Exclusive Interview: Anthony Kitzelmann, Chief Information Security Officer, Australian Digital Health Agency

On maintaining good cyber hygiene, preparing against and responding to cyber-attacks, and understanding the rationale of attacks in the healthcare ecosystem

Cybersecurity is the ultimate team sport, underscores Anthony Kitzelmann, Chief Information Security Officer at the Australian Digital Health Agency and General Manager of the Agency’s Cyber Security Centre, as he shares with Hospital Insights Asia why cyber resilience is crucial in healthcare, why cybercriminals are always looking for a good opportunity to attack, and how hospitals should prepare for and respond to a data breach.

Why must hospitals be cyber resilient?

Trust is non-negotiable in healthcare. Patients go to hospitals and doctors they trust. Cybersecurity is a natural extension of this trust, as patients have a right to expect that their data will be looked after and the health system is secure.

Looking at it from a business perspective, the cost of cybercrime can be massive. If a hospital’s patient booking system for surgeries, for example, is affected by a ransomware attack, surgical procedures will have to be postponed, thereby impacting the hospital’s revenue and its ability to sustain the workforce and meet the needs of the community it serves.

It may not be too obvious to others, but cybersecurity has a direct impact on patient care. A breach in the health system can delay surgeries, as happened recently at University Hospital Düsseldorf, where a patient died following a ransomware attack that delayed her surgery.

Hospitals should remember that cybercrime actors can attack booking systems, compromise imaging and patient databases, and corrupt data, all of which can have an adverse effect on the safety of patients and the efficient delivery of hospital services.

But why do cybercriminals attack hospitals?

Cybercriminals have one specific focus – that is, to make money easily and quickly. They attack healthcare systems to gain access to personally identifiable information, like names, birthdates, health card numbers, and even banking details stored in the system, and use this data to take control of someone’s identity, sell data on the dark web, get bank loans, and make the hospital pay a ransom to get its data back after a ransomware attack.

Recently, across the globe, there has been a massive increase in phishing attacks with a focus on COVID-19. These come in an email urging you to open a link to supposedly find the newest updates on the pandemic, which users often fall prey to as they are enveloped with fear for themselves and their families and thus want to be constantly informed.

Cyber adversaries know the game they’re playing. They understand people’s emotional vulnerabilities at this difficult time and use these to their advantage. Now that people are slowly returning to physical work arrangements from remote working arrangements, we see cybercriminals adjusting their approach, targeting employees through a phishing email masked as someone from the company’s IT department. In other words, cybercriminals understand the uniqueness of the human psyche and this gives them leverage.

So how do hospitals up their cyber defences?

Cybercriminals can only gain an advantage if you leave a way for them to get into your system. To have a cyber-resilient health service, hospitals should make sure that all connections to the internet go through a managed gateway. Think of it as filtering the way information comes to your hospital, thereby allowing you to filter out the bad guys and let the good guys through your front door. You can’t have a thief finding the unlocked door and walking through it that easily, can you?

Another important measure is to keep your technology patched and updated, as cybercrime is primarily a technology-based challenge. Just as you make sure your children get the latest vaccinations for the flu virus, you also need to ensure your servers and workstations are equipped with the most recent security so cyber-adversaries can’t possibly break in.

In the same way, educating the workforce is equally crucial, particularly for large hospitals. As cybersecurity involves a team rather than an individual, keeping hospital staff aware of good cyber hygiene practices and cyber risks is one way of avoiding someone in the organisation mistakenly clicking on a phishing email. A shared understanding of the risks, therefore, can help hospitals respond in a unified way. Further, it will increase the chance of levelling the playing field with cybercriminals, as the latter often discuss and plan together what they’re going to do, whereas this is not such a common practice in healthcare organisations.

Part of this is also building confidence within the team to engage and take responsibility for cybersecurity. People make mistakes, and someone might accidentally open the front door to cybercriminals. But with a culture where everyone is not afraid to be transparent about potential breaches in the system, cyber-attacks can be prevented.

