How shelfware contributes to ineffective cybersecurity efforts

TRIMEDX Vice President of Cybersecurity Dennis Fridrich recently contributed an article to 24X7 Magazine detailing why visibility into vulnerabilities isn’t enough to protect health systems from cyberthreats. The full article, as it appeared on Jan. 2, 2024, is below.

Healthcare organizations are facing more cyberattacks than ever before. Attacks on healthcare organizations were up 86% in 2022, compared to the year prior. Because of this, health systems are investing substantial resources in cybersecurity tools like medical device security platforms (MDSPs) to protect themselves and their patients. However, Vigilor from TRIMEDX has found health systems often underutilize or don’t even use these technologies.

Software that is unused or underutilized is known as “shelfware.” Accumulating cybersecurity shelfware can be a costly problem resulting in serious consequences for health systems. To avoid shelfware, make use of the valuable insights MDSPs provide, and guard against cyberattacks, hospitals should establish a comprehensive medical device cybersecurity program.

Visibility Isn’t Enough To Protect Against Cyberattacks

Businesses around the globe are spending more on cybersecurity in the face of growing attacks. Worldwide spending on cybersecurity solutions and services is expected to reach nearly $300 billion in 2026, according to the International Data Corporation. Healthcare is no exception.

Health systems are wisely becoming more focused on strengthening their cyber-risk posture. Often, one of the first steps is to purchase an MDSP. These platforms give the health system visibility into the vulnerabilities that exist in their medical device inventory. However, knowing the problems exist isn’t enough to stop cyberattacks before they happen.

Vigilor frequently speaks with health system executives who have invested in MDSPs and now have a slew of information about their cybersecurity risks—but they don’t have a comprehensive solution to address these risks. Sometimes health systems won’t act at all, allowing the possibility of a cyberattack to grow while MDSPs become shelfware.

When investing in MDSPs it’s critical to have the people and processes in place to make use of the insights the platform provides. For example, Vigilor recently worked with a client who knew they had roughly 36,000 potential vulnerabilities on their medical devices. While that knowledge was a good first step, they didn’t know what to do next. The sheer volume of vulnerabilities was startling for the health system.

However, the Vigilor team was able to examine the vulnerabilities and determine 49% of them were not impacting medical devices, meaning they did not need additional attention and could be resolved within the MDSP. Thirty-three percent had a known risk treatment and could be addressed right away by clinical engineering and IT teams. Eighteen percent of the vulnerabilities were waiting for original equipment manufacturer (OEM) responses. That means Vigilor, working with the health system, was able to immediately address 82% of the vulnerabilities, drastically reducing the health system’s risk as well as executives’ anxiety about looming threats.

This illustrates the importance of working with a trusted partner who has the necessary people, processes, and technology to take advantage of MDSP insights.

The Financial and Reputational Costs of Shelfware

At a time when hospital margins are very thin, shelfware can be a significant source of wasted spending. Underutilizing security platforms or even letting them go unused can have both immediate and long-term financial consequences. If a health system purchases an MDSP, but does not have a closed loop vulnerability management program addressing the risks, that money invested in the MDSP is going to waste.

Most importantly, when cybersecurity software becomes shelfware, it could contribute to ineffective cybersecurity efforts leaving health systems vulnerable to cyberthreats. The average cost of a healthcare cybersecurity breach is nearly $11 million. In the worst-case scenario, a cyberattack can interfere with life-saving patient care—the cost of which can’t be calculated.

In addition, the long-term reputational damage to a health system cannot be covered by any insurance payout. Health systems can also open themselves up to potential liability by neglecting to act, when they are aware their medical devices have vulnerabilities.

Establishing a Comprehensive Cybersecurity Program

A leading way health systems can avoid shelfware and protect themselves from cyberattacks is by building a comprehensive closed loop medical device cybersecurity program. A health system’s cybersecurity program should include inventory reconciliation, a current state assessment, and a closed-loop action plan aligned with the organization’s risk tolerance and priorities to manage vulnerabilities.

Health systems often lack visibility into their inventory, which can make tracking cyber threats extremely difficult. Establishing an accurate medical device inventory and reconciling it with data from an MDSP is critical. Once that information is available, a health system can properly assess their current risk and develop a plan to harden their defenses. A health system then needs to put people with a high-level of expertise in place to continuously monitor risks, provide strategic insights, make recommendations, and track results. Seamless integration between people, processes, and technology will take the guesswork and confusion out of medical device cybersecurity.

Partnering with a team who has medical device and cybersecurity expertise, a comprehensive library of industry data, and certified processes in place will ensure hospitals are making the most of their cybersecurity investment— ultimately lowering patient risk and improving patient safety.