an entire population. Most products and services are aimed at specific demographics. With healthcare, however, a true design solution must cater to people of varying ages, accessibility needs, income levels, language abilities, as well as housing and employment status.

One more major challenge for healthcare-related design is its multi-agency structure. A care plan for someone can involve several different providers, from a hospital to a physical therapist, all of whom need to be brought onboard during the design thinking process. Add in the growing importance of home care, the accompanying family & friends support network, and the ability to apply this concept at scale is apparent.

To combat the variables of design thinking in healthcare in the real world, it is critical that hospitals and healthcare companies prioritize prototyping and testing before implementing change. Focus groups enable concepts to be tested with a variety of patient demographics and, importantly, with service providers, sometimes overlooked in an increasingly patient-centric industry.

Real change requires stakeholders to work together, often necessitating a shift in culture and the willingness to reject “custom and practice.” For those willing to embrace change, design thinking offers a way to reconcile the needs of both patients and service providers.