What can a hospital that experienced a cyber-attack do?

Finding out that your hospital is under attack isn’t something you need to hide because everybody gets attacked anyway. So, the first thing you need to do is to immediately call for professional advice and support.

Next, you need to make the system safe, which requires you to contain the attack so it won’t get to your secondary systems. When your booking system, for instance, has been compromised, you should isolate this specific component from the network so the attack won’t break into the primary health network where patients’ health data is stored.

Collecting as much information as possible and sharing it with partners follows. Cybercriminals aren’t just going to attack your hospital; they’re also planning to attack other hospitals. In cybersecurity, there are “indicators of compromise”, something like fingerprints that help you identify which cybercriminals are attacking you and how they’re attacking your system. When other hospitals have such information, they can successfully block the same attack by understanding the technical tradecraft the adversaries are using.

Equally crucial is having a Cyber Incident Response Plan in place, which should cover three facets: technical capabilities, communications, and the roles and responsibilities of management. The technical workforce needs to have the appropriate tools and support, so they can efficiently fix the system in case of an attack without having to wait for someone to give the go signal allowing them to make the necessary decisions to contain and stabilise the system. Additionally, should a cyber-attack happen, it is crucial to have a prepared communications plan that includes these key aspects: acknowledgement of the cyber-attack on the hospital systems, actions taken to engage cybersecurity experts, assurance that patient data is the top priority, and commitment to advising the public as things unfold. This response builds a level of confidence for your patients, as they know your hospital is being transparent about the issue and is actively taking the necessary steps to correct the attack. Lastly, it is critical to clearly define the roles and responsibilities of your crisis management team, meaning to have the right people make the right decisions and keep key business stakeholders informed throughout the process.

Cybersecurity is a key part of the healthcare ecosystem for hospitals of every location and size. It is high time that hospitals acknowledge the importance of educating their workforce, ramping up their cyber resilience, and preparing for when a cyber-attack happens.

Kitzelmann uses a brilliant analogy that hospitals can refer to as a reminder of this: Cyber resilience and cybersecurity are a lot like washing our hands and putting a mask on before treating a patient. They ensure both the healthcare provider and the patient are safe and protected. If everyone practices good cyber hygiene, hospital systems might just be able to protect the trust of patients as well as the business.


Looking at cybersecurity through Asian glasses

Gathering thoughts from hospital leaders in Asia about cybersecurity risks, awareness, and solutions

We have been talking about digitalisation in healthcare for several months now. We interviewed and held panel discussions on telemedicine, telemonitoring, and command centres, all of which have been accelerated by the ongoing pandemic.

A significant part of the conversations we had with hospital directors in Asia is cybersecurity. They know what it is, they understand what’s at stake, and they have their individual strategies to tackle it. Almost everyone has their fears but each one holds on to the confidence that the healthcare community in the region is stronger together.

A worrisome beginning

COVID-19 started as a flame and has since grown into a fire that needs extinguishing. When it started, the industry scrambled to save lives and gather all the resources that could help put the fire out. This is when digital health gained traction, and hospitals that were in the early stages of digitalising were forced to expedite the process.

It doesn’t help that the healthcare industry, according to Ryanto Tedjomulja, Chief Information Officer at Siloam Hospitals Group, still lags behind other industries, like financial and telecommunications, when it comes to information security.

As digital is a new undertaking for most, the ride hasn’t exactly been smooth. Jasmine Lau, Chief Executive Officer (CEO) at Nilai Medical Centre, shares how they were filled with worry at the beginning of their electronic medical records journey. Understanding that patient data is a primary responsibility, they were anxious about preserving patient confidentiality, ensuring patient information is secure, and preventing cybercriminals from hacking into their systems. And these worries were warranted as the world saw a heightened risk of cyber-attacks in hospitals.

An even more challenging transition

Cyber threat actors have realised that people are the “weakest link” in hospital systems, and so they leveraged the pandemic-related “fear factor” to steal data. Now that everyone has suddenly become dependent on all things online, users are more vulnerable to phishing and other social engineering methods.

