Safeguarding Innovation in Critical Infrastructure - A Spotlight on Healthcare
Imagine a future where smart medical devices monitor our health around the clock, leveraging AI to detect health issues early. These devices provide timely intervention, helping us stay healthy from the comfort of our homes.
Across Asia and the world, digitalisation is revolutionising the healthcare ecosystem. In this fast-paced landscape, telemedicine is flourishing, while the incorporation of new technologies is streamlining healthcare delivery, cutting costs, and enhancing patient outcomes.
Yet the healthcare sector is arguably more vulnerable than others to cyber threats. And as we become more dependent on connected devices and systems, the potential for medical data manipulation and even physical harm grows exponentially. What can we do to address cyber threats in healthcare?
The digitalisation of healthcare
It's no secret that patient access to care and the way healthcare workers operate in healthcare institutions have evolved, thanks to digitalisation and advancements in technology.
Yong Yih Ming, CEO of Mount Elizabeth Hospital, pointed out that the days of hardcopy "case cards" stored in metal cabinets are fast disappearing. In Singapore, medical records are typically digitalised.
“It has brought a lot of efficiencies and improved accessibility to care for the patients. And in some way, it has also reduced the cost of health care,” he said. “The visuals, the patient information, their medical conditions, the medication prescribed, even the cost of treatment, are all part of this digital system.”
Such sensitive information falling into the wrong hands would be a huge problem. Fully securing the systems that host clinical information is no walk in the park, however, considering the diversity of healthcare environments and technology infrastructures.
“Everyone has different financial investment, different logistics support, and different infrastructure. I think that's where the new challenges will come from because it's not a homogeneous care or technology environment,” observed Yong.
“It is also not a homogeneous technology knowledge environment – the doctors and healthcare professionals using these systems vary in terms of their cyber security awareness and understanding of technology and information sharing.”
A rising tide of threats
Medical devices are the weakest link on the hospital network as they bear critical vulnerabilities, says Alex Nehmy, the director of Industry 4.0 for Japan & Asia Pacific at Palo Alto, citing research by his firm's threat intelligence and incident response team, Unit 42.
Imaging devices, such as X-ray, magnetic resonance imaging (MRI) and computed tomography (CT) scanners, are particularly vulnerable. Specifically, one in five (20%) common imaging devices are running an unsupported version of Windows, and 44% of CT scanners and 31% of MRI machines were exposed to high-severity vulnerabilities.
"[Today], medical devices critical in providing positive health outcomes for patients are now computer systems performing complex and life-saving medical functions – like digital ventilators, advanced pacemakers with implantable defibrillators, and robotic surgical systems – and they’re getting smarter,” said Nehmy.
Vulnerabilities to cyberattacks have increased with digitalisation, Nehmy explained. He noted that the closer a medical device is to a patient, the more likely it is to impact patient safety and to be weaponised by a threat actor.
"A security breach in health care is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Ensuring the cyber security of Internet of Medical Things (IoMT) [devices] has never been more important for patient safety,” he said.
Charting the road ahead
Legacy, perimeter-based security is no longer adequate, says Nehmy. “Healthcare service providers will need an ironclad strategy that offers complete visibility on how people will interact with them and ensures that security is baked in all steps of their approach, from the planning stages through the running phase.”
Ultimately, healthcare CISOs must prepare for the worst. “Preparedness is key, and having an incident response plan is no longer a 'nice to have' but a must to manage growing cyber threats and minimise the impact of cyberattacks on business operations,” said Nehmy.
For its part, IHH Healthcare Singapore has introduced restrictions on patients’ information, limited the use of portable storage devices, and kept general Internet access to dedicated terminals, says Yong. Moreover, new employees are expected to pass a compulsory cybersecurity onboarding quiz, which must be retaken annually with updated questions.
Yong suggests that new equipment purchases should be viewed through the lens of cyber security. A connected robot for the operating theatre should be acquired together with relevant systems to mitigate potential cyber security threats. A project-based approach like this keeps cyber security investments manageable and progressively improves the organisation’s security posture, he says.
And when more investments are needed, such as additional security systems to secure the growing fleet of hypothetical robots, this could be amortised across the lifespan of the system: “If we can do it on a bite-sized level, in simple investment terms, then I think it's probably easier for the board or the senior management to accept.”
“Boards need to understand that beyond providing healthcare services, good healthcare in the future is really how we manage digitalisation and patient information in a digital context,” said Yong.
“And when it comes to allocating the budget, it needs to go beyond just the tools for healthcare operations. There must be another layer of dedicated investments for cyber security protection. Like it or not, this is the new normal,” he summed up.