Reducing Cyber and Data Security Risks for Medical Device Manufacturers

Posted on: May 20, 2021 | By: Guy Logan | QAD Financials, QAD Manufacturing, QAD Business Process, QAD Distribution

The hard truth is that a cyber or data security event can happen to any medical device manufacturer. However, there are practices and tools that can help companies reduce their cyber and data security risks, and this article will discuss some of these safeguards. We’ll look at the potential consequences that cybersecurity events can have for medical device manufacturers, at solutions to prevent possible security breaches, and at several forms of high-profile data and how to protect it, including some options that are available to QAD users.

Cyber and Data Security Breaches – What’s the Cost to Medical Device Manufacturers?

Organizations that don’t think they are vulnerable to cyber and data security threats may wish to reconsider. A 2019 IBM report (registration required) estimated that a typical company has a 29.6% chance of experiencing a system breach in the next 24 months. In 2020, IBM also reported (registration required) that “the average cost per lost or stolen record was $146 across all data breaches.” This same report found the average cost of a data breach to be $3.86 million, with the average cost being $8.64 million for breaches in the United States. Medical device manufacturers should note that in the US, breaches were costliest in the healthcare industry, according to this same report.

All this is to say that breaches can be extremely expensive, especially for US-based medical device companies. But where is all this cost coming from? Medical device companies should note that the total cost of a data breach can be the sum of many different components, such as:

  • US or EU Federal fines
  • State and local agency fines
  • Outside counsel expenses
  • Class action lawsuits
  • Internal disruptions associated with recovery (for example, data forensics on a ½ terabyte server can be approximately $60,000)
  • Stock de-valuation for public companies
  • Cyber insurance premium increases

With all this in mind, we see the potential costs associated with failing to invest in the appropriate safeguards against cyber and data security risks. Now let’s look at some of these safeguards.

Preventing Possible Security Breaches

We hear time and time again that human error is one of the most frequent causes of security breaches. Let’s look at some solutions to this problem that require minimal investment of time or funds.

Security Awareness Training

This training provides formal cybersecurity education to an organization, covering the different security threats and the company’s procedures for dealing with them. Organizations may wish to outsource this training. One possible reason is that the users within a company may speak different languages, in which case HR or IT has no practical way to provide effective training material on policy in every language.

Multi-factor Authentication

Multi-factor authentication requires the user to provide two or more factors to gain access to a resource. It is an organization’s first line of defense when an untrained employee gives away sensitive information, and it is valuable in general because it reduces the risk of brute force attacks.

Restricting Local Administrator Privileges on End User Devices

Users may consider this a last line of defense. For example, if an untrained employee clicks on a nefarious link, these restrictions prevent unwanted items from getting installed on his or her computer, because he or she does not have the required privileges for such an installation.

Active End-Point Monitoring

End-point monitoring is the tracking of activity across all internet-connected devices in an organization so that behavior deviating from an established baseline, which may indicate malicious activity, can be detected and acted on. Especially with so many personnel working remotely, end-point monitoring may never have been more important than now. It is important for IT departments to invest in the staffing needed to respond to possible nefarious events, such as a login from an unrecognized location, but unfortunately many IT departments have struggled to invest in these measures.

Applying Security Patches

We know how important security updates can be. Vendors such as Microsoft release security updates for their applications that should be installed on the same day they are released. Organizations that cannot interrupt work may instead schedule the installation to run after hours.

High Profile Data and How to Protect It

HIPAA-Related Information

One of the main data security concerns of medical device manufacturers is protecting Health Insurance Portability and Accountability Act (HIPAA)-related information. This refers to patient data, whether clinical data or other data, and it also includes employee health background information.

Medical device companies will find that having a security framework in place is vital to achieving HIPAA compliance. If a medical device company is a business associate of a HIPAA-compliant customer (such as a hospital), the Department of Health and Human Services will demand business associate information when auditing that customer. The medical device company will then have to demonstrate its own HIPAA compliance, and to be compliant, the company must have a security framework.

Protecting HIPAA Information

There are a couple of questions that medical device companies can ask themselves as a step toward protecting HIPAA information.

The first is “Are we auditing outsourcing vendors?” A company may wish to assess what information it shares with these vendors, and potentially consider auditing these vendors to ensure that they are secure.

The second question is “Are training records concerning data management in place?” For General Data Protection Regulation (GDPR) requirements, it is mandatory that all data handlers receive data management training.

Medical device companies will also want to ask “Are we documenting the purposes for retaining data? Do we document how long the data is retained?” This will naturally lead to companies asking if such retention policies and procedures are being adhered to—and if these are documented.

Another question involves unstructured data. How much unstructured data does the organization have? Where exactly is that data? eDiscovery tools such as Veritas eDiscovery Platform can help organizations find what sensitive data exists within the company and where it is located. Then, the organization can decide how to proceed—whether that be through encrypting the device where the data is located, encrypting the data itself, or destroying the data.

Compliance auditing is another data protection angle to consider. It allows the company to see with whom the organization is exchanging data and why. Companies may wish to have either an internal audit team that specializes in data management, or to outsource this function.

Other Protected Data Potentially in QAD

  • PHI (Personal Health Information)
  • PCI (cardholder data)
  • HIPAA
  • PII (Personally Identifiable Information)
  • Protected financial data
    • Financial reporting info
    • Bank routing codes
    • Commission rates, pricing
  • Intellectual property (BOMs, routing content, etc.)
  • Other competitive information (pricing, cost of goods, test result performance, etc.)

If any of this data exists in QAD, there are potentially ways that this data can be exported. If any intellectual property is exposed, competitors can gain an advantage. The same holds true for information such as pricing information or test result performance. Therefore, companies may wish to consider this when developing their data protection scheme.

How the QAD ERP Application Can Help

There are numerous options within the QAD ERP application for bolstering security. Here we list a few. (If you have any questions regarding these options, we encourage you to reach out to us here.)

  • Segregation of Duties and Access Control (EE)
  • Customer/Supplier Transaction Blocking (EE)
  • Field Security
  • Dictionary Field Security
  • Browse Data Exports & Imports
  • Active Directory Integration (2016EE and up)
  • Application Time Out

There are also some procedures used to heighten application security.

Least privilege/access processes

This means that the user has only the permissions necessary to perform his or her job, thereby reducing unnecessary risk.

Formal access/menu request processes

An organization can make its request processes formal. This may involve having designated applications or forms for requesting access to data, and it may require approval from several people in different functions before access is granted to the user.

Regular review of roles and associated access

As a person’s role within the company changes, so too should his or her access privileges; he or she likely should not still have access to the same data from a previous role if the organization is to follow the least privilege principle. The HR team is the most likely to be notified of these changes. This is one of the many reasons why having an HR member as part of an organization’s security team may be useful.

Employee terminations

Ideally, the same day an employee is terminated, he or she will no longer have Active Directory access. Otherwise, this is likely to show up on an audit.
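The last three procedures share one underlying check: reconciling what HR knows about a person against what the application or directory still grants them. The following is an added example, not code from this article or from QAD, of that reconciliation: it flags leavers whose accounts are still enabled (with the lag in days), movers who still hold entitlements their current role does not justify, and enabled accounts with no HR record at all. The role model, field names and sample users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample types; field names are assumptions, not QAD's data model.
@dataclass
class HrRecord:
    user: str
    role: str
    termination_date: date = None  # None while the person is still employed
@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: frozenset

# Hypothetical role-to-entitlement model: the least-privilege baseline that a
# formal access request process should produce.
ROLE_ENTITLEMENTS = {
    "ap_clerk": frozenset({"ap_entry", "supplier_browse"}),
    "ap_manager": frozenset({"ap_entry", "ap_approve", "supplier_browse"}),
    "planner": frozenset({"bom_browse", "routing_browse"}),
}

def review_access(roster, accounts, today):
    # Checks: leaver still enabled (with lag in days), mover holding entitlements
    # the current role does not justify, enabled account with no HR record.
    findings, known = [], {r.user for r in roster}
    by_user = {a.user: a for a in accounts}
    for rec in (r for r in roster if r.user in by_user):
        acct = by_user[rec.user]
        if rec.termination_date is not None:
            if acct.enabled:
                lag = (today - rec.termination_date).days
                findings.append((rec.user, "terminated_but_enabled", f"{lag} day(s)"))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, frozenset())
        if excess:
            findings.append((rec.user, "excess_entitlements", ",".join(sorted(excess))))
    findings += [(a.user, "no_hr_record", "") for a in accounts if a.enabled and a.user not in known]
    return findings

def sample_review():
    # Constructed data: leaver jdoe, mover asmith (formerly ap_manager), compliant bwong, orphan svc_old.
    roster = [HrRecord("jdoe", "ap_clerk", date(2021, 5, 17)), HrRecord("asmith", "planner"),
              HrRecord("bwong", "ap_clerk")]
    accounts = [Account("jdoe", True, frozenset({"ap_entry", "supplier_browse"})),
                Account("asmith", True, frozenset({"bom_browse", "routing_browse", "ap_approve"})),
                Account("bwong", True, frozenset({"ap_entry", "supplier_browse"})),
                Account("svc_old", True, frozenset({"supplier_browse"}))]
    return review_access(roster, accounts, date(2021, 5, 20))
```

Running such a report on a schedule, and treating a non-empty result as a ticket for the access owners, gives an auditor the evidence that the review and termination procedures are actually being followed.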

Conclusions/Next Steps

We’ve covered a lot today. We’ve discussed the potential costs of cyber and data security incidents and where these costs can come from, and the importance of activities such as security awareness training in lowering security breach risk. We’ve covered the different forms of high-profile data organizations may deal with, focusing especially on HIPAA information, and we’ve included several questions medical device manufacturers can ask themselves to determine whether their HIPAA data is secure. Lastly, we looked at the security options available to QAD ERP users, as well as general procedures useful for lowering cyber and data security risk.

However, we cannot hope to cover all such risk-reducing practices deeply in a single article. We therefore encourage you to visit our Cybersecurity webpage, where you will find a list of our services, including a general security assessment and a HIPAA compliance evaluation. You will also get a look at the Logan methodology for cybersecurity.

We also encourage you to reach out to us with any questions you may have regarding cybersecurity or the QAD ERP for your medical device organization.