According to the CBSi B2B Cybersecurity Study, Asia Pacific 2018, one of the biggest challenges faced by an organisation’s cybersecurity framework is aligning cybersecurity with business priorities. Jega Ponnudurai, Industry General Manager, Healthcare & Life Sciences, Asia, DXC Technology, recommended that healthcare organisations tackle this challenge by linking the costs and benefits of cybersecurity to the value of regulatory compliance.
This is especially critical for the segments most closely linked to patient safety and patient data confidentiality, which call for more investment in security frameworks within application parameters. These segments include clinical documentation, pharmacy and medication management, tests and investigations, and critical care support systems. Ponnudurai, who has more than 25 years of experience in the telecommunication and healthcare industries, shares his insights on the cybersecurity threat and risk landscape in Asia Pacific.
Most common cybersecurity threats/risks to healthcare organisations in APAC
Specific to healthcare organisations, the main cybersecurity threats and risks involve Electronic Medical Record (EMR) data leakage, especially of sensitive operational data (such as billing disputes or patient dissatisfaction) and clinical data (such as HIV/STD diagnoses), whether with the purpose of maligning private or public health settings or of getting hold of VIP patient data. However, Ponnudurai explained that they had not come across cases where a data leakage threat ended in a ransom demand, although it could happen.
Network and workplace-related security threats are no different from those of other industries – these include ransomware, endpoint attacks, phishing and many others.
Key lessons from a series of healthcare-related data breaches/leaks in Singapore
One of the key lessons learnt is the importance of having security not only from the outside but also from within an organisation. There is also a need for independent cybersecurity auditors to be put in place, and for such audits to be carried out more frequently.
“Internet separation models and the design of data security zones are becoming more and more pertinent in terms of de-risking data at rest,” said Ponnudurai. There also needs to be diligent scoping of cloud data assets, and for cross-application landscapes, data security and accessibility should be governed and designed by information area at a corporate level, not at an individual application level.
From within an organisation, locally inflicted human threats (from contractors or internal employees) need to be closely controlled and monitored.
Blind spots in the management of cybersecurity threats/risks
One of the areas usually overlooked by healthcare organisations in the management of cybersecurity threats and risks is application security in clinical applications. Most large healthcare organisations have a mesh of clinical and operational systems: Patient Administrative System (PAS), EMR, Finance, Billing, ancillary systems for pharmacies and laboratories, Radiology Information System (RIS)/Picture Archive and Communication System (PACS), etc. Often these systems need to exchange information, and security breaches are most likely in a) data in motion, such as interfaces and message queues, and, more importantly, b) context switching, such as accessing an application's logic, data or screen from another application.
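The context-switching weakness described above is easiest to see in code. The following is an added example, not code from the article or from DXC Technology: it contrasts a receiving clinical application (an EMR viewer, constructed here) that trusts the user and patient identifiers exactly as the calling application placed them in a link, with one that only accepts a short-lived HMAC-signed handoff token and then re-checks the user against its own access policy before showing the record. The shared key, user names, patient identifiers and record contents are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret between the two hypothetical applications; in a real
# deployment this comes from a secrets store and is rotated, never hard-coded.
HANDOFF_KEY = b"constructed-handoff-key-placeholder"

# Constructed EMR access policy and records (hypothetical users and patients).
EMR_ACCESS = {"dr_lee": {"P1001"}, "nurse_tan": {"P1001", "P1002"}}
EMR_RECORDS = {
    "P1001": "constructed clinical note for P1001",
    "P1002": "constructed clinical note for P1002",
}


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, for embedding in a link."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64, restoring any stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def insecure_open_record(patient_id: str, caller_user: str) -> Optional[str]:
    """Vulnerable pattern: the EMR viewer trusts whatever identifiers the calling
    application (e.g. a PAS screen) put in the link and never re-authorises."""
    return EMR_RECORDS.get(patient_id)


def issue_handoff_token(user: str, patient_id: str, ttl: int = 60,
                        now: Optional[float] = None) -> str:
    """Calling-application side: bind the user, patient and an expiry into a
    token signed with the shared key, so the receiving application can verify
    who initiated the context switch and for which patient."""
    now = time.time() if now is None else now
    claims = {"user": user, "patient": patient_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def secure_open_record(token: str, now: Optional[float] = None) -> Optional[str]:
    """Receiving-application side: verify the signature and expiry, then re-check
    the named user against the EMR's own access policy before returning data."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # tampered or forged handoff
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token
    if now > claims["exp"]:
        return None  # stale link, e.g. copied out of a browser history
    if claims["patient"] not in EMR_ACCESS.get(claims["user"], set()):
        return None  # the EMR enforces its own policy, not the caller's
    return EMR_RECORDS.get(claims["patient"])


if __name__ == "__main__":
    token = issue_handoff_token("dr_lee", "P1001")
    print("secure handoff:", secure_open_record(token))
    print("insecure handoff for a patient the user may not see:",
          insecure_open_record("P1002", "dr_lee"))
```

The essential design choice is that authorisation is decided by the application that owns the data, at the moment of access, rather than inherited from the application that built the link; the signed token only proves who started the switch and prevents the identifiers from being altered in transit.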
“A robust Development, Security and Operations (DevSecOps) Strategy should be imbibed early in the life-cycle for health application design,” Ponnudurai added.
Managing increased cybersecurity threats with reduced budgets and lack of trained experts
Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are constrained by reduced budgets and a lack of trained professionals to deal with ever-increasing cybersecurity threats and incidents. Ponnudurai's suggestion for tackling the issue is to study the impact of cybersecurity breaches from both a financial perspective and that of the personal trauma suffered by the impacted parties. Most healthcare providers' concern about cybersecurity has made them hesitant to venture into cloud-based services, and this hesitation in turn has a direct cost impact on the running of a healthcare service provider.
Increasingly, cloud adoption should be backed by cyber defence and orchestration strategies, including intelligent security operations and continuous threat monitoring, using a leveraged Security Operations Centre (SOC) model that reduces upfront capital expenditure (CapEx). This provides best-of-class protection with a spread-out cash flow, he concluded.