Shankar Bhaskaran, Managing Director-India, MetricStream, emphasises that despite the increasing attention and resources dedicated to cyber risk, healthcare institutions grapple with challenges unique to their industry. Safeguarding patient information remains a formidable task amidst evolving cyber threats.
In the past decade, technological advancements and the transition to digital-first services have been reshaping the landscape of the global healthcare system. The sector’s persistent efforts to meet growing technology requirements have increased data sharing across organisations and the supply chain.
However, varying levels of maturity in security and resilience have been posing serious cyber risk challenges to this.
Sample this: According to a recent study by Sophos, a UK-based cybersecurity firm, nearly 60 per cent of healthcare organisations worldwide have experienced a cyberattack in the last year. Those affected include prominent Indian medical institutions such as the All India Institute of Medical Sciences (AIIMS) and the Indian Council of Medical Research (ICMR). The cyberattack on the ICMR exposed the personally identifiable information (PII) of as many as 81 crore Indians, potentially one of the most significant data breaches in Indian history.
The reason for such continued targeting of this sector is crystal clear: healthcare institutions are repositories of valuable personal and sensitive data, making them prime targets for attacks and ransomware.
Yet, the fallout of a cyberattack on healthcare isn’t just about financial losses. It directly impacts patient safety and security, sometimes even potentially escalating into life-or-death situations. Manipulated patient records, postponed critical tests, redirected ambulances and compromised medical procedures are all stark examples of the consequences patients may endure.
With Artificial Intelligence (AI) now assuming a more central role in diagnostics, patient data management and medical tools, healthcare organisations must fortify their cyber risk and resilience strategies. Armed with a clear understanding of the expenses and repercussions of data breaches, they can construct a more robust, more secure and resilient system that safeguards not only their financial interests but also the priceless trust of their patients.
Healthcare’s unique cyber risk challenges amid rapid digitisation
Despite the increasing attention and resources dedicated to cyber risk, healthcare institutions grapple with challenges unique to their industry. Safeguarding patient information remains a formidable task amidst evolving cyber threats.
As per an IBM Report from last year, India witnessed a 28 per cent surge in the cost of data breaches, amounting to Rs 17.9 crore, and the country’s healthcare sector was identified as the most vulnerable. The complexity of cybersecurity in healthcare is further exacerbated by the risks posed by interconnected medical devices, reliance on outdated IT systems and the need to navigate evolving regulatory compliance requirements.
Primarily, the expansion of the digital footprint, integration of third-party systems and widespread adoption of cloud services have intensified cyber threats. Many healthcare providers also offer a wide array of comprehensive health solutions, and this growing connectivity enlarges the attack surface they expose to cyberattacks.
In the face of these challenges, human error, such as merely clicking on a phishing email, remains a leading cause of cyberattacks. This is also mainly due to the lack of cybersecurity training among healthcare professionals.
New approach for cyber risk mitigation
The area of healthcare cybersecurity continually faces threats that jeopardise the safety and confidentiality of patient data. The underlying weaknesses include outdated software, subpar password practices, deceptive phishing schemes, unprotected mobile devices and insecure networks.
Additionally, in an era of increased connectivity in healthcare systems, antiquated and isolated methods of managing cyber risks and reliance on manual processes fall short. These primitive practices no longer enable the quick detection and response to counter emerging threats.
At a time when even a single phishing email could jeopardise millions of patient records and cripple systems, the imperative for agility and swift risk mitigation has never been more pressing. Embracing an agile, continuous and interconnected approach is vital to bolstering healthcare organisations’ resilience in the rapidly evolving cyber threat landscape.
Here’s what your cyber risk management strategy in 2024 should include:
Implement continuous control monitoring (CCM) to automate control testing across all aspects of your infrastructure, including medical devices, systems and networks, ensuring regular evaluation of physical, technical, operational, and administrative controls.
Incorporate cyber risk quantification techniques to predict the financial impact of potential breaches, leading to more informed investment decisions, insurance assessments and effective communication with non-technical stakeholders.
Integrate third-party risk management seamlessly into your cyber risk strategy, moving away from isolated approaches to conducting thorough due diligence, continuous monitoring and security assessments of third-party data security practices, compliance levels and certifications.
Streamline controls across various frameworks and standards to ensure comprehensive coverage and enhance overall cybersecurity posture.
Build a culture of risk awareness by engaging all stakeholders in cyber risk management, simplifying security policies while providing user-friendly incident reporting tools and conducting regular training and awareness initiatives.
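The cyber risk quantification point above is easier to act on with a worked calculation. The following Python is an added example, not code from the article or from MetricStream: it computes the annualised loss expectancy (ALE) of a few breach scenarios, shows how a proposed control changes that figure, and runs a seeded Monte Carlo simulation to give a spread (mean and 95th percentile annual loss) rather than a single number. The scenario names, event frequencies, loss ranges in crore INR and control-effectiveness figures are all constructed for illustration and are not taken from the IBM or Sophos studies cited in the text.

```python
"""Cyber risk quantification for healthcare breach scenarios (added example).

ALE = annual rate of occurrence (ARO) x single loss expectancy (SLE).
A control that prevents a fraction of events scales the ARO down, which
gives a defensible number to put against the control's annual cost.
All scenario figures below are constructed, not measured.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float   # expected events per year (ARO); constructed
    loss_low: float           # per-event loss range, crore INR; constructed
    loss_high: float
    control_effect: float     # fraction of events the proposed control prevents


# Constructed scenarios for a hypothetical hospital group.
SCENARIOS = [
    Scenario("phishing-led ransomware", 0.5, 5.0, 15.0, 0.6),     # training + MFA
    Scenario("third-party data exposure", 0.2, 10.0, 30.0, 0.5),  # vendor due diligence
    Scenario("unpatched medical device compromise", 0.3, 2.0, 8.0, 0.7),  # CCM + patching
]


def single_loss_expectancy(s: Scenario) -> float:
    """Expected loss per event: midpoint of the uniform loss range."""
    return (s.loss_low + s.loss_high) / 2


def annualized_loss_expectancy(s: Scenario, with_control: bool = False) -> float:
    """ARO x SLE, with the ARO reduced when the control is in place."""
    freq = s.annual_frequency * ((1 - s.control_effect) if with_control else 1.0)
    return freq * single_loss_expectancy(s)


def portfolio_ale(scenarios, with_control: bool = False) -> float:
    return sum(annualized_loss_expectancy(s, with_control) for s in scenarios)


def control_net_benefit(s: Scenario, annual_control_cost: float) -> float:
    """Expected annual loss avoided minus what the control costs per year.

    Positive means the control pays for itself on expected value alone."""
    avoided = annualized_loss_expectancy(s) - annualized_loss_expectancy(s, True)
    return avoided - annual_control_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one year at rate lam."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenarios, years: int = 10000, seed: int = 7,
                         with_control: bool = False) -> dict:
    """Seeded Monte Carlo: draw event counts and per-event losses for many
    simulated years and report the mean and the 95th-percentile annual loss."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            freq = s.annual_frequency * ((1 - s.control_effect) if with_control else 1.0)
            for _event in range(_poisson(rng, freq)):
                total += rng.uniform(s.loss_low, s.loss_high)
        totals.append(total)
    totals.sort()
    return {"mean": sum(totals) / years, "p95": totals[int(0.95 * years)]}


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:40s} ALE {annualized_loss_expectancy(s):5.2f} "
              f"-> {annualized_loss_expectancy(s, True):5.2f} crore with control")
    print("portfolio ALE:", portfolio_ale(SCENARIOS), "->", portfolio_ale(SCENARIOS, True))
    print("Monte Carlo (no controls):", simulate_annual_loss(SCENARIOS))
    print("Monte Carlo (with controls):", simulate_annual_loss(SCENARIOS, with_control=True))
```

The point-estimate ALE is what goes into a budget conversation with non-technical stakeholders; the 95th-percentile figure from the simulation is the one an insurer or a board risk committee will ask about, because a ransomware year is not an average year. The ranges and frequencies should be replaced with an organisation's own incident history and industry loss data before any number is relied on.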
To sum it up
Cyber vigilance is a crucial aspect of the healthcare sector, being a vital safeguard for patient information and ensuring adherence to regulatory standards. Proactive measures are essential for healthcare organisations to manage security breaches and implement resilient solutions effectively.
As the sector takes active steps to mitigate looming threats of cyberattacks, prioritising resilience and navigating complexities become imperative. This requires a critical re-evaluation of the existing cyber risk management protocols that organisations are using.
Embracing a strategic mindset, focusing on continuous innovation and demonstrating commitment to protecting patient welfare are integral components of effective cyber risk management. Continuous employee training also assumes a chief role in building a robust cybersecurity culture and embedding organisational best practices.