Gathering thoughts from hospital leaders in Asia about cybersecurity risks, awareness, and solutions
We have been talking about digitalisation in healthcare for several months now. We conducted interviews and held panel discussions on telemedicine, telemonitoring, and command centres, all of which have been accelerated by the ongoing pandemic.
A significant part of the conversations we had with hospital directors in Asia is cybersecurity. They know what it is, they understand what’s at stake, and they have their individual strategies to tackle it. Almost everyone has their fears but each one holds on to the confidence that the healthcare community in the region is stronger together.
A worrisome beginning
COVID-19 started as a flame and has since grown to a fire that needed extinguishing. When it started, the industry scrambled to save lives and gather all resources that could help put the fire out. This is when digital health gained traction, and hospitals that were in the early stages of digitalising were forced to expedite the process.
It doesn’t help that the healthcare industry, according to Ryanto Tedjomulja, Chief Information Officer at Siloam Hospitals Group, still lags behind other industries, like finance and telecommunications, when it comes to information security.
As digital is a new undertaking for most, the ride hasn’t exactly been smooth. Jasmine Lau, Chief Executive Officer (CEO) at Nilai Medical Centre, shares how they were filled with worry at the beginning of their electronic medical records journey. Understanding that patient data is a primary responsibility, they were anxious about preserving patient confidentiality, ensuring patient information is secure, and preventing cybercriminals from hacking into their systems. And these worries were warranted, as the world saw a heightened risk of cyber-attacks on hospitals.
An even more challenging transition
Cyber threat actors have realised that people are the “weakest link” in hospital systems, and so they leveraged the pandemic-related “fear factor” to steal data. Now that everyone has suddenly become dependent on all things online, users are more vulnerable to phishing and other social engineering methods.
There’s also worry about internal jeopardy. Dr Jeffrey Staples, formerly the Group Chief Operating Officer at United Family Healthcare and now with Metro Pacific Hospitals, mentions the risk of internal data getting into the hands of outside parties.
Today, more than anything, healthcare organisations are forced to look within their systems and build them to become more resilient against dangerous cyber activities that can endanger patient data, erode patients’ trust and confidence, and risk patients’ lives.
A promising way forward
Almost all hospitals have their own team of Information Technology (IT) experts working to guard their security systems. IT teams make sure information does not leak out. Hospitals, when they ventured to use digital technologies, have also complied with international IT security guidelines as cybersecurity is an area they take very seriously.
Part of these IT initiatives is the restriction of access to software that may become an easy passage for cybercriminals. At Nilai Medical, not everyone can access all patient records. Each physician has their own search functions to preserve patient confidentiality. They are also not allowed to access several sites, including social media, or to use flash drives.
Technology is a given, but more importantly, cybersecurity is about governance. Yes, political will and government’s participation are essential, but hospital management needs to play their part as well, Caroline Riady, CEO at Siloam, underscores.
Key to achieving cyber-secure hospital systems is improving awareness. Direct users of data can benefit from internal training, orientations, education posters, and online courses on good cyber hygiene. Nilai Medical believes that cybersecurity education for all staff is one step, and that ensuring the strategy and policy are followed as well as enforced by all automatically follows.
At Siloam, employees even undergo an actual test to see if they can identify a phishing email. Riady emphasises that it’s usually the behaviours that need to be changed; thus, making employees aware that they can be the weak links for adversaries to attack the system is a big push.
Consistent with Kitzelmann’s message about cybersecurity being a true team sport, hospitals in Asia understand that coming together as a community, sharing knowledge and best practices, supporting internal networks, strengthening partnerships with all sectors, and generally keeping defences up are the best ways to tackle the increasing cyber risks that come with digitalisation. If done right, the digital journey might just be as smooth as we can imagine.