Why cybersecurity needs to be a priority for healthcare in its digital journey

From data breaches, to the complete shutdown of a hospital’s IT system, the consequences of cyberattacks cannot be ignored by the healthcare industry, says Tony Hartono, Information Technology Expert for Indonesia’s Hospital Association (PERSI).

To overcome the challenges brought on by the COVID-19 pandemic, most hospitals have begun utilising digital solutions – such as telehealth and virtual pharmacies, among others – to provide quality care to their patients.

As a result of widespread digitalisation in the industry, medical institutions have been able to enjoy the many benefits that come from digitalising their operations and processes, while patients have also been able to receive more holistic care from their healthcare providers.

With COVID-19 unlikely to go away anytime soon, if at all, it is highly likely that healthcare’s digital transformation will be permanent.

There is, however, a crucial yet oft-overlooked element in the healthcare sector’s digital journey: cybersecurity.

According to a study by Bitglass published this year, the number of healthcare cyberattacks in the United States in 2020 increased by 55% compared to 2019, which resulted in the protected health information (PHI) of close to 26 million people in the country being compromised.

It is also estimated that healthcare data breaches are costing the US industries around US$6.2 billion per year, while PHIs can be sold for as much as US$363 each – making it more valuable than any piece of information from other sectors.

These startling statistics only serve to further reinforce the belief of Tony Hartono, Information Technology Expert for Indonesia’s Hospital Association (PERSI), that cybersecurity needs to be a priority for hospitals, especially in this digital age.

Tony Hartono, Information Technology Expert for Indonesia’s Hospital Association (PERSI)

“Hospitals continually face evolving cyber threats that can put patient safety at risk,” Hartono explained. “Cybersecurity is not only a technical issue that is under the IT department only. The C-level must also see cybersecurity and patient safety as important.

“Healthcare records are very easy to be sold on the dark web, and its value could be 10 times more than a credit card crime. Other than that, cyberattacks on electronic health records (EHR) also pose risks to patient privacy, which puts the hospital at risk of lawsuits that will affect the hospital’s financials and reputation.

“In addition, cyberattacks on the EHR can alter patient data, which could eventually affect patients’ health and medical outcomes.

“So, cybersecurity investment is becoming more important in this day and age, especially as hospitals are becoming more connected. Without proper cybersecurity, the attack vector to the hospital system will increase, and attacking the hospital will become easier.”

Some of the common gaps in hospitals’ cybersecurity that Hartono observed include insufficiently protected websites and servers, a lack of encryption to protect sensitive data, weak security on medical devices and equipment, and an absence of cybersecurity policies and procedures.

Most of these gaps, Hartono claims, stem from insufficient awareness within the organisation of the dangers of cyberattacks, which leads to less emphasis being placed on the aspect of cybersecurity.

“The C-level executives at most hospitals generally do not consider cybersecurity crucial to their operations,” Hartono said. “This means there is usually too little budget allocated to it, and so, most hospitals won’t be able to get the right support staff and services in place to secure their cyberspace.

“Cybersecurity is the responsibility of everyone in the hospital’s workforce, but many staff are not properly trained – if at all – in this area, so they are prone to making mistakes that could leave their organisation’s cyberspace vulnerable.

“There is also a distinct lack of strong security compliance in a lot of hospitals. This, again, is a result of the top executives not paying enough attention to cybersecurity within the hospital.”

Given the rampant cyber threats faced by healthcare, experts are predicting that the global cybersecurity market in the industry will reach a whopping US$125 billion by as early as 2025.

Likewise, Hartono strongly advises hospitals in the region to invest in their cybersecurity capabilities sooner rather than later.

He said: “Hospitals have to start making cybersecurity one of their top strategic priorities. They must first have a chief information security officer (CISO) or a security expert in a C-level position. They must then be given enough resources to execute the cybersecurity policies that they want to implement.

“Increasing the cybersecurity literacy of the hospital’s workforce, through mandatory and repeated training, is also important. At the minimum, however, hospitals should obtain the ISO 27001 (Information Security Management) certification, with ISO 27002 and ISO 27799 (Health Informatics) guidelines.

“By establishing a strong cybersecurity culture within your hospital, you can substantially reduce the risk of falling prey to cyberattacks.”


To find out more about cybersecurity in healthcare, join Tony Hartono and other esteemed speakers from the industry at HMA 2021 this September. Click here to register for the conference today!