With the recent uptake in data breaches and the healthcare industry vulnerable to a myriad of cyber breaches, concerns of the resilience of cyber security infrastructures within healthcare organisations are not unfounded.
iTNews Asia finds out from Gyanesh Ojha, Information Security - Principal Associate, Thoughtworks SEA about the state and preparedness of existing cybersecurity infrastructures, the challenges faced in making them resilient, and how the security landscape will change with the emergence of 5G.
iTNews Asia: How has the cybersecurity landscape changed within the healthcare industry compared to pre-pandemic and now?
The pandemic has forced the healthcare industry to rapidly shift onto the online space. The most salient change I have observed would be the way in which medical data is being stored and accessed across different parties and locations.
Historically, medical records were kept in cabinets and shared in a more restricted manner through a paper trail, given the lack of connectivity between various healthcare facilities or departments. Today, the majority of patients’ data is now stored in the cloud – granting medical professionals, hospitals, and private health companies the ability to access medical records remotely and in real-time.
Yet, just as rapid as these infrastructural changes were adopted, the cybersecurity landscape has also quickly responded to these shifts and we now see security threats that are rapidly growing in sophistication than ever before. Cybercriminals are now more active, looking for weaknesses in these new systems to access private and confidential medical information.
The sudden changes in infrastructure, databases, and applications across the healthcare industry often ignores key security requirements, with developers prioritising their accessibility as opposed to their ability to offer privacy, confidentiality, and integrity. Cybercriminals are well-aware of this practice and remain well-equipped to take advantage of such vulnerabilities.
iTNews Asia: Healthcare possesses a wealth of data and information that cyber attackers would be eager to retrieve – making it a high stakes sector given its importance. Are the operating systems in the healthcare industry able to ensure the resilience of their cyber security infrastructures?
The healthcare industry's focus, after all, remains centred on the health and safety of patients. As such, healthcare providers often channel the majority of their budgets into medical equipment, which requires steep upfront investment.
Unfortunately, this also means that little has been done to ensure that healthcare systems can remain resilient in fending off cybersecurity attacks. Instead, most healthcare providers continue to rely on outdated and legacy operating systems, unpatched applications and unprotected infrastructures that are easily accessed by malicious threat actors.
Another factor for continuing with legacy infrastructure and systems, would be that many healthcare practitioners have already grown accustomed and too comfortable with the systems and processes in place, so much so that they are reluctant to implement these new updates, even if it means increasing workplace efficiency as well as strengthening cybersecurity measures.
This lack of focus on cybersecurity is not surprising but this ultimately negatively impacts patients, particularly when sensitive data is being compromised, and threatens the reputation of healthcare providers.
iTNews Asia: The healthcare industry is also a critical sector where connectivity needs to be seamless and always connected. What are some of the challenges faced when upgrading their cybersecurity infrastructures, and how were they overcome?
The main challenge faced is the steep cost of medical equipment. In the absence of sufficient budget and resources, equipment is either typically not upgraded or older, less secure, and unpatched systems are purchased. This could lead to security flaws and the loss of important data with healthcare organisations left vulnerable to attacks.
When upgrading cybersecurity infrastructure, healthcare providers may engage several disparate security solutions from various vendors, creating data silos that hinder cross-functional information sharing – preventing them from accessing crucial information. It also poses a challenge for security teams who may not have full visibility across networks, devices and assets to monitor, anticipate and mitigate potential threats.
The sudden changes in infrastructure, databases, and applications across the healthcare industry often ignores key security requirements, with developers prioritising their accessibility as opposed to their ability to offer privacy, confidentiality, and integrity. Cybercriminals are well-aware of this practice and remain well-equipped to take advantage of such vulnerabilities.
- Gyanesh Ojha, Information Security - Principal Associate, Thoughtworks SEA
Upgrading systems to an online space or relocating information from one cloud to another will also pose a challenge. However, if the upgrade is well-planned – which involves assessing and identifying the relevant risks – said challenges can be easily overcome.
