Building Cyber Resilience in Healthcare’s Digital Transformation Era
“Healthcare is one of the most essential infrastructures in any society, yet it is also one of the most vulnerable to disruption,” said Dr Lam Pin Min, the chairman of iAPPS Health Group. He made this observation at a keynote panel he moderated at GovWare 2024, on the topic of digital transformation and cyber resilience in healthcare.

“We stand at a pivotal moment where healthcare can either harness the power of technology for more efficient delivery and better outcomes or become ensnared by the challenges that come with it,” he said.

This raises a crucial question. What can healthcare organisations do to harness the full potential of digital transformation while safeguarding patient privacy and ensuring data security?

The Evolving Goalposts of Data Protection

Protecting data may sound straightforward, but it’s an uphill battle due to various factors, including the emergence of new data types that require protection. Panellist Dr Stanley Lai highlighted the evolving goalposts of data protection with an example: “With improvements in genomics, for example, the person's genetic information, the results of genomic tests, now form part of the corpus of personal data belonging to patients.”

Dr Lai is a senior counsel specialising in intellectual property practice, cybersecurity and data protection, and a partner at Allen & Gledhill. He had previously acted for SingHealth in the Committee of Inquiry convened to investigate the 2018 SingHealth cyberattack and ensuing data breach investigations.

“The crown jewel of any organisation is data. With the rapid advances we see through technology, [we are] going to be confronted with even more challenges to protect this data,” he observed.

Reading between the lines, the varied data types and the sheer volume of data make securing it increasingly difficult, even as richer datasets will invariably attract more bad actors.

“The crown jewel of any organisation is data. With the rapid advances we see through technology, [we are] going to be confronted with even more challenges to protect this data.” – Dr Stanley Lai, Head of the Firm’s Intellectual Property Practice, Co-Head of the Cybersecurity & Data Protection Practice and Partner of the Litigation & Disputes Department, Allen & Gledhill LLP

Another consideration is what to do in a cyber breach. When it happens – and some cyber leaders warn it’s an inevitability – healthcare organisations, which are not tech experts, must act swiftly to contain any fallout.

“You have to manage the cyber incident on so many different levels. You have to deal with the issue of containment, you have to deal with the requirements of notification. We also have to deal with new regulatory challenges,” said Dr Lai.

The Opportunities from Digital Transformation

Dr Walter Lim, CEO of HMI Singapore, concurred on the importance of protecting data. “I think I can speak for all healthcare operators when I say that data protection and information security are top concerns for healthcare operators that keep us up at night,” he said.

However, Dr Lim called for healthcare organisations not to ignore technology out of fear, but to leverage the opportunities it offers by balancing it with proper risk management.

“For the first time in a very long time, we have a technology that might actually reduce the workload in healthcare. Many other technologies… ended up adding to doctors’ and nurses’ workload. AI is one of the first few technologies that may make the daily life of frontline staff better in so many ways.”

“How can we manage exposure in a very sensible way, with very precise and deliberate thinking around clinical and non-clinical use cases for this technology? This is where we need the help of IT experts to develop safe sandboxes for the use of data,” he said.

Not doing anything to harness new technologies such as AI is no longer an option, according to Dr Lim. “I think the other option, which is not moving forward, is not an option now.”

A Vastly Expanded Threat Surface

While much in healthcare has remained the same, other aspects have changed beyond recognition, says Yong Yih Ming, the Chief Operating Officer of IHH Healthcare Singapore and Chief Executive Officer of Mount Elizabeth Hospital.
Yong was commenting on another healthcare-related GovWare panel he spoke at last year. “In the last 12 months, there's an acceleration in the number of medical equipment, technologies, and innovations that have come into play. There is an acceleration of uptake and even technologies and equipment that integrate with patient information,” said Yong.

“The dimensions of healthcare have expanded from episodic treatment to full-spectrum ecosystem for treatment. That means the information of the patient moves from one point to another, and [numerous] parties in the ecosystem interact with information [in multiple ways].”

He noted that this extensive integration and use of data have vastly expanded the threat surface in healthcare as data flows between medical equipment providers, specialists, and insurers.

In addition, the unique environment of healthcare further complicates data protection due to the many humans involved. These healthcare workers will need a grounding in data protection on top of healthcare information access security protocols.

“There are nurses and doctors, thousands of staff, just to use my hospitals as an example, who are dealing with patient information on a daily basis. Even the housekeeping lady who cleans the room needs to know about the patient, right?”

Moving the Needle in Healthcare

How can the healthcare industry improve cyber resilience? Yong suggests taking advantage of the general aversion to change as an opportunity to introduce new systems in smaller phases. This will presumably allow competencies to be developed at a more comfortable pace – and ensure systems are adequately secured.

“Introduce changes in [smaller groups] … avoid ‘Big Bang’ implementations. Go for those who are happy to convert and use the new systems,” he advised. Eventually, the organisation will achieve the needed critical mass that will compel everyone else to adopt the new system.

But how should healthcare organisations respond to a cyber breach?
Citing the large and growing variety of cyberattacks, Dr Lai says healthcare organisations must ensure that various scenarios are rehearsed ahead of time.

“One of the things that we learned in managing a cyber crisis is knowing how to deal with middle management, senior management, and also the board of directors because these are all stakeholders with very different concerns,” said Dr Lai.

This must happen even as the CISO, cybersecurity teams, and other IT personnel rush to address and recover from the threat. He summed up: “A whole-of-the-institution approach is needed to formulate a response to cyber breaches.”