healthcare data

(Source – McAfee)

Why is it getting harder to secure healthcare data?

Healthcare data continues to be a prime target for cybercriminals all over the world. In Southeast Asia, several healthcare facilities have fallen victim in recent times to cyberattacks. The most recent healthcare cyberattack in Southeast Asia was in an eye hospital in Singapore whereby hackers were able to gain access to the healthcare data of some 73,000 patients.

But it’s not just unsecured healthcare data that is vulnerable to attacks. With the growing increase of healthcare IoT devices and cloud adoption, hospitals are needing to increase their cybersecurity investment, especially in securing these devices. Most healthcare IoT devices do not have security features built into them and are vulnerable to any cyberattack.

For example, McAfee Enterprise found critical vulnerabilities in two types of medical infusion pumps that are used to deliver medication into a patient’s body. With more than 200 million IV infusions administered each year globally, this has significant implications for the global healthcare industry. These vulnerabilities could be maliciously exploited to modify a pump’s configuration, posing the risk of an unexpected dose of medication being delivered to a patient.

To understand more about healthcare data protection, Tech Wire Asia caught up with Jonathan Tan, the managing director in Asia for McAfee Enterprise to get his views on the topic and how McAfee is helping the healthcare industry deal with the issue.

Here’s what Jonathan had to say.

Compared to other regions, how secure is healthcare data in Southeast Asia?

Globally, we are seeing a rise in cyber attacks on the healthcare sector as bad actors exploit the COVID-19 crisis to target already stretched healthcare organizations. The World Health Organisation, for instance, reported a fivefold increase in cyberattacks in 2020. Healthcare organizations around the world have been largely caught by surprise — and Southeast Asia was no exception.

Jonathan Tan, Managing Director, Asia, McAfee Enterprise. (Source – McAfee)

What is perhaps unique about the region is that it has emerged as a prime target for cybercriminals in recent years. Southeast Asia is digitizing rapidly, at an accelerated pace that has largely left its cybersecurity industry struggling to keep up. Case in point, McAfee found a 54% surge in threats specifically targeting Asia from Q4 2020 to Q1 2021.

With a nascent cybersecurity landscape, the healthcare industry in Southeast Asia was vulnerable to the recent global surge in cyber attacks on critical public health infrastructure. Last year, a hospital in Thailand fell victim to a ransomware attack. Elsewhere in Singapore, SingCert discovered vulnerabilities in over 100 million internet-connected devices including medical equipment and over 73,000 patients of a private eye clinic had their personal data compromised in a cyberattack last month. Clearly, there is more that can and must be done to secure healthcare data in the region.

Why are hospitals, especially private clinics not taking healthcare data seriously enough? Is it because they lack understanding of the value of the data or is it because of weak regulations?

One of the biggest challenges to securing healthcare data is that cybersecurity awareness in the industry is trailing rapid digitalization. The healthcare sector is at a turning point, where it is adopting smart technologies at breakthrough speed to support the accelerating demand for healthcare services. To deliver higher quality care at a faster pace, hospitals and clinics are now moving patient records to the cloud, adopting IoT devices, and more. Yet, doctors, nurses, and staff members may not have the time or necessarily the education to understand the cyber risks inherent to new technologies — they simply need the devices and systems to work.

 On the other end of the spectrum, another critical challenge facing healthcare organizations is medical devices that tend to run legacy operating systems and are rarely updated in a timely fashion. Making matters worse, legacy devices are using operating systems such as Windows XP that Microsoft no longer supports with security patches and updates. When you consider how the staff is already well-versed and familiar with these legacy devices, investing in new technology and retraining doctors and nurses may seem like poor business sense. This comes back to an optimism bias that we are all susceptible to as humans, which results in a tendency to underestimate cyber threats.

At a regional level, Southeast Asia has a varying level of cyber readiness with no unifying framework to streamline collaboration and intelligence sharing. However, recent developments suggest that change may be afoot. Singapore recently announced the launch of a new Cybersecurity and Information Centre of Excellence, which will facilitate exchanges among ASEAN defense establishments against the threats of cyberattacks, disinformation, and misinformation. This sets the country in the right direction that will go towards building a more coordinated and comprehensive approach to cybersecurity regulations in the region.

What is the most convenient method for healthcare data protection?

