Depending on who you speak to, healthcare cyber risks are on the rise everywhere around the world. The COVID-19 pandemic has attracted cybercriminals who see an opportunity to attack distracted citizens and governments.
The healthcare sector, with its copious amounts of patient data, presents an attractive target for cybercriminals. What’s at stake?
According to the Bitglass Healthcare Breach Report 2021, there were a total of 599 healthcare breaches, collectively affecting over 26 million individuals. The average cost per breached record increased from $429 in 2019 to $499 in 2020. The cost to healthcare organisations? US$13.2 billion.
With many focused on containing the COVID-19 pandemic, is there room to relax our guard against cyber contagion?
Nilesh Jain, vice president, Southeast Asia & India at Trend Micro, says the healthcare sector is among the top three most attacked verticals globally, apart from government and banking, and ASEAN is no different.
The dark side of healthcare modernization
“The only difference is that in some of the ASEAN countries, healthcare infrastructure is just coming up, and it’s coming up much faster than in the last 15-20 years. We have seen that the biggest infrastructure transformation taking place in the healthcare space is in the ASEAN region, including Singapore, Malaysia, Indonesia, and Thailand,” he explained.
He cited the adoption of medical devices that connect to the cloud, which enables them to be controlled remotely. These devices store data in the cloud. And this is where it gets interesting.
He notes that a lot of hospitals do not know that these devices can be compromised, and those that do, do not know how to protect them.
He cited a Frost & Sullivan study claiming that almost half of the healthcare organizations in Asia Pacific have either been compromised or have seen some security event happen at some point in the last two years.
“Since Covid-19, a lot of healthcare organizations are under pressure of modernizing their infrastructure, and so are the attackers. They are going behind the organizations and a lot of attacks are happening around medical devices and ransomware,” he continued.
Some good news
Jain alludes to one piece of possible good news. Current-generation medical equipment runs on current-generation computers and is connected to the Internet. So, when medical equipment is upgraded, IT is upgraded at the same time.
In addition, medical device manufacturers are beginning to learn how to secure their devices, how to patch vulnerabilities, and what kinds of security practices are needed.
“I’m not saying they are not secure, but instead, that they don’t know what vulnerabilities they have opened themselves up to. So, these are the challenges that we are seeing across ASEAN,” said Jain.
Jain commented that CIOs and CISOs at healthcare organisations in ASEAN are not ready. However, they continue to be vigilant and are trying to learn as much as possible.
“They are working with some of the largest medical device manufacturers and cybersecurity companies and trying to organize training programs. A lot still needs to be done as the industry is evolving,” he continued.
According to Jain, the number of IoT devices, which a lot of hospitals are deploying, is growing much faster than the security solutions that can secure them. This is the reason why there is pressure on healthcare IT professionals, as medical devices are being deployed much faster than security solutions.
Advice to the community
Jain believed that the way forward is for CIOs and CISOs to develop an ecosystem comprising medical device manufacturers, a cybersecurity partner to monitor security operations 24/7, and a cybersecurity consultant who conducts a continuous audit in the form of red teaming.
Click on the PodChat player and listen to Jain elaborate on how healthcare organisations in ASEAN need to respond to the rising cyberthreat.
- Please describe the state of the cybersecurity landscape in ASEAN from 2019 to 2021.
- Specific to the healthcare sector, what are some of the security threats that healthcare organisations in ASEAN need to be wary of?
- How can malware attacks, especially the recently warned-about NAME:WRECK, impact the provision of healthcare?
- What steps can healthcare organisations take to protect themselves and their patients from potential security threats?
- Selling the security story to CEO/CFO and Board?
- For CIO-CISO, what questions to ask their security vendors to address emerging threats?