There’s also worry on internal jeopardy. Dr Jeffrey Staples, formerly the Group Chief Operating Officer at United Family Healthcare and now with Metro Pacific Hospitals, mentions the risk of internal data getting to the hands of outside parties.

Today, more than anything, healthcare organisations are forced to look within their systems and build them to become more resilient against dangerous cyber activities that can endanger patient data, erode patients’ trust and confidence, and risk patients’ lives.

A promising way forward

Almost all hospitals have their own team of Information Technology (IT) experts working to guard their security systems. IT teams make sure information does not leak out. Hospitals, when they ventured to use digital technologies, have also complied with international IT security guidelines as cybersecurity is an area they take very seriously.

Part of IT initiatives is the restriction of access to software that may become the easy passage for cybercriminals. At Nilai Medical, not everyone can access all patient records. Each physician has their own search functions to preserve patient confidentiality. They are also not allowed to access several sites, including social media, and to use flash drives.

Technology is a given, but more importantly, cybersecurity is about governance. Yes, political will and government’s participation are essential, but hospital management needs to play their part as well, Caroline Riady, CEO at Siloam, underscores.

Key to achieving cyber-secure hospital systems is improving awareness. Direct users of data can benefit from internal training, orientations, education posters, and online courses on good cyber hygiene. Nilai Medical believes that cybersecurity education for all staff is one step, and that ensuring the strategy and policy are followed and enforced by everyone naturally follows.

At Siloam, employees even undergo an actual test to see if they can recognise a phishing email. Riady emphasises that it’s usually the behaviours that need to be changed; thus, making employees aware that they can be the weak links through which adversaries attack the system is a big push.

Consistent with Kitzelmann’s message about cybersecurity being a true team sport, hospitals in Asia understand that coming together as a community, sharing knowledge and best practices, supporting internal networks, strengthening partnerships with all sectors, and generally keeping defences up are the best ways to tackle the increasing cyber risks that come with digitalisation. If done right, the digital journey might just be as smooth as we can imagine.


Cyber-attack in the time of COVID-19

Hospital Insights Asia talks to Brno University Hospital in the Czech Republic about cyber-attacks in healthcare through the eyes of someone who has seen and experienced one.

At 5 in the morning of 13 March, the Brno University Hospital ordered everyone to turn off their computers. Three hours later, they cancelled all scheduled surgeries, sent several patients home, and transferred patients to other hospitals. Employees were met with an order not to turn any of the computers on.

Brno University Hospital is the second-biggest hospital in the Czech Republic. Responsible for running COVID-19 tests, the hospital has had a vital role to play in the nation’s outbreak response.

The attack at Brno was just one of several data breaches in the healthcare industry during the pandemic. Similar incidents have been reported in the healthcare sectors of other countries, like Thailand, France, Spain, and the United States. The World Health Organisation (WHO) has even found itself the target of several phishing attacks while occupied with the outbreak.

Just a few days back, University Hospital Düsseldorf in Germany experienced a similar attack, which delayed the treatment of a patient, leading to the first ransomware-related death. This increasing number of cyber breaches is largely due to the fact that hackers see the healthcare industry as an area of interest to make money from, Pavel Žára, the spokesperson for Brno University Hospital, tells Hospital Insights Asia.

Hospitals as new targets

Cybercriminals exploit the chaotic situation brought by COVID-19 to hack into computer systems and steal passwords and data.

Ransomware, malware planted illegally on computer systems, allows hackers to disable hospital operations and access confidential data. They then use this as leverage to extort money from the hospital in exchange for the restoration of the system and the protection of data. Extortionists know how crucial it is for hospitals today to have access to patient records and computer systems, and hence know they have a higher chance of making their victims pay.

In recent months, a new Kwampirs malware was also found targeting supply chains around the world. As everyone panics about the shortage of personal protective equipment to deal with the infection, hackers saw an opportunity to control the supplies and make money.

All things digital come with risks

Everyone has suddenly become dependent on digital tools for information, socialisation, education, and even shopping. Hospitals are at their busiest. People are anxious and stressed.

