By Aarthi Raghavan | July 30, 2021, 11.00am
The global healthcare sector is witnessing a rise in cyber threats. At a time when hospitals are stretched by the COVID-19 pandemic, and resources – both human and financial – are running thin, many organizations are ill-prepared for cyberattacks that expose critical patient data. Data breaches have been a problem for the public as well as the private healthcare sector, even before the pandemic. However, the past year has seen a dramatic increase in ransomware attacks that exploit vulnerable points to break into healthcare databases, steal critical patient data and use it to demand ransom from hospitals. While adoption of electronic health records (EHRs), wireless medical devices, telemedicine and remote work is increasing, hospitals continue to run legacy systems owing to budgetary constraints and the low priority given to cyber threats.
In March 2020, volunteer groups such as the CTI League and the COVID-19 Cyber Threat Coalition were formed by cybersecurity experts to provide free cyber-threat intelligence to healthcare and hospital security teams. However, experts believe that a broader multilateral approach to protecting critical infrastructure such as healthcare is needed. The European Union (EU) offers an important template for other countries to follow, as observed in the case of the GDPR. Efforts are currently underway in Europe for greater collaboration with NATO countries and other democracies to expand the cyber defense of critical infrastructure, including healthcare. The Network and Information Security Directive, which is currently being updated by the Committee on the Internal Market and Consumer Protection (IMCO) of the European Parliament, aims at the adoption of national cybersecurity strategies and the designation of competent national authorities so that the region’s critical infrastructure can be resilient against all kinds of attacks. It strengthens security requirements for organizations by imposing a risk management approach and providing a minimum list of basic security elements that have to be applied.
In Asia, countries have been experiencing cyber threats at 1.6 to 1.7 times the world average. While most governments on the continent are slow in implementing cybersecurity regulations, there have been some exceptions. Australia, for example, has had mandatory cyber breach disclosure regulations in place since 2018, and more recently tabled amendments to the Critical Infrastructure Bill, which enhance the existing framework for managing risks related to critical infrastructure. The bill has introduced additional security obligations, a risk management program, and mandatory cyber incident reporting. Interestingly, the legislation broadened the definition of critical infrastructure by including healthcare and medical devices among other critical sectors. The legislation is expected to make cybersecurity a critical issue across all sectors, including healthcare, where decision-makers will be forced to prioritize, fund and maintain adequate measures to protect the sensitive patient health data on their systems.
In Southeast Asia, Singapore is already an attractive target for cyber-attacks. Although the city-state has not yet faced a systemic and massive ransomware attack, the Cyber Security Agency of Singapore (CSA) recognizes that it is not far from one. The Cybersecurity Act 2018 has put in place obligations for organizations to strengthen the protection of critical information infrastructure (CII) against cyber-attacks, authorizes CSA to prevent and respond to threats and incidents, establishes a framework for sharing cybersecurity information and establishes a light-touch licensing framework for cybersecurity service providers. The law also includes significant penalties for breaches. In 2019, the Singapore Personal Data Protection Commission (PDPC) fined SingHealth SGD 250,000 and Integrated Health Information Systems (IHIS) SGD 750,000 for the breach of 1.5 million patient health records in July 2018. Since then, CSA has been directing healthcare and other sectors to enhance their cybersecurity through improved detection of anomalous activity, backing up data regularly and offline, and practicing incident response and business continuity plans in case of a ransomware attack. Despite this, critical vulnerabilities remain exposed, forcing authorities to be constantly on their toes.
As a result, some countries are making all-round efforts to build partnerships and are pushing for cybersecurity education and training. Vietnam, for instance, has been active in reinforcing cybersecurity regulations, standards and blueprints across public and private organizations in the country. The government deployed twin 5-year cybersecurity masterplans to encourage the private sector to collaborate with the government in creating cybersecurity awareness and training for citizens and professionals respectively. India has taken a similar approach, and the final version of its national cybersecurity policy is expected soon. The Government of India has been making extensive efforts towards training, has increased investments in cybersecurity and is establishing agreements with other countries for cooperation in cybersecurity capacity building, research and development, and the protection of critical information infrastructure.
