Southeast Asia is now a prime target for cybercriminals around the world. Hospitals must be diligent in their cyber security and employ the proper measures before it’s too late.
Healthcare data is sought after by cybercriminals all over the world, but Southeast Asia, in particular, has emerged as a prime target due to the rapid pace of digitalisation spurred by the pandemic. Hospitals in Thailand, for instance, have deployed “ninja robots” to measure the temperature of patients, and thus protect medical workers and reduce their burden; how difficult is it to imagine hackers gaining access to these robots to steal information, or physically harm patients?
While the use of robotics, artificial intelligence, and Internet-of-Things (IoT) systems is a boon for hospital operations, patient data is at risk of being stolen if the proper precautions or protocols aren’t in place.
Here are several ways hospitals are leaving the figurative back door open for criminals to take advantage:
IoT devices offer many benefits to hospital management, from faster and more accurate treatments to better resource management and decreased error rates. However, these IoT devices don’t always come with built-in security features.
Security software company McAfee Enterprise found critical vulnerabilities in two types of medical infusion pumps, which could be exploited to modify a pump’s configuration. This could endanger patients, as their prescribed dosages could then be manipulated. Singapore-based cyber security agency SingCERT also discovered vulnerabilities in over 100 million internet-connected devices, including medical equipment.
It’s important for hospitals to consider cyber security expenditure when coming up with budgets for their digital transformation; one without the other will only put patients at risk. Real patient protection includes cyber protection, too.
Even the best cyber security can falter if not handled with the proper precautions. Negligence always creates room for risk.
For example, healthcare training provider HMI Institute of Health Sciences was fined S$35,000 by the Personal Data Protection Commission (PDPC) for a 2019 breach where the personal data of 98,000 Ministry of Defence, Singapore and Singapore Armed Forces personnel was leaked. It was discovered that HMI left itself vulnerable to a well-known risk for more than four years.
Upon further inspection, the PDPC also uncovered other data protection lapses in the company. HMI used a single password that was shared between its IT administrator and at least three other employees of its IT solutions service provider. Passwords also contained the acronym of the organisation’s name, and there was no two-factor authentication for log-ins.
Cyber security is a joint effort across the entire organisation, not just the duty of an individual or team. Addressing the possibility of human error is just as important as securing connected devices; to forestall lapses resulting from social engineering exploits, organisations must be vigilant about training everyday users of the company’s network to enforce cyber security best practices.
With that being said, there is always the risk of breach even when the proper precautions are followed. Institutions must be prepared to make a quick and appropriate response to mitigate some of the damage.
For instance, one of the biggest follies with the SingHealth data breach — also known as the “worst breach of personal data in Singapore’s history” — was its failure to comply with the protection obligation. Its Chief Information Officer failed to adhere to SingHealth’s IT security incident reporting processes even after being informed of multiple failed attempts to access SingHealth’s patient database. This resulted in multiple missed opportunities to prevent the theft and exfiltration of data.
While the threat of cybercrime is always around the corner, hospitals must be vigilant in their defence. Hospital managers can do this by adopting a zero-trust approach, in which the network assumes it has been compromised and challenges users to prove they are not attackers.
Cyber security should also be a mindset adopted not just by the IT professionals and cyber security managers, but also the staff. As healthcare providers focus primarily on caring for patients, they must also be taught and trained to put the same amount of care into protecting their patients’ privacy. This includes knowing what to do in case of a breach. The Ministry of Health outlines specific steps to take in case an institution experiences a breach.
Lastly, hospital managers must maintain constant vigilance, regularly updating networked anti-virus software and firewalls protecting their connected medical devices.
To make it easier to comply with cyber security best practices, hospitals that are in the midst of their digitalisation journey can use trusted systems that can consolidate the operational workflow of hospitals into one platform. Not only will this improve patient care, it also makes it easier for hospitals to manage their transition and implement the proper measures to protect them from cybercrime. Thomson Hospital Kota Damansara in Malaysia, for instance, worked together with T-Systems to implement SAP for Healthcare—a single platform solution hosted on the Azure public cloud, providing a solid foundation for the hospital’s expansion and digital transformation.