With any data, we need to ensure measures are in place to secure the data at each stage of its lifecycle. This starts with identifying data that needs to be protected, and understanding how it will be moved from one entity to another.
The healthcare sector will need to ensure that there are secure data transfer policies, access controls so that data is accessed by the right person and used for the right purposes, and secure practices for data disposal.
Singapore's Ministry of Health says the healthcare sector is 50x more valuable on the black market than financial information. In its Sentinel Event Alert released on 15 August 2023, the Joint Commission reported that in 2022, 707 data breaches occurred in the US, exposing 51.9 million patient records, with the most common breaches coming from network servers and emails.
Drawing on the lessons learned during the COVID pandemic, the Singapore government is undertaking what it describes as a long-term healthcare reform, calling the process a pivotal phase of its transformation journey.
The reform will see the Singapore government invest in information technology "focusing on mission-critical national systems for hospital billing, drug ordering and dispensation, and the maintenance of national medical databases."
The success of this reform will require collaboration across different health providers, and access to patient data is a crucial component. The ministry plans to table a new bill in the second half of 2023 to enable the sharing of patient information across different healthcare providers, which will allow for uninterrupted and holistic care for patients.
According to Leonardo Hutabarat, head of solutions engineering for APJ at LogRhythm, there are established security practices to secure data shared through the typical communication methods on the web and over emails.
He opined that the healthcare sector will need to go a step further and ensure that communications between medical devices that collect healthcare data (e.g. an X-ray machine), and the health information systems that manage these healthcare data are secured as well.
"It is important that these systems and devices are implemented according to specialised protocols in the health industry," he continued.
The digitalisation of healthcare comes with a warning
John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, says hospitals have become data aggregators. Hospitals not only have large volumes of protected health information, he continued, but they also have personally identifiable data on patients, including payment information.
"Many hospitals and health systems also have highly valuable medical research. All these data sets, individually and in combination, make hospitals a target-rich environment for cyber gangs and nation-state actors alike," he continued.
As governments look to implement the sharing of data, it is imperative to ensure that the resulting data ecosystem is sufficiently robust to respond to cyberattacks.
Hutabarat believes policy and governance will be key when it comes to people, processes, and technology. When it concerns data protection of health information, the focus is on implementation.
"We need to ensure that cybersecurity tools are in place to aid healthcare institutions in responding to attacks," he added. "Early threat detection and swift data recovery would help citizens instil confidence and trust in data sharing. Secondly, implementing a centralised technology to monitor, track and respond to threats is crucial for visibility and safeguarding data."
Persistent attacks despite investments
A MarketsandMarkets report estimates that the healthcare sector will spend US$18.2 billion on cybersecurity solutions in 2023. This will rise to US$35.3 billion by 2028.
FutureCIO has received comments from private and public healthcare CISOs who query why they remain under constant attack despite significant investments in cybersecurity solutions.
Hutabarat laments that security is never fully foolproof. He does, however, believe organisations can choose to prioritise protection of their crown jewels with two approaches.
"The first approach would be to protect your environment by implementing cybersecurity best practices like zero trust solutions — where an attack on a certain segment stays isolated and does not affect the others. Second, to look into common threats or recent attack techniques within your industry, and implement a cybersecurity approach that is suited to each threat."
Leonardo Hutabarat
Recommendations for upping the cybersecurity posture
According to Hutabarat, it will be crucial to get stakeholder buy-in on the importance of cybersecurity. "This can be done by raising awareness of cybersecurity threats through common communications channels, training employees to respond to threats through simulations of cybersecurity attacks, and monitoring employees’ actions for anomalous behaviour to prevent insider cybersecurity threats," he concluded.
In the accompanying PodChat, Hutabarat elaborates on the hurdles to the digitalisation of healthcare, addressing the following questions:
- Healthcare reform, as in the case of Singapore, will entail the sharing of patient data between healthcare providers – both public and private. What challenges must the system overcome in this undertaking?
- What are some factors that will be crucial to the success of such an initiative? Can you cite any learnings from other governments that have implemented something similar?
- What needs to be done to build a robust data ecosystem and build citizen trust?
- In recent years, healthcare systems have come under cyberattack. It is puzzling that despite spending US$17.35 billion in 2022 taking advantage of the latest in security solutions and services, healthcare organisations remain vulnerable. Why is this continuing to occur?
- How can healthcare institutions protect themselves from the risk of cyberattacks and safeguard sensitive patient data?
- For CIOs, CISOs and leadership at healthcare organisations – both private and public – any recommendations for getting buy-in and support from stakeholders?