n recent years, medical cybersecurity has emerged as a large and growing niche in the overall cybersecurity markets. Unlike other markets such as cloud computing that are highly oligopolistic and dominated by a few large actors, medical cybersecurity is quite dynamic as startups are entering the nascent space to address the specialized needs of the healthcare sector.
Those needs are varied as healthcare organizations face threats due to their adoption of innovations such as the Internet of Medical Things devices, electronic health records, and the cloud. The venture capital markets have taken notice and myriad startups are attracting sizeable amounts of capital in an arena that yearns for innovation.
With healthcare being almost a fifth of US GDP, the financial opportunities are immense. Just as importantly, the tremendous value of healthcare data makes it the most coveted personal information and the target of hackers so there is an opportunity for startups and VCs to add social value as well.
THE EMERGING NEED FOR MEDICAL CYBERSECURITY
Cybersecurity is growing in importance across the information technology industry but has become of paramount importance in the medical field. Security and privacy are major considerations within the healthcare market due to the fact that an astounding 30% of the global volume of data is generated by the healthcare industry.
The vital need to manage this data and protect it is why medical cybersecurity has become so central to the healthcare industry. Indeed, according to the 2022 Third-Party Breach Report by Black Kite, a cyber risk rating platform, cyber attacks in the healthcare sector accounted for 1/3rd of incidents in 2021, making it the most common victim of hacks.
In addition, there is the imperative to comply with the privacy mandates intrinsic to the Health Insurance Portability and Accountability Act (HIPAA) as violations of HIPAA have cost organizations over $75 million in fines since 2016. However, securing this data has proven to be an enormous challenge. The healthcare industry which routinely gathers some of the most personal financial and biometric data of patients experienced a tripling of data security breaches between 2018 and 2021 with 45 million patient records breached in 2021 alone which represented a strong increase from 34 million in 2020. The highly valuable data of healthcare organizations is increasingly being targeted by hackers who are undoubtedly aware that most of these enterprises are unprepared and unable to defend their information technology infrastructure from sophisticated cybersecurity attacks.
According to the Ponemon Institute, the costs are immense as healthcare data breaches cost organizations an average of $408 per record which is roughly twice the $206 amount of financial data and 2.5 times the global average of $148 per record across all industries. The demand for innovative cybersecurity products services to address the privacy and security challenges in the healthcare market is palpable. Ironically, venture capitalists who have experience in financing the hardware and software companies whose products are now under attack, are now being called upon to work with startups to finance security solutions for those products.
WHAT IS MEDICAL CYBERSECURITY?
The mission of medical cybersecurity firms is to protect the privacy and security of healthcare data from both accidental deletion and illegal breaches in healthcare information security. Medical cybersecurity generally involves both administrative and technical preventive security measures as well as post-incident data recovery solutions to guarantee the confidentiality, availability, and security of electronically stored health information.
Personal health data is increasingly important due to its comprehensive and highly sensitive nature: it involves biometric as well as financial information. Increasingly, this data is stored in the cloud to facilitate its manipulation but in the healthcare market most (70%) of healthcare organizations are novices in using cloud services while the remaining 30% are able to effectively deploy advanced technologies like IOT, AI, machine learning and serverless computing.
This likely reflects the fact that, as should be expected, the vast majority of healthcare organizations are focused on the delivery of care to patients with their primary focus being on accessing the financial and electronic health records that are the most critical data points in the fragmented American healthcare bureaucracy. The fact that 70% of users within the healthcare cloud market are beginners represents an enormous opportunity for cybersecurity startups with cloud technical capabilities as there is great demand for cybersecurity services to assist novices in effectively protecting the data that they have stored in the cloud. Indeed, in the two years to 2019, healthcare providers’ use of hybrid cloud doubled from 19% penetration to 37%. Compounding the challenge for healthcare providers is that there is a global shortage of cybersecurity professionals that reached 3.5 million unfilled positions in 2021, a 350% increase from 1 million in 2014.
