Leveraging cybersecurity data to drive capital planning strategies 

Part 3 of a 3-part series 

October 1, 2021

Cybersecurity isn’t just an IT concern. It impacts every facet of the health system. The first part of this series focused on the importance of medical device inventory visibility, and part two demonstrated how that enhanced visibility impacts the overall cyber risk posture. The final piece to this series focuses on how to leverage that objective cybersecurity risk data to support strategic capital planning decisions. 

Financial pressures facing hospital systems 

Over the last several years, U.S. hospital operating margins have been on a steady decline,(1) and in the wake of COVID-19, nearly 50% of health systems are deferring capital expenditures to offset the long-term financial impact of the pandemic.(2) On top of that, the Internet of Medical Things (IoMT) market is expected to grow to $285.5B by 2029, with an annual growth rate of 28%,(3) meaning hospitals are facing increasing pressures to balance tighter capital budgets against growing medical equipment purchase needs.  

With less money to go around, all departments—including IT—are feeling the strain. Cybersecurity breaches could render devices unavailable for use causing delays in patient care and, consequently, gaps in revenue streams. Medical equipment deemed to be high risk or vulnerable could incur costly repairs or need to be replaced altogether, resulting in unforeseen capital expenses. Health systems must be more strategic than ever with their capital dollars, and the cybersecurity impact on clinical assets should be an essential consideration for medical equipment capital planning.  

The role of the cyber risk score in capital planning 

Medical device cybersecurity is highly complex and translating the impact of various cyber elements of a specific medical device to make clear replacement planning decisions can be challenging. The TRIMEDX CYBER Risk Score is a dynamic algorithm that provides a numerical score based on device-specific risk assessment to provide an objective measurement of how vulnerable that device may be to cybersecurity attacks.  

The TRIMEDX CYBER Risk Score not only provides valuable insights into the vulnerability of specific devices that help proactively protect against cyber-attacks, but it can also be used to support data-driven capital planning decisions. An objective cyber risk score on each device is only one of the data inputs that can help drive strategic decision-making. When integrated with device profile and performance data captured through clinical engineering and device utilization captured through an IoMT security platform that monitors network activity in real-time, health systems can arm themselves with the data necessary to optimize the entire capital planning and budgeting process. 

Data-driven clinical asset inventory optimization 

A comprehensive clinical asset management program can transform the capital planning process from the traditional mindset of replacement planning to complete inventory optimization that maximizes budgets and drives financial savings. 

The TRIMEDX RUDR ScoreSM is a sophisticated, proprietary algorithm that incorporates the TRIMEDX CYBER Risk Score, along with a multitude of device data points such as parts availability, device criticality, repair events, remaining useful life, FDA alerts & recalls, downtime, and device utilization to prescribe objective recommended actions for replacement, upgrade, disposal or reallocation of each device.  

Most devices are replaced well before they have exceeded the end of their useful life, due to basing replacement decisions off single data points like depreciation or downtime. In reality, many devices simply need firmware or other software upgrades to improve their risk exposure. The TRIMEDX RUDR Score highlights the devices that have upgrades available, with the goal of keeping the devices up and running longer. Extending the useful life of devices beyond full depreciation, maximizes capital investments and positively impacts net income by deferring capital expenditures through capital planning activities. 

With prescriptive and data-driven recommendations, health systems can focus on fully optimizing their clinical asset inventory, which in turn improves operational efficiencies, reduces operating costs and maximizes capital spend. 

Impact of supplier cyber performance on financial savings and operational efficiency 

The cybersecurity performance of medical equipment manufacturers is an important, but often overlooked, factor in the capital planning process. Before any equipment is purchased, the different manufacturers should be evaluated on their responsiveness to cyber vulnerabilities impacting their devices.  

As part of the comprehensive cybersecurity solution, TRIMEDX provides a supplier scorecard that objectively assesses medical equipment manufacturers on the number of devices that are currently impacted by vulnerabilities, which vulnerabilities the manufacturer has provided validated patches for and the average response time for, patch and remediation response. This data can be leveraged to support which vendors have the best track records when it comes to cyber performance.  

Not only can you avoid substantial remediation costs, but you can also support supply chain best practices and drive additional financial savings. Incorporating manufacturer cyber performance evaluation into the capital planning process can help drive equipment standardization and supplier consolidation.  

A consolidated supplier list for medical equipment increases supply chain purchasing power by negotiating bulk device purchases, which also trickles down to all of the ancillary and consumable item costs. Not only can bulk discounts be negotiated, but inventory management costs and storage space can be reduced by limiting the variety of supplies in stock. 

The indirect impacts of medical equipment vendor consolidation should not be ignored. With medical equipment from fewer vendors, staff can save time that would be otherwise dedicated to training on a variety of different equipment. As a result, the staff becomes more knowledgeable with advanced equipment functionalities, which can increase the utilization of the devices. Additionally, streamlined training and usage for staff can have a positive impact on patient safety. The more comfortable staff becomes with the equipment, the more likely they are to use the devices properly for patient care. 

With the increasing importance of medical device safety and security, it’s critical for health systems to implement a comprehensive clinical asset management program that includes best-in-class cybersecurity solutions. Getting clear visibility into the complete medical device inventory is the first step to understanding the impact they have on patient care and safety. Real-time monitoring of cyber threats and end-to-end remediation allow health systems to proactively manage their cybersecurity risk posture. By combining a robust understanding of device inventory along with detailed cyber risk information, health systems can make strategic and action-oriented decisions that can positively impact their bottom line.  

To learn more about TRIMEDX’s Cyber and Clinical Asset Management solutions click here 

 

  1. Health System Operating Margins Down 39% Post-ACA Coverage Expansion: AnalysisGuidehouse, Sept. 2018 
  2. Hospitals Face Massive Losses on COVID-19 Cases Even with Proposed Increase in Federal Reimbursement, Strata, March 24, 2020. 
  3. Global Internet-of-Medical-Things (IoMT) Market Paved Way for Extensive Healthcare Modernization, Prophecy Market Insights, July 2, 2020.