Small physician practices, and even small hospitals, likely have limited cybersecurity budgets. As a result, smaller practices rarely have security experts on staff who can explain precisely why using consumer-grade information technology (IT) equipment is a bad idea. Rest assured: It is a bad idea.
It may seem like a saving on the front end to go to a nearby big-box store. After all, you can buy all of the necessary equipment for a fraction of the cost of being outfitted by a trusted business-class or enterprise-class supplier. But, as the saying goes, you get what you pay for.
Healthcare providers don’t reuse bandages or skimp on medical equipment, and they shouldn’t skimp on the technology that keeps the practice running, either. It is crucial that practices demonstrate to their patients they are trustworthy and capable of caring for them. This is true whether it’s providing clinical care or ensuring that the infusion pump, or any other device, is properly installed to provide care—and capable of doing so in a secure and HIPAA-compliant way.
What’s the difference?
Anyone can buy every device needed to set up a home network. For example, there are consumer-grade Wi-Fi routers that range in cost from $10 to $250. The inexpensive equipment may seem like a deal compared to a single new enterprise-grade wireless router, which will run closer to $500. But remember, in order to keep prices low, the consumer-grade equipment’s hardware is sacrificed, and the software programming and security checks are rushed. And security is typically the first corner cut.
Part of the reason professional equipment costs more is that it is made with better hardware. This is particularly evident with devices that get heavy use, such as servers and printers. That all-in-one inkjet printer from the big-box store is technically capable of the same functions as enterprise equipment. However, it certainly cannot handle a medical practice’s need to print hundreds of pages and send dozens of faxes each day.
As with everything, you get what you pay for. If you pay for quality, you get quality. If you don’t, you pay for it some other way, such as frequent repairs or replacement, employee time, or security breaches.
It’s what’s inside that counts
The differences don’t stop with hardware, though. The physical materials are only a small part of the picture when it comes to electronics, especially computers and their components. The software that runs on the hardware is a crucial component and is more likely to be the cause of a security incident or breach than the hardware itself.
For example, the difference in hardware between a $50 home router and a $200 small office/home office (SOHO) router is fairly negligible, perhaps a faster processor or more antennas, but not much beyond that. The biggest difference lies in the software that allows the router to function and controls the network’s security.
Many home routers have software that is nearly impossible to properly secure. There are some open-source projects, such as OpenWRT, that have developed replacement software to make home routers more secure. This software is a good option but still insufficient for medical practices. Professional-grade devices have more security feature options, the ability to use more secure wireless networking protocols, and reliable updates and patches from the manufacturer.
If a quick look around the office reveals a bunch of consumer-grade devices, consider the investment to better protect your patients and the practice from a disastrous breach or security incident. Quality equipment is necessary to provide quality care. That may mean investing more upfront, but the money is a small price to pay in the long term.
John Nye is senior director of cybersecurity research and communications at CynergisTek.