Thus, healthcare providers are compelled to turn to the products and services offered by the medical cybersecurity industry. The conservative healthcare industry is now more open than ever to collaboration with innovative startups—despite their lack of size or extensive track record--that can help it to solve these complex problems which by definition require innovation and out-of-the-box thinking.
THE IMPORTANCE OF HEALTHCARE DATA
Importantly, if the integrity of healthcare data is compromised, the actual physical health of patients can be deleteriously impacted. The health status of patients is increasingly accessible digitally due to the growth in e-prescribing, telehealth, mHealth, and especially electronic health records. These records are designed to be easily accessible to both patients and healthcare providers but that also makes for weak cybersecurity.
The 2009 HITECH Act required doctors to maintain digital documentation of all patient interactions and appointments and this has made EHRs ubiquitous, but these EHRs face constant attacks from hackers. Medical data includes highly personal information such as fingerprints, DNA samples, blood test results and the like that is now increasingly stored digitally so protecting it is vital.
In the healthcare sector, valuable financial data such as employment, health insurance, and credit history are also recorded in America’s for-profit healthcare system, so it is possible for hackers to steal information related to the finances of not only patients but also medical professionals. Finally, personal information such as social security numbers, patient addresses, phone numbers, and e-mail addresses is also in healthcare databases which makes it possible—in tandem with financial data—to illicitly access bank accounts and facilitate identity theft.
Not only is this data increasingly stored in the cloud, but healthcare providers are also at the forefront of deploying the millions of devices known as the Internet of Medical Things (IOMT) which must interface with the cloud to be effective. The data that is generated by, shared, and stored on, and analyzed within the cloud represents a massively distributed, interconnected and highly vulnerable ecosystem of devices, applications, and servers.
A 2019 survey by Irdeto found that 82% of healthcare organizations had experienced an IOT-focused cyber-attack. The very devices that have been developed to facilitate patient health are being used to undermine healthcare security. The problem is so unique and requires such special capabilities that complex products and services are being developed in the medical cybersecurity industry to address the challenges of securing IOT devices to the hybrid cloud as there is poised to be an explosion in security threats due to the networking of billions of IOT devices.
THE MEDICAL CYBERSECURITY MARKET
Due to the aforementioned factors, the medical cybersecurity market is booming. The global healthcare cybersecurity market is projected to more than triple from $11 billion in 2020 to $35 billion in 2027. The global healthcare cybersecurity market is projected to further increase to $57.25 billion by 2030, a figure that represents a CAGR of 16.3% between 2021 and 2030. Securing the data within the cloud is particularly important. Within the overall cloud security market, there are a wide variety of industry use cases but along with financial services, medical cloud security has become amongst the most attractive since the data they collect is so vital.
Investors have taken notice of the opportunities in the medical cybersecurity market and capital in flowing into it. According to Vation, funding peaked at $2.6 billion in 2020 but has still remained strong at $1.5 billion in 2021 and $1.2 billion in 2022. The dramatic peak in 2020 reflects rising interest in healthtech generally during the pandemic while the recent decline is indicative of the current global economic headwinds. Still demand for healthcare is inelastic and the imperative to secure data in the Information Age is also a constant so the innovative entrepreneurs in this market will likely find no shortage of venture capital financiers.
REGULATION AND MEDICAL CYBERSECURITY
Regulation is particularly important in the medical cybersecurity market. The dynamic between security and regulatory compliance should be further highlighted as it is a global issue. Through the California Consumer Privacy Act of 2018, California has enacted some of the most stringent laws in the country that give consumers greater control over the personally identifiable information that businesses collect about them. Nationally, HIPAA has its own restrictions.
In Europe, there is the General Data Privacy Regulation (GDPR) which establishes privacy as a human right, protects the personal data of EU citizens and affects any organization that stores or processes their personal data even if it does not have a business presence in the EU. Canada has the Personal Information Protection and Electronic Documents Act. and China is a world unto itself regarding data security and privacy.
