The Detrimental Impact of Tech Debt in the Healthcare and Life Sciences Industries

The following is a guest article by Mindy Herman, Managing Principal, Health & Sciences at Crowe, and Jasmine Fransen, Consulting at Crowe
Medical devices are foundational components of exceptional patient care, and they help healthcare and life sciences organizations achieve remarkable feats of discovery, research, and problem-solving to save and improve lives. An organization’s investment in a piece of technology such as the latest MRI machine, a patient monitoring platform, or a laboratory instrument is meant to improve patient care opportunities and advance the organization’s capabilities to serve its community and customers. Once these technologies are adopted, organizations rely on them and expect them to function consistently and with integrity.
How the Industries Got into Tech Debt
Medical devices and custom medical processes undergo strict scrutiny to ensure quality and consumer safety. The functionality of these devices must be stable, and any change or upgrade requires extensive quality assurance, so updating the underlying components of the technologies is not always prioritized. Technical debt (tech debt), meaning the deferred maintenance and upgrades of a system, is commonly accrued in the healthcare and life sciences industries. Often, leaders must choose between maintaining systems that function consistently and have already undergone the arduous process of quality assurance or other attestation, and upgrading or replacing those systems and having to recertify regulated systems, which might require downtime as well as investing in IT resource hours and costly replacements.
Successfully replacing or upgrading solutions requires involved projects to rethink and reprioritize clinical workflows, obtain multimillion-dollar replacements, and allocate extensive project management resources and technical expertise hours. But if the technology is functioning as is, what is the real driver for an organization to undertake such projects? Until recently, even medical device manufacturers were not required to have a plan for maintaining supported systems or addressing vulnerabilities in medical devices to achieve U.S. Food and Drug Administration (FDA) clearance. The healthcare industry and biomedical device fields often prioritized keeping devices as static as possible to support clinical quality testing and FDA clearance requirements once manufactured.
Is Paying off Tech Debt Worth It?
An unfortunate side effect of these industry challenges is that some of the most heavily relied upon medical devices in use leverage unsupported and legacy operating systems with inherent vulnerabilities that are highly susceptible to cybersecurity threats. The Verizon “2024 Data Breach Investigations Report” noted a 180% increase in exploitation of vulnerabilities compared to the previous year, also stating the reasons for these attacks were primarily ransomware and other extortion-related threats.
Healthcare and life sciences organizations, critically interconnected, are already some of the most vulnerable to cybersecurity attacks due to the complex networks and infrastructure, the need for advanced availability, the value of records and sensitive data, and the critical processes being supported. The goal of providing and supporting patient care is one of the main reasons the industry is vulnerable. Because the healthcare industry needs to do anything possible to minimize harm to and impact on life-sustaining and supportive processes, healthcare organizations are often willing to pay ransoms to ensure the continuity of care.
From a cyber-economic perspective, the financial impacts related to vulnerabilities and potential exploitation are substantial. Even in the unlikely scenario where all other cybersecurity safeguards and controls in these industries are mature, the risks associated with unsupported devices can result in significant financial losses. The cyber risk management solution X-Analytics, from Secure Systems Innovation Corporation (SSIC), places tangible monetary values on potential losses and makes the business case for addressing cybersecurity risks by highlighting the return on investment (ROI) of a comprehensive cyber risk management strategy within the context of the wider business strategy.
As an example, a health system with an annual revenue of $2.5 billion and average IT landscape complexity and threat exposure with theoretically “perfect” cybersecurity maturity ratings for all control areas other than vulnerability management processes presents an estimated $2.7 million in cyber exposure. Of that exposure, 59% is attributed to data breach potential, 23% is attributed to ransomware risk, and 18% is attributed to interruption loss categories. The key takeaway is that a theoretically perfect cybersecurity program that does everything right but is unable to effectively manage and remediate vulnerabilities in the environment (like those caused from maintaining end-of-life operating systems) presents $2.7 million in cyber risk exposure.
However, maintaining a perfectly implemented and mature program is not a reality, so a more realistic scenario assumes an overall maturity level at a 3 on a scale from 1 through 5 against the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1. In this example, the overall total (median) cyber exposure is about $19.9 million a year. Enhancing threat and vulnerability management controls to address cybersecurity deficiencies in critical IT assets effectively represents a $5.5 million cyber exposure benefit. These legacy devices, sometimes more than a decade out of service, continue to pose threats of exploitation and failure. In this example scenario, spending just under $5.5 million on addressing vulnerability management deficiencies and implementing a robust vulnerability management program (on top of the annual IT budget allocated) would still present a positive ROI through cyber economic risk exposure decreases. This cyber economic risk information makes clear that it is a financially worthy endeavor to upgrade or replace vulnerable and legacy systems.
Another factor in determining the worth of addressing vulnerabilities is the fact that consumers and patients have little tolerance for cybersecurity lapses. Recent high-profile cyberattacks have highlighted that leadership in healthcare and life sciences is expected to prioritize cybersecurity, adequately fund necessary upgrades, and ensure the resolution of potential threats to clinical processes and patient data. Failure to do so can lead to severe reputational damage and loss of trust. Messaging around a data breach or clinical process interruptions caused by vulnerabilities in a server that is decades old will not be well received by the public, and leadership will be questioned as to why funding for upgrades to these vulnerable machines was not prioritized in all that time.
Get Ahead of the Problem
Addressing tech debt, especially when it’s related to clinical and life-supporting technologies, can be a daunting task. It is vital that the healthcare and life sciences industries identify the depth and breadth of the risk to address it immediately rather than waiting for cybersecurity and outage incidents in the future and then identifying tech debt as the root cause. To move into a more secure and stable clinical technology environment, an organization can pursue the following objectives:
Be Aware of Vulnerable Devices
While tech debt is not limited to unsupported devices and operating systems, they are a great place to start for identifying vulnerable assets before they become unstable or nonoperational. Inventorying and quantifying the risk around maintaining these vulnerable devices can provide clarity on prioritization.
Understand the Options
Many paths might lead to tackling tech debt, and identifying the options and the level of investment necessary for those paths is the next step. Perhaps upgrades are available from the manufacturers. Perhaps the organization has already adopted a comparable technology that can replace the aged or unstable technology. Perhaps the process the technology is supporting is no longer critical and may be deprecated.
Understand the Business Case
Vulnerable operating systems often support the most complex and custom clinical processes or high-value revenue streams. Reduction in tech debt might come with some quick wins in which previously unknown and vulnerable devices can be replaced, deprecated, or upgraded with ease. Depending on the business case supported by these technologies, the organization might be willing to maintain individual devices (with appropriate compensating controls in place) for longer periods of time to facilitate a strategic change or sustain critical processes as is through a critical timeline. In these situations, the risk of cybersecurity exploitation, data integrity and confidentiality compromises, and technology outages must be measured and fully understood by the organization and business leaders to determine the next steps.
Gain Buy-In from the Decision-Makers
IT and cybersecurity stakeholders must communicate the urgency of this issue to the appropriate decision-makers. Presenting the current top risks, the status of support for critical assets, and the specific risks associated with outdated systems is essential. When cybersecurity incidents occur, healthcare and life sciences CEOs and presidents will be held accountable for the decisions made to maintain and secure the IT infrastructure and consumer and patient data. Leaders must understand that allowing systems with known vulnerabilities to remain in use will likely be seen as cybersecurity negligence if those systems are exploited.
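The four objectives above (inventory unsupported devices, weigh the available options, account for compensating controls and clinical criticality, and present a ranked list to decision-makers) can be turned into a simple, repeatable prioritization. The following is an added illustration, not code from the authors, Crowe, or X-Analytics; the device inventory, weights, and the rule that a supported OS scores zero are constructed assumptions, and the vendor support-end dates should be verified against the vendors' own lifecycle pages.

```python
"""Rank medical-device tech debt by risk and remediation effort (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates (assumption: confirm against vendor lifecycle data).
OS_SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Cheapest path first when risk ties: a "quick win" beats a multimillion-dollar replacement.
EFFORT = {"deprecate": 1, "upgrade": 2, "replace": 3, "none": 4}

@dataclass
class Device:
    name: str
    os: str
    clinical_criticality: int    # 1 (administrative) .. 5 (life-sustaining process)
    network_exposed: bool        # reachable from the general hospital network
    compensating_controls: bool  # segmented, monitored, access-restricted
    option: str                  # remediation path identified: one of EFFORT's keys

def is_unsupported(os_name: str, today: date) -> bool:
    """True when the OS has passed vendor support. Unknown OS is an inventory gap, not a flag."""
    end = OS_SUPPORT_END.get(os_name)
    return end is not None and end < today

def risk_score(d: Device, today: date) -> float:
    """Constructed weighting: criticality, years out of support (capped), exposure, controls."""
    if not is_unsupported(d.os, today):
        return 0.0
    years_out = (today - OS_SUPPORT_END[d.os]).days / 365.25
    score = d.clinical_criticality * 2 + min(years_out, 10)
    if d.network_exposed:
        score += 3
    if d.compensating_controls:
        score *= 0.5   # controls reduce, but do not remove, the exposure
    return round(score, 1)

def prioritize(devices: list, today: date) -> list:
    """Return (device, score) pairs for unsupported devices, highest risk first."""
    flagged = [(d, risk_score(d, today)) for d in devices if is_unsupported(d.os, today)]
    flagged.sort(key=lambda t: (-t[1], EFFORT[t[0].option]))
    return flagged

# Constructed inventory for illustration only.
INVENTORY = [
    Device("MRI console", "Windows XP", 5, False, True, "replace"),
    Device("Patient monitor gateway", "Windows 7", 5, True, False, "upgrade"),
    Device("Lab analyzer server", "Windows Server 2008 R2", 3, True, True, "deprecate"),
    Device("Imaging workstation", "Windows 10", 2, True, False, "none"),
]
```

Running `prioritize(INVENTORY, date(2024, 6, 1))` places the network-exposed monitoring gateway first and leaves the still-supported workstation off the list, which is the ranked view a decision-maker needs alongside the remediation path and its cost.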
Funding and prioritizing projects to upgrade or replace vulnerable solutions is not just a strategic move but a critical step in safeguarding patient care and maintaining trust. Proactively addressing organizational tech debt is in the best interest of the patient, the consumer, and the organization. An organization in the healthcare or life sciences sector without a single unsupported system would set a new standard in cybersecurity and operational excellence.
About Mindy Herman
Mindy Herman is the managing principal of health & sciences at Crowe, where she oversees a team of trusted advisers with specializations across the entire health value chain. She advises and brings teams together for clients – including global Fortune 500 clients – to exceed objectives, build more effective and efficient programs, improve business processes, inspire creativity, protect privacy and information, apply technology, and align metrics to drive results and reduce risk.
About Jasmine Fransen
Jasmine Fransen is a cybersecurity senior manager at Crowe where she specializes in life sciences and healthcare cybersecurity governance, risk, and compliance. She uses her extensive experience in assessing and remediating cybersecurity and HIPAA compliance issues to deliver strategic support, risk operations, and governance advisory to clients of all sizes and complexities in the life sciences and healthcare industries.