People from around the world want to get updated information about the pandemic. Hackers know this. In fact, ninety-eight percent of cyberattacks in the past few months have used social engineering methods. This underscores that cybercriminals are exploiting human weaknesses to succeed in their illicit activities.

Online users, who are thirsty for updates and filled with anxiety, are tricked into downloading a map that displays COVID-19 statistics. What they don’t know is that the map is only a façade for concealed malware that allows hackers to access their passwords.

But it doesn’t stop here. Cybercriminals go as far as attacking electricity and water supplies in several countries, which impact the pandemic response as these are critical infrastructure even for the healthcare sector.

Thirst for data

Data is crucial to healthcare. Patients’ data should unquestionably remain confidential and protected. Even Hippocrates believed so. After all, patients reveal their most personal and private information to clinicians.

The cyberattack at Brno University Hospital affected “about 50 to 80 percent of data, especially the administrative part,” says Žára. While the system was successfully restored after three weeks, the attack paused the hospital’s operations, consequently impacting the care provided to patients and the hospital’s contribution to the country’s pandemic management.

Brno University Hospital had cybersecurity measures in place even before the pandemic and the attack happened. Primarily, its cyber defences are financed from the hospital’s information technology budget allocations and funds from the Ministry for Regional Development of the Czech Republic’s Integrated Regional Operational Program (IROP).

Yet the scale of the cyber breach was so large that even a hospital with cyber defences was caught off guard. Today, Brno University Hospital, Žára highlights, is further strengthening its cybersecurity measures and allocating more budget for this.

Experts, too, believe that the key to fortifying hospitals’ cyber defences is awareness. Brno University Hospital acknowledges that the attack can happen again, to it and to other hospitals. Hence, being aware of the methods that hackers often use in cyber breaches is necessary to lay out plans on how to counter them. Practising good cyber hygiene among nurses, doctors, administrative staff, and management is also helpful.


Telemedicine through the lens of an insurance company – AXA Asia

Gordon Watson, Chief Executive Officer of AXA Asia, recognises that COVID-19 accelerated the rollout of telemedicine and is optimistic about telemedicine’s role in promoting value-based care.

For AXA Asia, telehealth, together with other online services, has been in its long-term pipeline. With the outbreak of COVID-19, its introduction to the market was fast-tracked. Patients restricted with lockdowns as well as fear of contracting the infection if they go to the hospital found telemedicine convenient.

In an interview with Hospital Insights Asia, AXA Asia’s CEO Gordon Watson notes that the rollout of telehealth is “to not only benefit customers but also wider society as part of AXA’s solidarity efforts, driven by [its] commitment to transform from being a payer to a true health partner”.

Acknowledging the need for telehealth in this challenging time, the insurer offers tele-consult across its markets in Asia and integrates both physical and mental health services.

Watson acknowledges that hospitals can be overwhelmed because of the novel infection, thus, patients can find it difficult to get medical advice or even support for routine medical issues. Telemedicine can enter the equation “to alleviate the burden of the stretched healthcare system and divert customers away from overcrowded hospitals”.

Watson also highlights that telehealth can promote value-based care as patients can have improved access to care through leveraging mobile technologies at a relatively low cost. Likewise, telemedicine benefits both patients and healthcare providers as it is a cheaper and more efficient alternative.

As such, AXA Asia has pledged to offer 5 million free teleconsultation services to customers and even non-customers in the region. Besides leveraging its in-house capabilities, AXA has partnered with service providers to address the unique demands of patients across Asia. 

In China, AXA works with Tencent Trusted Doctors to provide 24/7 online medical consultations through a platform supported by 450,000 physicians and psychologists. Meanwhile, in Japan, policyholders can avail themselves of telemedicine consults through T-PEC and DoctorsMe.

In Indonesia, AXA partners with Halodoc to support the country’s large population in view of its lack of healthcare facilities. Over the past few months, Halodoc has seen a surge in usage. AXA has also made a free teleconsultation program available to more than 2.6 million existing customers, as well as new ones, for a limited time period in Indonesia.

