The importance of a holistic security approach in healthcare

Dirk Dumortier, Director of Strategic Partnerships, APAC, Alcatel-Lucent Enterprise

How can you mitigate the vulnerabilities and risks from the growing use of connected devices in healthcare?


With the Asia Pacific (APAC) region accounting for two-thirds of the global population, it stands to reason that the healthcare sector in the region has nowhere to go but up in terms of growth. This is reinforced by a report from the Economic and Social Commission for Asia and the Pacific, which notes that foreign investment into the APAC health sector is on an upward trend.

No doubt, the business of healthcare is booming. However, given the amount of sensitive information typically stored within healthcare systems, as well as the industry’s reliance on technology, the sector is also extremely appealing to threat actors. Reasons include valuable stores of patient data, the constant flow of that same patient data between healthcare institutions and other third parties, the use of diverse and increasingly connected medical devices, vulnerabilities in legacy systems, and more.

This unique environment in healthcare creates a complex security challenge for healthcare practitioners and their IT teams. Modern healthcare institutions are no strangers to cybersecurity incidents.

Recent reports show that 1 out of every 34 healthcare firms has experienced an attempted ransomware attack. The incident rate in Asia Pacific (APAC) is markedly higher in comparison, with 1 in 20 healthcare firms in APAC facing attempted ransomware attacks.

- Dirk Dumortier, Director of Strategic Partnerships, APAC, Alcatel-Lucent Enterprise

Now more than ever, secure communications, especially in the context of the healthcare industry, require a holistic approach that combines technical measures, operational resilience, and ongoing security best practices, all tailored to the healthcare industry.

Developing a Risk, Resilience and Security framework

Here are three ways in which a Risk, Resilience, and Security (RRS) framework provides a model for achieving this:

1. Make sure your security basics are covered

Secure communications within healthcare operations must be built around three key principles: encryption, secure authentication, and network segmentation.

To start, end-to-end encryption of patient data such as medical records and payment information is fundamental, as breaches can lead to identity theft or insurance fraud. Healthcare providers both in APAC and globally are required to comply with stringent data protection regulations such as Singapore’s Personal Data Protection Act (PDPA) and Australia’s Privacy Act 1988. By encrypting medical data, healthcare organisations can better protect patient privacy, maintain regulatory compliance, and ultimately foster trust in the healthcare systems they operate.

Secure authentication must also be ensured to gatekeep staff access to critical systems. This can come in the form of multi-factor authentication (MFA) and strong password policies. Password-less authentication is one of the newer best practices to emerge; it is enabled using biometrics or passkeys, with the latter typically provided through password manager applications. Password-less authentication can provide a more seamless and convenient login experience, as users do not need to remember and enter passwords to gain access.

Finally, network segmentation, the practice of isolating patient data from operational systems to contain breaches, is a key best practice. It improves security by preventing an attack from spreading across the network and into other business systems.

2. Bolster your business continuity by becoming operationally resilient

Ensuring business continuity in the healthcare sector is crucial, as disruptions can have a devastating impact on patient care. As such, operational resilience must be built in by implementing redundant systems and infrastructure to minimise single points of failure. Establishing alternative communication channels like landlines and satellite phones can maintain connectivity during emergencies. Additionally, regular staff training on how to react to and manage emergency procedures empowers employees to respond effectively to unforeseen events.

Take John Flynn Private Hospital, for instance, which worked with ALE and delivery partner NorthBridge on a bespoke alarm and notification system. The goal was to better prioritise alarm codes so that nurses can respond to emergency codes much faster and tend to patients quickly, while also reducing alarm fatigue over the long term.

A robust network infrastructure designed for high availability, coupled with proactive network monitoring and rapid issue-resolution tools that take load off the IT and security team as well as operational staff, further strengthens resilience by minimising downtime and ensuring smoother patient care with fewer interruptions. In doing so, healthcare organisations can safeguard their operations, protect patient safety, and maintain their reputation as reliable providers of essential medical services.

3. Build a security-first culture that permeates the entire organisation

Cybersecurity incidents can pack a wallop, not just to the company bottom line, but also to the company’s reputation. PwC’s Digital Trust Insights 2024 Asia Pacific survey highlighted reputational damage as one of the top three concerns for Asia Pacific organisations when it comes to the outcomes of potential cyberattacks.

As such, cybersecurity literacy is essential for employees, as it empowers them as the first line of defence against cyber threats. By understanding today’s common risks such as phishing, malware, and social engineering, employees are better equipped to maintain a healthy scepticism towards information that seems too good (or too bad) to be true, thus helping to protect sensitive company data and lower the chances of a costly breach. For healthcare workers, this can include continuous security awareness training for all staff, especially those who frequently handle sensitive patient data and, by extension, those who manage third-party access to patient information.

Building a security-first culture is just as important; leadership must set the tone by ensuring that the communications and security policies put in place are unambiguous. A workforce that is more cyber aware is also one that is more security-conscious, with employees more likely to proactively report suspicious activity and to follow best practices. This ultimately strengthens the organisation’s overall cybersecurity posture.

A framework for success

Healthcare organisations must deal with thousands of patients daily, making operational efficiency paramount to long-term success. Effective and secure communications can allow healthcare institutions to run at maximum efficiency, delivering tangible benefits to both the patient and the organisation.

Approaches like the Risk, Resilience and Security (RRS) framework offer the processes, best practices and solutions that healthcare institutions need to better predict, monitor, avoid, and counter exposure to cyber-risk. At the same time, finding the right partner who understands the unique challenges and regulations of the healthcare industry will help the business be better positioned for success over the long term.

Dirk Dumortier is Director of Strategic Partnerships, APAC, Alcatel-Lucent Enterprise

© iTnews Asia