How cybersecurity could shape the future of healthcare: and how to get right
Hospitals across Asia are on the brink of digital rebirth. Sensitive data races across hyper-connected systems. AI robotics streamline processes, and even perform critical operations. But with finite resources and investment, industry leaders may struggle to secure their digital assets in the rush towards innovation.
For most hospital managers the importance of a strong cyber framework is clear. But the steps to achieve cyber-resilience can be uncertain. With the life of your business – and your patients – at stake, the price of a breach is high. What is the cost – and the value – of good cybersecurity?
New technologies, new risks
New technologies are building a new normal for Asia’s hospitals. Vast volumes of patient data are migrating to the Cloud. This April, Bangkok’s Hospital Pattaya became the first hospital in Southeast Asia to use artificial intelligence in medical scans to diagnose Covid-19. Innovation extends to the front line: last year, Singapore heart surgeons became the first in the region to use robot assistants in surgery.
But with digital progress comes digital risk. Security experts have noticed a “significant increase” in cyber-attacks over the past few months.
In the UK, two companies involved in building emergency coronavirus hospitals were hit by cyber-attacks this month. Interserve and BAM Construct, the companies behind Birmingham’s NHS Nightingale and Yorkshire and the Humber’s hospitals, reported two separate incidents as “part of the wave of attacks on public and private organisations supporting the national effort on Covid-19“. Even as day-to-day business resumed, reports from Interserve admitted that “some operational services may be affected“.
Connected networks and the need to act with urgency leaves hospitals especially vulnerable to overlooking cybersecurity during this critical period.
First steps to security
John Masud Parvez, Chief Transformation and IT, Hoan My Hospital Vietnam believes a major challenge ASEAN hospitals face is that awareness does not always match the pace of innovation. “Data is the new currency”, he warns, “and people don’t always understand it”. Inability to keep track of their digital assets in a hyper-connected world, means that “many hospitals don’t even know they’re being hacked!”
For him, the first step towards cyber-resilience is making sure that hospitals have the adequate in-house technology professionals to build cybersecurity strategy. Parvez believes that every hospital in Vietnam should aim to have a designated IT Director and Chief Information Security Officer. Cyber-awareness should also spread through the veins of the company culture, through regular training and simulation tests for medical professionals. As he describes: “Digitising is like going into a jungle. When you only have one light, you can see so little…but if everyone has a light…you can see everything that’s lurking in the bushes”.
Lessons from SingHealth
Singapore’s cybersecurity market growth outperforms both that of the APAC and wider global markets, with a predicted reach of US$889 million by 2022. Its companies also lead in investment when it comes to new technologies, such as Cloud, AI and IoT. As Parvez notes, “Singapore was so developed…so when something happened, it sent the whole industry into panic mode”.
In July 2018, the nation suffered its most serious breach of public data yet, when an attack on SingHealth, Singapore’s main national cluster of health institutions, saw a total of 1.5 million patient records accessed and 160,000 records of outpatient prescriptions compromised.
Nanyang Polytechnic adjunct lecturer Navin Nambiar’s 66-year-old mother was among the 700,000 patients impacted by the incident, when her personal and prescription details were stolen. “It is very upsetting…” the 37 year-old explained. “The last thing anyone would want is for their personal information to be leaked out”. Others echoed her concern, and confusion over the hackers’ motives. “I am flustered”, wrote another victim, “as I am not sure what the perpetrators will use this information for”.
Lack of understanding over basic digital security and accountability had huge real world impact. And Parvez believes it is important “to learn from each other’s mistakes”. Hospitals across Asia laying their cybsersecurity foundations can gain a head start by implementing these practices early on. Bruce Leong, Director, Technology and Strategy at Mt. Alvernia Hospital describes the attack as a “wake-up call, and what with realising that healthcare data could be so lucrative (to hackers) most hospitals end(ed) up spending a lot more energy and investment”. The major change he’s noticed since the attack has been the shift in focus towards cyber-resilience from hospital stakeholders and managers.
How much should good cybersecurity cost?
Leong believes “it’s impossible to put an exact figure on how much cybersecurity should cost to a particular organisation”. The key is understanding each organisation’s unique risk appetite: “You’ve got to have a differentiated protection plan in place focusing in protecting your crown jewel”, he explains. “Are we a national institution, or are we some small business with small amount of data?”.
Research suggests that the cost of a breach is about US$200 per patient while to secure those same records costs just $8. But despite 82% of hospital leaders reporting a cyber-attack in the 2018 – 2019 period, only 5% of hospital IT budgets went towards cybersecurity, compared to 15% in other sectors. Across ASEAN hospitals, where “digital is king” and the value of the medical tech industry is estimated at US$130 billion the size of the cybersecurity budget should grow along with the size of technology spend, and the increasing cost of a breach to your business.
Investing in the future
Total cybersecurity spend across APAC is set to reach S$14.2bn by the end of this year. But there is still some way to go. As Leong notes, “cyber protection is always an on-going and ever changing effort. You need to maintain high vigilance and regularly review the ever changing…threat landscape.” As their digitalisation journey gains pace, healthcare leaders will find that investing in sound cybersecurity training and resources will make the sector a safer place for patients, and a better place for business.