Similarly, all life and select general insurance customers of AXA in the Philippines have been given free teleconsultation services through MyPocketDoctor, which to date has already served around 750,000 clients.

Krungthai-AXA Life also provides teleconsultations for customers in Thailand through its hospital partners, Bangkok Dusit Medical Services and Praram 9 Hospital. 

In Hong Kong, AXA utilised its nurse hotline service launched in 2019 to extend psychological support to COVID-19 patients.

Apart from giving patients a chance to receive care remotely, AXA also understands the importance of providing holistic support to customers. In its telehealth offerings, the company incorporates free mental wellness counselling in China and Indonesia. In Hong Kong, AXA launched its ‘Mind Health Programme’ in January, which is Hong Kong’s first employee benefits cover to provide comprehensive mental health support.

Furthermore, AXA Asia has tapped global expertise from Microsoft’s Azure-bot framework, LUIS Natural Language Processing engine, HealthKeeper, and Sensely to develop Emma, an app envisioned to act as a “customer’s digital health partner”. Emma is already used by customers in Hong Kong and the Philippines, but will soon be introduced to Japan and China as well.

Even though technology is no longer an obstacle in this day and age to telehealth being widely used, regulation and cybersecurity issues pose a challenge to its continued adoption.

For instance, there are no electronic prescriptions in Hong Kong. Therefore, even if patients use teleconsultation services, they still need to go to the physical clinic to get the prescription and medication. While a few healthcare organisations in the city have a license to courier medication to patients, it is observed that telehealth still “remains complementary to traditional clinic visits”.

In other countries, AXA Asia has observed a more relaxed regulatory environment for telemedicine. Japan and South Korea, for example, had a conservative stance on telehealth. But with the outbreak of COVID-19, these countries had encouraged telemedicine services to cater to patients. Similarly, Thailand, Indonesia, and the Philippines have encouraged the use of teleconsultation services during the pandemic.

With regard to the safety of patient data, Watson acknowledges how “big data not only brings opportunities for AXA to provide value-added personalised products and services, but also the overarching responsibility to safeguard such data”. Thus, the company invests heavily in data security and protection. When forging partnerships with third-party providers, AXA ensures that data privacy officers are closely involved. It also has ongoing projects and technology updates to prevent potential breaches. Likewise, the AXA Research Fund supports academic research to further understand data privacy issues and therefore better protect its customers.

“The telemedicine market worldwide is growing and is expected to reach $130 billion by 2025,” says Watson. Over time, the industry will mature and with it comes an improved quality that can significantly address the three components of the ‘iron triangle’ of healthcare: access, cost, and quality. That being the case, Watson is confident that moving to value-based care can be hastened with telehealth.

How cybersecurity could shape the future of healthcare: and how to get it right

Contributed by: Amanda Oon

Hospitals across Asia are on the brink of digital rebirth. Sensitive data races across hyper-connected systems. AI robotics streamline processes, and even perform critical operations. But with finite resources and investment, industry leaders may struggle to secure their digital assets in the rush towards innovation.

For most hospital managers the importance of a strong cyber framework is clear. But the steps to achieve cyber-resilience can be uncertain. With the life of your business – and your patients – at stake, the price of a breach is high. What is the cost – and the value – of good cybersecurity?

New technologies, new risks

New technologies are building a new normal for Asia’s hospitals. Vast volumes of patient data are migrating to the Cloud. This April, Bangkok’s Hospital Pattaya became the first hospital in Southeast Asia to use artificial intelligence in medical scans to diagnose Covid-19. Innovation extends to the front line: last year, Singapore heart surgeons became the first in the region to use robot assistants in surgery.

But with digital progress comes digital risk. Security experts have noticed a “significant increase” in cyber-attacks over the past few months.