While moving to the cloud, the selected infrastructure should ensure confidentiality, integrity, availability and privacy, whilst allowing authorised access from healthcare providers. Additionally, patients’ data should be encrypted with appropriate technical solutions, while the devices used to access patients’ records have the appropriate controls in place like strong password, encryption, patching, and logging.
As much as possible, third parties should not be given access to the patient's data – instead masked data can be shared. If it is mandatory to give access rights to them, patients will have to provide their consent.
Healthcare providers should assess the third party’s security practices before engaging with them and ensure that they follow all the applicable regulatory and compliance requirements. At the end of the engagement, the healthcare provider should collect all the data back from the third party and ensure that all data within their possession is securely deleted.
Data retention policies should be clearly defined by healthcare providers. This will help ensure that regulatory requirements are followed. Data should be retained only as per the regulatory requirements. Once the data retention requirements and timelines are over, this information should be securely deleted.
iTNews Asia: How often do healthcare staff undergo training to improve their IT and cybersecurity proficiency?
As healthcare becomes more digitised and with the rising adoption of more sophisticated patient care solutions, training healthcare staff to be proficient in technology has become a priority. While there is no blueprint for developing the technological expertise of healthcare staff, organisations should try to take a more holistic approach to their security awareness programs.
Ideally, said programs should be designed to focus on changing staff’s perception towards security by thoroughly explaining the security risks as well as its subsequent impact on patients, the organisation and healthcare providers, substantiated with strong case studies. The program should also focus on the current practices that healthcare professionals follow during day-to-day operations, along with the necessary changes they need to make in each of those daily activities to improve security.
At the end of the day, all staff should be able to meet a certain level of IT and cybersecurity proficiency that will ensure all patient data, applications and software used are kept secure. IT and cybersecurity training should not be viewed as a one-off lesson, but rather, a continuous learning journey for healthcare professionals.
iTNews Asia: How do you see the security landscape in the healthcare industry changing over the next 3 years, with 5G emerging?
With 5G networks across Asia Pacific expected to increase in adoption over the coming years, a new world of possibilities will be seen in the healthcare landscape and will spur innovations with the potential to reduce risk and promote positive impact for patients.
This can include advancements in medical telemetry and remote telesurgery, robot-powered clean-ups of healthcare facilities, and instantaneous sharing of patient data. Yet while the potential of these advancement can be limitless, the technology must be balanced with privacy, security, and other considerations.
Healthcare systems that leverage the speed of 5G connectivity and the robustness to interconnect multiple devices and touchpoints in the ecosystem will blur the lines between the physical and digital world. Consequently, the attack surface for potential security breaches will also be expanded.
What can be worrying, is that these new applications of 5G and connected devices can extend the reach of a compromised network into the patients’ personal lives. For example, via connected cameras and microphones in homes. Such issues also give rise to significant implications for personal privacy
Regardless of tech advancements, baseline security requirements should be followed. Technology enhancement has a lot of positives but if not implemented appropriately, it will open channels for cybercriminals. As such, healthcare providers must ensure that they have the required controls and countermeasures to negate possible attacks.
Greater connectivity will allow people to access and share a lot of data easily. It is thus important to look out for all possible loopholes to reduce the attack surface. Controls like end-to-end encryption, proper access control, logging, monitoring, and auditing should be implemented.
Additionally, patients’ data would require greater levels of protection. With the emergence of robot assistants and connected homes, the private data of patients will become accessible across multiple levels, and can also be more vulnerable should confidentiality, integrity and privacy aspects continue to be de-prioritised.
Healthcare devices connected to home networks or to healthcare providers’ networks need to have robust controls at perimeter, end-point level, database, and application levels. While developing such applications, the development team should consider all possible attack vectors and test these systems thoroughly.
Digital Healthcare 2022 is happening on 22-23 March 2022. More information can be found here.