Indonesia’s National Cyber and Crypto Agency (BSSN) has involved stakeholders to increase cybersecurity awareness and address the shortage of local cybersecurity experts. The country has been increasingly targeted by cyber-attacks, the latest being a breach of patient records at BRI Life, an insurance arm of the country’s largest lender. The Indonesian government has yet to implement the personal data protection law, which is modeled on the GDPR and will replace the existing regulations. The law, applicable to the public as well as the private sector, would be highly effective if it included sector-specific measures, particularly ones addressing the evolving cyber threats faced by the healthcare sector.
Cross-country cyber-attacks on healthcare systems are increasing across Asia. In May 2021, the Asian arm of Axa Partners, a Paris-based insurance company, became the victim of a targeted ransomware attack impacting patients in Thailand, Malaysia, Hong Kong and the Philippines. Nearly three terabytes of data were stolen, including personal information, medical records and claims, as well as data from hospitals and doctors. While the company has informed its customers and is investigating the incident, it is worrying that the stolen data may potentially be used to attack individual customers. In cases like these, where multiple countries are involved, regional or global cybersecurity risk management approaches may be useful and can help prevent future threats to sensitive health data.
Some such regional initiatives for cybersecurity include the recent establishment of a cyber center of excellence in Singapore on June 15, 2021. Formalized by the ASEAN Defense Ministers’ Meeting (ADMM), the center aims to promote cooperation on cybersecurity and information within the defense sector, and to enhance multilateral cooperation amongst ASEAN nations against cyber-attacks, disinformation and misinformation. This development follows others such as the institutionalization of the ADMM-Plus cyber security working group in 2016 and the establishment of the ASEAN-Japan Cybersecurity Capacity Building Center in 2019. However, being specific to defense, these cooperation efforts have yet to address sector-specific issues, such as those faced by healthcare in ASEAN and other neighboring countries. Another key initiative from the private sector is the Asia Pacific Public Sector Cyber Security Executive Council, launched by Microsoft in June 2021. It includes policymakers from Brunei, Indonesia, Korea, Malaysia, the Philippines, Singapore and Thailand, supported by cybersecurity professionals. The initiative is timely and important since it aims to accelerate public-private partnerships in cybersecurity and the sharing of threat intelligence.
Despite all these efforts, it is clear that cyber threats are evolving at a much faster pace than cybersecurity regulations and cross-country cyber collaborations. Even as many countries in Asia and across the world are fighting the COVID-19 pandemic, cyber attackers have been trying to create disinformation campaigns against vaccines. In October 2020, the Centre for Countering Digital Hate reported that 50 million people follow anti-vaccine groups on social media. The scale of such efforts has been widened in some cases by support from hostile governments that aim to use misinformation to slow down vaccinations in rival countries. Some individuals and groups are also trying to discredit certain vaccines in order to sell their own remedies for COVID-19. Profit-seeking entities are especially interested in hacking research data, virus testing and clinical trials that show side effects or potential problems.
With the rise in the pace, scale and forms of threats posed by attackers, it will be increasingly important for governments and businesses to work together, and in collaboration with sector-specific stakeholders, to develop regulations that protect sensitive personal health data. While ransomware attacks can cause huge losses to hospitals, they can also erode the trust that patients have in public and private healthcare systems. Cyber-attacks also threaten the vast landscape of pharmaceutical research and development, which involves significant investments over several years, in addition to the hard work that scientists and researchers put in to develop life-saving drugs and vaccines for the health and well-being of people. For policymakers in Asia, the challenges of protecting health data, ensuring patient trust and securing sectoral growth will be deciding factors as they struggle to choose the best national, regional and global approaches to cybersecurity.