In the UK, two companies involved in building emergency coronavirus hospitals were hit by cyber-attacks this month. Interserve and BAM Construct, the companies behind Birmingham’s NHS Nightingale and Yorkshire and the Humber’s hospitals, reported two separate incidents as “part of the wave of attacks on public and private organisations supporting the national effort on Covid-19“. Even as day-to-day business resumed, reports from Interserve admitted that “some operational services may be affected“.

Connected networks and the need to act with urgency leaves hospitals especially vulnerable to overlooking cybersecurity during this critical period.

First steps to security

John Masud Parvez, Chief Transformation and IT, Hoan My Hospital Vietnam believes a major challenge ASEAN hospitals face is that awareness does not always match the pace of innovation. “Data is the new currency”, he warns, “and people don’t always understand it”. Inability to keep track of their digital assets in a hyper-connected world, means that “many hospitals don’t even know they’re being hacked!”

For him, the first step towards cyber-resilience is making sure that hospitals have the adequate in-house technology professionals to build cybersecurity strategy. Parvez believes that every hospital in Vietnam should aim to have a designated IT Director and Chief Information Security Officer. Cyber-awareness should also spread through the veins of the company culture, through regular training and simulation tests for medical professionals. As he describes: “Digitising is like going into a jungle. When you only have one light, you can see so little…but if everyone has a light…you can see everything that’s lurking in the bushes”.

Lessons from SingHealth

Singapore’s cybersecurity market growth outperforms both that of the APAC and wider global markets, with a predicted reach of US$889 million by 2022.  Its companies also lead in investment when it comes to new technologies, such as Cloud, AI and IoT. As Parvez notes, “Singapore was so developed…so when something happened, it sent the whole industry into panic mode”.

In July 2018, the nation suffered its most serious breach of public data yet, when an attack on SingHealth, Singapore’s main national cluster of health institutions, saw a total of 1.5 million patient records accessed and 160,000 records of outpatient prescriptions compromised.

Nanyang Polytechnic adjunct lecturer Navin Nambiar’s 66-year-old mother was among the 700,000 patients impacted by the incident, when her personal and prescription details were stolen. “It is very upsetting…” the 37-year-old explained. “The last thing anyone would want is for their personal information to be leaked out”. Others echoed her concern, and confusion over the hackers’ motives. “I am flustered”, wrote another victim, “as I am not sure what the perpetrators will use this information for”.

Lack of understanding of basic digital security and accountability had huge real-world impact. And Parvez believes it is important “to learn from each other’s mistakes”. Hospitals across Asia laying their cybersecurity foundations can gain a head start by implementing these practices early on. Bruce Leong, Director, Technology and Strategy at Mt. Alvernia Hospital describes the attack as a “wake-up call, and what with realising that healthcare data could be so lucrative (to hackers) most hospitals end(ed) up spending a lot more energy and investment”. The major change he’s noticed since the attack has been the shift in focus towards cyber-resilience from hospital stakeholders and managers.

How much should good cybersecurity cost?

Leong believes “it’s impossible to put an exact figure on how much cybersecurity should cost to a particular organisation”. The key is understanding each organisation’s unique risk appetite: “You’ve got to have a differentiated protection plan in place focusing in protecting your crown jewel”, he explains. “Are we a national institution, or are we some small business with small amount of data?”.

Research suggests that the cost of a breach is about US$200 per patient, while securing those same records costs just $8. But despite 82% of hospital leaders reporting a cyber-attack in the 2018 – 2019 period, only 5% of hospital IT budgets went towards cybersecurity, compared to 15% in other sectors. Across ASEAN hospitals, where “digital is king” and the value of the medical tech industry is estimated at US$130 billion, the size of the cybersecurity budget should grow along with the size of technology spend and the increasing cost of a breach to your business.

Investing in the future

Total cybersecurity spend across APAC is set to reach S$14.2bn by the end of this year. But there is still some way to go.  As Leong notes, “cyber protection is always an on-going and ever changing effort. You need to maintain high vigilance and regularly review the ever changing…threat landscape.” As their digitalisation journey gains pace, healthcare leaders will find that investing in sound cybersecurity training and resources will make the sector a safer place for patients, and a better place for business.