Investment Risks in Health Tech: What We Can Learn from the Tissue Regenix Incident
Last week saw an announcement in the Health Tech industry that should change the way we view cyber security and its business impact in all tech startups, across the board, and especially from an investor's standpoint. On January 28, the booming Health and Bio-Tech innovator Tissue Regenix announced that "its computer systems and a third-party IT service provider in the United States were accessed without authorization, sending its shares down as much as 22%" (Reuters). While some may be tempted to see this as just another enterprise breach that will come and go in the news, the facts point to the arrival of a new trend for startups: investment and stock problems that can't be mitigated by a stellar PR strategy. Investors have finally figured out that cyber risk means business risk, and what that means for everyone running a startup, regardless of your current stage of growth, is that if you don't get your act together in security and stay consistent, you stand to lose your financial footing.
Cyber Risk Emerges as #1 Risk to Your Business
In Health Tech, particularly, we have been telling ourselves that the real risk is in technologies and systems that contain Patient Health Information. This is no less true today, as patient data is not only regulated by HIPAA, but stands to damage human lives if compromised. However, all systems are vulnerable, not just because of the data they store, but because systems enable operations, and operations enable cash flow. If a system is accessed by an unauthorized user, everything that touches operations is now at risk. You won't know which systems the cyber criminals were targeting until you either perform forensic due diligence or experience a secondary attack. The compromise could even be a relatively simple one, but the resulting devastation could be in the millions. How serious is the potential impact? No one is better suited to answer questions about risk than insurance companies. After all, they are the ones who have to pay out when a crisis hits. According to the Allianz Risk Barometer 2020, published recently by the global insurance leader, cyber risk has now displaced business interruption as the top business risk globally. The. Top. Risk.
Why All Health Technology is Under Fire, Even Without PHI
Looking at this key financial risk in the context of the Tissue Regenix incident, it becomes clear that we are now past the point of being able to fool ourselves into siloing security risk in Healthcare or Health Tech to those technologies which collect and hold patient data or are IoT-connected. We now have to admit that even those Health Tech companies whose technologies hold NO patient data, such as manufacturers of ground-breaking bone graft tissues or other patient products that contain no possibility of a security vulnerability, are under fire. The reason is that any kind of security risk can put the success of their entire business at risk. Why?
Compromised Business Systems Drain Cash
Security incidents can get expensive, fast. You will need experts to manage the incident, perform a proper forensics investigation, identify vulnerabilities, and help you remediate the problems that led to the breach in the first place. If you are like many, and have not enabled and stored system logs properly, they may not even be able to find the source of the breach. If you have not been keeping up with security audits, patching, and firewall maintenance without lapses, you will need to re-allocate budgets to spend on those items, or re-allocate staff to focus on them. If you are using a less-than-secure MSP, you may find yourself in need of a new IT provider. Other identification and remediation efforts may include company-wide security audits, network segmentation, network penetration tests, monitoring solutions, endpoint protection, and so on. While this might sound overwhelming, the truth is that tech companies should be adding these layers and growing their programs incrementally from the beginning, rather than having to spend on all of these security controls at once, post-breach. What it all amounts to is that the money you thought you'd be spending on business growth, customer acquisition, and innovation development has to be rerouted to address a business emergency of the highest order.
Protecting Intellectual Property (IP) in Health Tech
Business systems maintain continuity of cash flow, yes, but they may also host information about highly valuable, proprietary technologies or new rollouts: your company's treasure chest. In a vertical like Health Technology, where success means survival, and survival means having the strongest IP, corporate spying becomes an issue. If your technology, and even your daily operations, are compromised, you can't keep your edge over the competition. Even if your competitors can just find out a new product's general capabilities and its target rollout date, they can gain the edge over you in timing and push something out to disrupt the market before you do. That information is typically available in systems that are as easy to hack as an email account. So yes, your operational systems need to be secured, even if your actual formulas or application code are locked down.
Speed-to-Market is Everything in Health Tech
If cyber thieves can tie you up with the chaos that comes with a security incident, your competition has a chance to play catch-up. Speed-to-market is crucial in Health Tech. New products that interact directly with patients must undergo longer testing phases than in any other field, with efficacy and safety tests reaching hundreds per month, so any delay can cause a severe interruption in cash flow. These testing and development times are, for Health Tech companies, a sort of gauntlet that separates the "good ideas" from the profitable ones. If you don't have enough cash reserve to support such extensive testing periods and still pay your staff, you aren't going to survive the final runway between the innovation phase and actually getting your products on the market. If you are already on the market, you may struggle to invest in the kind of marketing and sales programs necessary to secure a stronger share of the market, given that you are now investing those funds in getting your security program up to speed. One thing is certain: your investors are not going to sit by idly. They will want evidence, proof that your efforts to secure your environment have not only been successful, but can be validated by industry professionals.
Why Would Innovative Tech Companies Outsource IT?
Now that the sheer cost of a cyber security incident to your business has been illuminated, along with the reasoning behind investors' changing attitudes towards security in general, you may be asking yourself why Tissue Regenix was using outsourced IT to begin with. Typically, we associate MSPs with small businesses that don't have their own internal technology teams. In Health Tech, however, leadership tends to spend every last technology dollar on product or application development, leveraging internal technology teams to focus on the proprietary aspects of the technology itself. So, while it is true that some of the most brilliant IT minds on the planet are working in Health Tech as Technology Directors, those folks are overloaded with demand for innovation. Who has time to babysit the servers? Or so the logic goes. Further, it is simply more cost-efficient for companies who are running lean (as most tech companies do until well past Series A) to outsource IT. Using an MSP helps these companies direct their dollars where they count the most, at least until they are a raging enterprise.
So, the real question we should be asking is not why Tissue Regenix was using an MSP, but why the IT provider was not vetted more thoroughly. For an MSP, being compromised in such a way that your clients' environments are exposed points to some serious errors in daily management practices. When vetting partners and vendors, it is essential to dig past your provider's written security policies, because everyone says they are doing a great job, especially on paper, and evaluate the actual day-to-day security practices in detail. Taking the time to do this is absolutely a worthwhile endeavor and budget line item.
Investors Want Proof of Your Cyber Security Posture
What does all this mean for tech startups who are trying to grow? When a Health Tech company is operating in transitional mode, having surpassed its Seed Money stage and working to mature its technology offerings with Series A funding, it is absolutely essential to stop and spend time maturing its security program as well. In fact, investors are becoming less willing to even dole out Series A funding to begin with until startups can fully validate a robust security program that is being constantly maintained and updated. Big money investors like Goldman Sachs, for example, require a full penetration test before they will even BUY your technology. If you want their investment funds, you are going to have to demonstrate not just that you have completed yearly Security Assessments and Security Testing, but also that the team who performed the assessments or tests is highly qualified and experienced in their field. Be prepared to justify your vendors.
True Digital Security specializes in helping Health Tech companies architect secure environments that are meant to scale with the business, as well as building robust security programs. TRUE's around-the-clock network monitoring solutions include Managed Detection and Response (MDR), Managed Security Information and Event Management (SIEM), and Network Security Monitoring (NSM), all of which are tailored to meet the custom needs of our clients. Further, the TRUE Risk Advisory and Security Testing teams perform everything from specialized compliance and security audits and validation testing to consultation designed to help you implement best security practices. Finally, TRUE offers a full suite of managed and project-based IT services. Our IT engineers are highly trained to support the needs of Healthcare and Health Tech companies who need to run highly secure systems whose patches don't lapse, whose firewalls are constantly well-maintained, and whose networks are designed and configured to be security-first at every layer.