In today’s ever-evolving threat landscape, there is no easy or convenient solution to securing our healthcare data. Cybercriminals constantly pivot their tactics to catch potential victims off guard, demanding healthcare organizations to be constantly on their toes.

To increase their security and resilience, healthcare organizations must adopt a zero-trust mentality to cybersecurity. At its core, a Zero Trust approach means trusting no one. Traditional network security focuses on keeping attackers out of the network but Zero Trust assumes the network has been compromised and challenges the user or device to prove that they are not attackers. Such an approach limits a user’s access once inside the network, preventing an attacker who has successfully infiltrated a network from moving unfettered to access valuable data. For healthcare organizations that face the daunting challenge of securing a fragmented and disparate data infrastructure, a Zero Trust approach will be key to strengthening their defenses and protecting critical healthcare data.

With the increased usage of healthcare IoT devices, is the industry now more vulnerable to cyberattacks?

(Source – McAfee)

According to IBM, over the next decade, the number of connected medical devices is expected to increase from 10 billion to 50 billion. Smart medical devices have the potential to transform patient care, but the threat such devices pose to patient safety must also not be underestimated. From vital monitors to MRI scanners, each device is a potential touchpoint that cybercriminals can exploit and use as a gateway to access any data sent over the internet, as well as files on devices connected to the same network. Recognizing this potential weak link in the security infrastructure, cybercriminals have been quick to target IoT devices, with malware threats targeting IoT surging by 55% in Q1 2021.

Not only should hospitals emphasize securing healthcare patient data, but also all the networked medical devices that have the potential to transform a patient’s life and at the same time endanger patient privacy and threaten a patient’s safety.  Healthcare organizations must ensure that all medical devices, anti-virus, and protective software are regularly updated.

Should medical hardware producers look into building more secured healthcare devices? Why are they not focusing on that?

In the rush to bring new products to the burgeoning IoT market, medical hardware manufacturers may prioritize functions and cost over cyber safety — overlooking the importance of having robust cybersecurity features.

However, security loopholes in medical devices could have life and death implications. We recently discovered critical vulnerabilities in medical infusion pumps, which could be maliciously exploited to deliver potentially lethal doses of medication to a patient. It is therefore of utmost importance that medical devices are designed with security in mind from the very start. Companies should remain diligent in addressing security and privacy issues, and ensure that any newly uncovered vulnerabilities are immediately addressed.

How does McAfee help protect the healthcare industry in APAC?

McAfee Enterprise offers a suite of security solutions that can help the healthcare industry secure its data. Organizations looking to implement a Zero Trust security framework can find a comprehensive solution in MVISION Private Access, a data-aware Zero Trust Network Access (ZTNA) solution. Such ZTNA solutions implement the least privileged controlled access, restricting user access to specific applications strictly on a “need to know” basis. At the same time,  ZTNAs enable adaptive, context-aware access to private applications from any location and device, allowing for a flexible and dynamic approach to cybersecurity.

We also consistently probe IoT devices for vulnerabilities, and flag these issues to manufacturers for patching before publicizing our findings. For example, our Advanced Threat Research team found critical vulnerabilities in Temi, an interactive robot that is used in senior living and healthcare facilities. The exploited vulnerabilities could allow bad actors to intercept or join existing calls, gain video access and even control the robot remotely – without any authentication. As soon as we discovered the vulnerabilities, we reached out to Temi and worked closely with their team to develop a more robust solution. For each vulnerability, we provided them with mitigation strategies and carried out tests to ensure that all the vulnerabilities reported were effectively resolved. We are working hand-in-hand with medical device manufacturers to build a more secure healthcare landscape in APAC — and it’s our privilege to be a part of this journey.

Lastly, do you foresee healthcare breaches increasing in the future?

Globally, there is a definitive upwards trend in terms of sophistication and sheer quantity of cyberattacks. In the first quarter of 2021, McAfee found that the volume of new malware threats averaged 688 threats per minute, an increase of 40 threats per minute over Q4 2020.

Amidst these trends, the healthcare industry is embarking on the next wave of its digital revolution. Without a doubt, we will continue to see an uptick in cyberattacks targeting the healthcare sector — but it remains to be seen if there will be a corresponding explosion in healthcare data breaches, which will ultimately hinge on the speed at which healthcare organizations can fortify their defenses and adopt a mature zero trust model, among other strategies