While their clinical colleagues are fighting on the frontlines of the war against COVID-19, IT and cybersecurity officers in hospitals around the world are fighting an equally brutal battle – against cybercriminals and threat actors.
Hospitals are attractive targets for cyberattackers, as they hold large amounts of valuable and potentially lucrative information, such as patient records, medical data, and treatment methods. A cloud security firm report counted some 599 healthcare information breaches in 2020 in the US alone, that collectively affected over 26 million individuals. This was more than double the numbers reported in 2018, where 290 cases of breaches were counted, and 11.5 million individuals were affected.
The consequences of a severe data breach can be dire. After a 2017 phishing attack and a separate 2018 data breach, patients filed a class-action lawsuit against UnityPoint Health, a US-based healthcare provider. Patients complained that they were “harassed and inundated with unwanted, unsolicited and unlawful spam and phishing emails”, or hit with attempts to open unauthorised credit cards in their names.
On the other side of the world, Channel NewsAsia reported that the number of cyberattacks using COVID-19 as a lure has surged across all industries in Singapore since early 2020, when the pandemic started its rapid spread across the world. The country’s healthcare sector, was the worst hit, with phishing attacks rising by almost 200 times in the first four months of 2020.
Challenges in managing cybersecurity
Attackers have pounced on public fear and attention on COVID-19 as a bait to gain access to devices and systems. Mr Linus Tham, Group Chief Information Officer of IHH Healthcare, noted that for his organisation, “the most significant increase in malicious activity was around using email as a point of entry, for example hiding under the guise of COVID-related news, alerts or directives.”
As an international hospital operator, operating 80 hospitals in 10 countries, IHH Healthcare works with numerous partners in delivering a suite of private healthcare services. This group may be a vulnerability that could be compromised by cyber attacks. Mr Tham explained, “In our operating model, we have ‘risky people’ in the form of our doctors cum partners, who are not our staff but partner with us to provide care. They require access to our systems not just within our facilities such as our hospitals and wards, but also from their clinics, homes and personal mobile devices. However, these are areas which we are not given permission to fully manage from a cybersecurity perspective.”
In a way, the rapid adoption of digital technologies in healthcare is posing an increased cyber risk. As hospitals engage patients over digital platforms more often, Mr Tham raised that the varying levels of awareness amongst the patients about cybersecurity creates “more exposure to cyber threats from different devices”.
The use of IoT (Internet of Things) in healthcare – creating a network of devices that connect and exchange data with each other – holds much potential in raising efficiency of operations, improving data analytics and advancing remote monitoring capabilities. However, Mr Tham cautioned that there is a need to ensure that IoT devices are secure against cyberattacks. “With the ever-increasing prevalence of IoT in healthcare devices used by patients, staff and our doctors and partners within our walls, this presents increased risks. This is a new area which needs to be addressed as protecting these groups of stakeholders requires different approaches compared to other technologies.”
Beefing up security measures
So what can healthcare organisations do to mitigate cyber risks? In preventing email phishing attacks, a robust organisation-wide email security programme is essential. IHH Healthcare has put in safeguards at ‘entry points’, where malicious emails are identified by their source, content or other warning flags, and blocked promptly; and another round of checks at ‘end points’, or the users’ PCs and laptops.
To ensure the organisation quickly detects and isolates any outright hacking attempts, IHH Healthcare had also established a Security Operations Centre (SOC). A SOC – staffed by an information security team, equipped with the necessary technology tools, and guided by a detailed set of processes and procedures – would be monitoring, analysing and responding to cyber incidents on an ongoing basis.
In the face of the rapid rate at which new cybersecurity threats are emerging, it is crucial for healthcare organisations to ‘stay nimble’. “We need to stay committed in monitoring the landscape of new threats so we are able to adapt and adjust our responses accordingly,” said Mr Tham. “It is a continuous process of protecting our systems, data and most importantly, our patients.”