Stephan Neumeier (Kaspersky)
The rise of digitally connected hospitals in Asia Pacific is exposing the healthcare sector to a new range of cyber threats, triggered by increased spending on advanced technologies.
In a regional healthcare market forecast to spend US$12.2 billion on technology in 2019 - rising to $14.9 billion by 2022 - hospitals are building out technology portfolios with the aim of improving care quality in both public and private sectors.
Increased IT investment is generating new cyber challenges however, creating a backdoor for hackers targeting the treasure trove of data housed within advanced digital hospitals.
“Healthcare is considered one of the fastest growing industries in the market but from a cyber security perspective, it’s not always the most relevant which has to change,” said Stephan Neumeier, managing director of Asia Pacific, Kaspersky. “We believe there has to be more focus on cyber security in healthcare because hospitals today are becoming very modern and digitalised.
“Some of the technology in place today was completely unimaginable only a few years ago, such as conducting surgery remotely or through 5G. Imagine a cyber attacker interrupting this type of surgery, this is very serious.”
Addressing regional media during Cyber Security Weekend in Myanmar, Neumeier said that on average, a cyber breach could cost a single healthcare organisation $23.3 million in losses across Asia Pacific.
“We’re seeing more threats against the healthcare sector,” he added. “Hospitals store a lot of data and because of that they are becoming victims of highly targeted attacks. Not many hospitals are profitable today because of the huge investments they have to make in new treatments and technologies, so losing this amount of money is very painful and difficult to recover from.”
Perhaps the most high-profile security breach in healthcare during the past 12-18 months occured in Singapore, through the attack on SingHealth.
As reported by Channel Asia, this incident was billed as the most serious attack in the nation states history, impacting 1.5 million patients to SingHealth’s specialist outpatient clinics between 1 May 2015 and 4 July 2018.
Likewise in Australia, the private health sector once again topped the list of sectors with most data breach reports to the Office of the Australian Information Commissioner (OAIC) from October to December 2018.
Revealed by ARN, out of the 262 data breaches reported to the OAIC under the Australian Notifiable Data Breach (NDB) scheme, 54 came from the private health sector followed by finance (40); legal, accounting and management services (23); private education providers (21) and mining and manufacturing (12).
Digital hospitals
In 2019, Neumeier said more hospitals are evolving into “digitalised and modern” organisations, driven by an increasingly competitive marketplace and the need to recruit new patients on a regular basis.
Reflective of changing market dynamics in healthcare, “ultra-modern” hospitals now have a mandate to provide personalised entertainment for partners, while ordering food without wastage and booking medical appointments at speed.
Specific to patient care, and due to the rise of digital hospitals, Neumeier said surgeries are becoming more remote, experts are becoming connected via video and Internet of Things (IoT) healthcare products are now deployed to measure health statuses.
“Healthcare is an old sector but today we’re seeing ultra-modern hospitals emerge across the region, in places such as Australia and Singapore,” Neumeier explained. “Investments have to be made in the most advanced equipment and technology because hospitals are competing with each other.
“The patient now has a choice and patients usually go to the hospitals with the best treatments and most advanced technologies, creating a need to have up-to-date offerings.”
Citing 5G, video and IoT as examples, Neumeier said the evolution of healthcare is evident through the rise of bedside terminals, seen as a new way to enhance user experience while also boosting profits.
“Investments are not cheap and because of this, hospitals are struggling to run their businesses profitably, they need to find other ways to become a profit centre,” he said. “Bedside terminals in Australia are very popular for example, and patients now expect this as part of the experience which represents new income for hospitals.
“Many vendors exist within this market but connections to wi-fi are not as secure as they should be. This is placing pressure on hospitals because they are motivated to reduce costs while still investing in new technologies. As a result, not all new technologies and deployments have cyber security in mind.”
For Neumeier, such a shift in buying behaviour has created holes in security frameworks, placing hospitals in “vulnerable” situations across the region.
“Security is not considered as strongly as it should be,” he cautioned. “Once hospitals have invested in new equipment and devices, they are staying in use for 10 years or more and software updates are not as frequent as they should be which creates risks.”
Coupled with an ageing population in Asia Pacific - chiefly across Australia, Singapore, Japan and Taiwan - and the rise of more advanced services, Neumeier said healthcare is facing a “chicken and egg” scenario in the modern day.
“Patients are living longer and more treatments and technologies are required,” he said. “This is placing new demands on hospitals which will only increase over the coming years.”
To combat such challenges, Neumeier said Kaspersky - and its expanding base of channel partners - must “shift the sector’s attitude” towards cyber security through improving its level in the “priority hierarchy”.
With not enough dedicated chief security information officers (CISOs) in roles - compared to more advanced security sectors such as banking and finance - the onus is now on hospitals to focus on the “human-factor” as a first point of approach.
Then, Neumeier advised, plans should be in place to enhance system infrastructures and privacy protocols, alongside setting up a dedicated security operation centre (SOC) to bolster defences.
“We find that prevention is better than cure,” he added. “Cyber security should be a leading mindset for CIOs in hospitals but unfortunately that’s not the case currently.
“Look at a bank, they deal with similar amounts of data and they are super secure today because the investments they make in security are way above that of healthcare. Healthcare must do the same and we advise hospitals to rethink their entire security strategy and posture.”
James Henderson attended Cyber Security Weekend in Myanmar as a guest of Kaspersky.
