(In)security in the healthcare industry – immunity at stake


Wandile Mcanyana | Security Lead | Accenture Africa

Renowned French philosopher Paul Virilio once said: “When you invent the ship, you also invent the shipwreck.” How inevitable is this in technology today? Security professionals are having to work hard at putting in measures, best practices, mapping systems, lighthouses and beacons in order to reap the benefits of new innovations, all while managing potentially catastrophic risks.

Organisations are working tirelessly to avoid being like the Titanic. You certainly see it. And as we work with clients, we see it first-hand every single day, across the globe.

The healthcare sector continues to explore opportunities to improve healthcare outcomes for patients as well as effectiveness and efficiency of service delivery through the introduction of technology.

Business leaders who have cybersecurity top of mind are questioning whether investment in security is enough, whether it is going into the right things, and whether it is commensurate with the probable cyber security threats and risks posed.

Business leaders know it’s not enough to focus purely on prevention of security breaches. To truly defend and empower your organisation, you need to prepare for known and unknown threats; better yet, take a proactive stance, assume a security breach, and search for and evict adversaries on company networks.

Cybersecurity context for the healthcare industry

As a data-sensitive industry, healthcare is not immune to cybersecurity issues. Health information is one of the categories of data considered to be ‘Special Personal Information’ under Section 26 of the Protection of Personal Information Act (POPI).

Data about patient diagnoses, chronic illnesses and personal information is highly sensitive. As such, consumers have high expectations for digital trust, and it is important to shift from prevention to detection and response given the near certainty of security breaches.

Overall, the rapidly changing IT environment is creating greater opportunities for attacks on hospital systems. There has been broad adoption of ‘New IT’ and a proliferation of mobile computing and bring-your-own-device (BYOD) policies. Data shows that hospitals house an average of 10-15 IoT devices per bed.

Manufacturers of medical devices are taking precautions to minimise cyber risks by adopting foundational security-hygiene practices, for example disabling file transfer capabilities such as USB drives, which are a common means of propagating malware.

A well-known German medical manufacturer ensured it disabled the USB port on its incubators. However, not all manufacturers are as diligent when it comes to minimising the chances of cybersecurity attacks.

The healthcare sector, as with other industries, is reliant on an extended ecosystem of suppliers in the delivery of patient care. Digital transformation across the value chain creates further, and inevitable, opportunities for cyber-attacks to succeed.

As a result, third parties remain a high risk for the industry, and formal, effective Vendor Risk Management (VRM) programs are only just emerging. Providers and suppliers of medical equipment or services have access to important credentials that open the industry up to fraud.

Furthermore, not only is there a rise in incidents of ransomware, but attackers are becoming more sophisticated in their methods, creating an increasing gap between adversary capabilities and defences.

The UK’s National Health Service suffered from the WannaCry ransomware attack that affected dozens of hospitals across the country in May 2017.

In September of this year several hospitals in the US and Australia suffered ransomware attacks resulting in patients being turned away.

Three regional hospitals in the state of Alabama and a number in the state of Victoria, Australia were victims of attacks. In the healthcare industry, especially for providers, ransomware attacks are disruptive.

Building and improving cyber resilience in healthcare

We have identified the healthcare industry’s cyber threat actors and their goals. Top adversaries include nation states, hacktivists, cyber criminals, and insiders.

Across all categories of the value chain, data theft, system disruption, ransomware and IP theft remain top concerns. We tackle these concerns using a 360-degree approach and a relentless focus on business impact.

To implement the best cybersecurity solution, our focus is on seven domains including Business Alignment, Cyber Response Readiness, Strategic Threat Context, Resilience Readiness, Investment Efficiency, Governance & Leadership within the organisation, and the Extended Ecosystem which measures protection from third-party risks and co-ordination of joint responses to security incidents.

Protecting healthcare organisations from cyber-attack requires an end-to-end view of high-value targets across the ecosystem. Interconnectedness makes breaches dangerous to all entities regardless of the first point of attack.

The following infographic details this:

Our security enables businesses to operate and grow confidently in a rapidly evolving threat landscape. We help businesses prepare, protect, detect, respond and recover along all points of the security lifecycle.

Leveraging our global resources and next-generation technologies, we create integrated, practical solutions that are tailored to each organisation’s specific business goals and industry— solutions that clients can put in place immediately.

Whether defending against known threats, quickly detecting and responding to the unknown or running an entire security operation centre, we help harden organisations and make it extremely difficult for even the most sophisticated cyber adversaries to succeed.

The real cost of data breaches

The root causes of data breach are malicious attacks, system glitches, and human error. This is not a simple matter.

Now in its 14th year, the IBM 2019 Cost of a Data Breach Report was based on in-depth interviews with more than 500 companies around the world that had experienced a data breach between July 2018 and April 2019.

The report states that the average cost of a data breach is USD3.92 million, with the healthcare sector being the most expensive industry at USD6.45 million.

The global average data breach cost in the healthcare industry is approximately R0.1 billion, far above the R76 million and R69 million in the financial services and pharmaceutical sectors respectively. These sectors are highly regulated.

Considering the increasing number of countries around the world promulgating data protection and privacy laws, the penalties and fines levied against companies in highly regulated sectors will cause consternation for leaders.

Under POPI, the maximum penalty that can be imposed for a data breach is R10 million and/or 10 years’ imprisonment. Unfortunately, the time it takes to detect, identify and contain a data breach adds further to the cost. According to the report, a breach takes 206 days to detect and 73 days to contain.

Digital transformation initiatives introduce new technologies and new ways of working which inadvertently increase the attack surface and probability of data breaches, unless the appropriate security protocols, activities and mechanisms are considered at inception.

The incoming National Health Insurance (NHI) is likely to make use of sophisticated and centralised electronic health record systems. In fact, the recent Healthcare Market Inquiry undertaken by the SA Competition Commission also identified data integrity and the quality of data in the healthcare arena as being critical to the provision of universal quality healthcare to all South Africans.

However, such data must be secure and must always place the needs and interests of the patient at its centre.

If security is not prioritised, the risk of data breaches and their adverse impact would be significant on the quality of healthcare provision. A security-first mindset is needed.