In each domain, there are major legal and financial ramifications for those found to be non-compliant with laws. Healthcare data involves human beings and as such it is inherently global. As they endeavor to secure data and respect patient privacy, the complexity of these regulations and the financial repercussions of their violation has proven to be a major bottleneck, so organizations need products and services to assist them in navigating these regulations.
MEDICAL CYBERSECURITY INNOVATORS
While there are a few larger companies within the medical cybersecurity market, the industry is so nascent that it is largely a forum for highly disruptive and innovative startups. A few of these firms compete across multiple areas of medical cybersecurity but often they focus on niches such as medical device security (IOMT), ransomware, patient data protection/EHRs, cloud cybersecurity and regtech/compliance. One of the larger actors in this space with a comprehensive cybersecurity solution is FireEye.
FireEye, which has raised $1.2 billion in over 7 funding rounds, provides a holistic cybersecurity-as-a-service (CAAS) platform that can augment cybersecurity operations in a wide variety of domains: public or private cloud, on premise or hybrid environments, in network or at the endpoint.
Specifically, the companies healthcare offerings include the protection of patient data, clinical research, and critical infrastructure by leveraging proprietary technology with threat intelligence to identify hackers, their plans, and their methodologies. Its healthcare practice focuses on three distinct stakeholders: healthcare providers, life sciences and health insurance providers. The FireEye solution also offers enhanced flexibility through the ability to conduct myriad types of cloud configurations as well as integrate with any of the major cloud service providers (Azure, AWS, and GCP); and increased visibility by enabling the user to see their security control across multi-account and multi-cloud environments.
Sensato, which was recently acquired by CloudWave, is another of the more comprehensive solutions in the medical cybersecurity arena. Uniquely, Sensato began by specializing in medical cybersecurity but is now expanding into other industries which demonstrates how the lessons learned from the medical cybersecurity sector have broad applicability. Sensato’s Nightingale cybersecurity platform provides real-time packet-level monitoring of network traffic, host intrusion detection, and asset fingerprinting as well as compliance and incident response modules for healthcare infrastructure including patient-attached IOMT devices.
The company’s Cybersecurity Tactical Operations Center (CTOC) is explicitly designed for the healthcare sector and includes threat fusion capabilities, a ransomware response center and the first clinical cybersecurity rapid incident response program that is specifically designed for attacks on IOMT devices.
Likewise, the Sensato Medical Device Cybersecurity Operations Platform (MD-COP) is a single solution for medical devices that addresses strategic medical device cybersecurity needs by helping healthcare organizations to understand their security risks and policy gaps, deploy breach detection, and perform medical device manufacturer cyber security risk assessments.
The company also offers a Critical Access and Rural Health program. This is an end-to-end managed cybersecurity solution that provides an integrated security platform covering servers, networks, as well as medical devices with 24x7 monitoring, threat intelligence, deception technologies tailored to the needs of the rural hospital environment. More generally, the company is expanding beyond its healthcare cybersecurity offerings to provide Advisory and Strategy services including cybersecurity maturity modeling, penetration testing, and advanced simulations for other industries and sectors.
CONCLUSION
Healthcare organizations are no longer medical entities solely concerned with the amelioration of physical ailments. As their internal operations increasingly digitize and as they are required to interact with an external environment where that is also happening, healthcare organizations are becoming information technology companies.
That reality necessitates that their systems and especially the valuable data on those systems be protected with state-of-the-art cybersecurity products and services. Due to the unique and highly complex context of the medical industry, this is not an easy task for traditional, more general cybersecurity solutions.
In addition, this market is vast and quite lucrative. Consequently, cybersecurity startups are emerging to address the specific needs of this complex and dynamic market with an eye towards the enormous profits that can be generated by generating value for such a huge and fundamentally important industry. People will always pay to stay healthy and the healthcare industry will always pay innovative startups to satisfy those patients by protecting their data and assisting in the delivery of better care at lower cost.
Interested in the full research paper?
Join to receive Venture Capital research, guides, models, career tips, and many other great insights delivered straight to your inbox.
