When your marketing team is planning out how to highlight all of the features of a new medtech product, cybersecurity and compliance are likely not features that are top of mind.
In fact, you might not even think of it as a feature at all. Cybersecurity and compliance are often viewed as a box to check off—something you have to have, but it’s not exactly the most exciting thing to talk about.
What if we told you that these seemingly standard items could actually be a key feature of your offering, and that you can present them in a compelling way to your customers? We’ve had a couple of recent podcast episodes centered on different aspects of security and compliance, and learned a lot about how medtech companies can put them at the forefront of their offering.
Positioning Cybersecurity & Compliance as a Key Feature
Terry Ziemniak, fractional CISO and partner in TechCXO’s Product and Technology practice, was a guest on a recent episode of The Health Connective Show. During that episode, he explained how cybersecurity can become a key feature of your offering.
We all know in healthcare that we have an obligation and an expectation to protect patient data. However, the healthcare providers and organizations that are using your device or technology are really on the hook for ensuring that they not only keep patient data secure on their end, but also make sure that anyone else they work with will do the same. Every new vendor that collects patient data is a new risk point for that organization.
In the episode, Terry said, “If you are selling something to a big healthcare company, insurance, whomever, you are a risk to them. So keep that in mind when you have the conversations, and that’s where cybersecurity becomes the value add, the differentiator, in addition to, you just have to have it these days.”
So, yes, it’s important to have all of the proper measures in place to be secure and HIPAA compliant. But you shouldn’t just assume that your customers know what you are doing to protect them. This is where it becomes an opportunity to really make it a feature of your offering, and talk about all of the things your company is doing to keep their data secure and compliant.
How to Reassure Customers of Your Security & Compliance Efforts
Because new medical devices and tools that collect patient data introduce risk to organizations that use them, simply stating in the marketing materials that you are secure and compliant probably won’t be enough to reassure potential customers.
On the other hand, you don’t want to drone on about all of the technicalities of security and compliance. So, how do you reassure potential customers without getting too technical?
Highlighting software architecture that allows for more rapid updates
In a recent podcast episode with the team from Bold Type, we were talking about new FDA cybersecurity guidance, and how some medical device companies may have a harder time meeting those requirements depending on their software architecture.
Jose Bohorquez from the Bold Type team recommended that whenever possible, your software architecture should be set up in such a way that it allows for more rapid updates, so that when updates are needed for security or compliance purposes, it will be easier to get that done. He said:
“Frankly, the best time to start thinking about cybersecurity for medical devices is early, because if you make certain architectural decisions early that then bring on vulnerabilities, it’s going to be very difficult to meet those needs down the line. So, you don’t want to be in a position where you’re trying to do remediation on the cybersecurity front, because it’s not just a question of documentation. It may be a question of architecture.”
While that part of it is more on the development side of things, if your team is on top of things in that way, that’s something that you can highlight in your marketing. Your device is set up so that security and compliance-related updates can be rolled out quickly and smoothly, so it’s one less thing that your customers have to worry about.
Conducting a third-party review of your company’s processes & practices
One of the things that we as a company have done to both audit our processes and reassure customers is work with a company that specializes in third-party reviews of HIPAA practices and policies. While there is no official government-appointed agency that can verify HIPAA compliance, a third-party review will typically check for all of the points that you would be subject to if your company were audited for compliance.
There are different companies you can work with to do this. We used Compliancy Group, which has software that streamlines the process and assists with documentation and training. Once you have completed their program and their team has verified and validated the information you supply, you receive a “Seal of Compliance” that can be used on your website to assure current and potential customers that you have made a “good faith effort” to comply with HIPAA standards. (You might notice ours at the bottom of the page!)
This type of third-party review isn’t required, but it can go a long way in building trust for your customers. It shows that you do take security and compliance seriously. It also can help to uncover potential vulnerabilities in your current systems and processes so that you can correct them.
Incorporating Cybersecurity into Your Marketing
In most cases, cybersecurity isn’t the primary selling point of your offering. However, it is something that your customers will really care about. Hospitals and health systems introduce new risk potential for their data each time they engage with a new company that has access to sensitive data.
You don’t have to get super detailed about your security measures in your marketing materials, but it is worth addressing beyond just saying “we’re HIPAA compliant.” Back up those claims with some high-level information about your software architecture, third-party audits, and anything else that is relevant to your security practices, and be prepared to answer more specific questions during the sales process.
Cybersecurity may not be the most exciting part of what you are offering, but keep in mind that if you handle potential PHI, it’s something that you need to get in the door with your target customers.
As the marketing manager, Ashley ensures that our clients’ marketing strategies are put into action. This includes content writing, SEO, online advertising, analytics, and interfacing with the tools, systems, and team members needed to help our clients accomplish their marketing goals.