Real-life cybersecurity challenges from hospital CIOs

Experts share insights and recommendations on how hospitals can strengthen their cyber defences in light of increasing cyber-attacks during COVID-19.


Fuller Yu, Chief Information Security Officer (CISO), Hong Kong Hospital Authority

Leon Chang, Head, Cyber Defence Group, Integrated Health Information Systems (IHiS)

Carlos Arglebe, Corporate Cybersecurity Officer, SVP, Siemens Healthineers (moderator)

Gagandeep Singh, Vice President & Group CISO, IHH Healthcare Berhad (moderator)


The pandemic has made hospitals more vulnerable to cyberattacks, as cyber adversaries exploit how busy hospitals are. It is timely, therefore, that hospitals start to prepare more aggressively for these attacks on their systems in order to protect patient and organisational data. The most recommended approach is to evaluate factors such as what we're trying to secure, the value proposition, risk assessment, the financial model, and the hospital's capabilities.

It is also recommended that hospitals build on their detection and response capabilities, especially today, when technology is more widely used in healthcare. Hospitals ought to understand that digitalisation and cybersecurity go together: higher usage of technology and more complicated devices also require stronger cyber defences.

Moreover, we have to acknowledge that cybersecurity is a journey. It is a long-term effort; hence, there should be no question of whether it has investment value. Building cyber resilience complements business resilience, and this is what hospitals have to understand when faced with the dilemma over the resources required to build cyber capabilities. Likewise, hospitals can start with the resources they already have and try to maximise them.

Finally, the key thing about cybersecurity is that it is about collaboration and communication. Hospitals often mistakenly assume that cybersecurity is just about IT and tend to forget that people can be the weakest links. We could have the most advanced technology to protect us from attacks, but if our hospital staff are poorly trained or have poor awareness of cybersecurity, we could still fall victim. What hospitals need to do, therefore, is make sure everyone in the organisation has a proper understanding of cybersecurity risks and avoids compromising data privacy.

Key Takeaways

  1. No one is immune to cyberattacks.
  2. Cybersecurity should be integrated from the design level.
  3. Digitalisation and cybersecurity go hand in hand.
  4. Organisations need to protect staff as digital citizens.
  5. Hospitals need to look at cybersecurity as a journey.
  6. Cyber resilience equates to business resilience.