While it's no surprise to anybody reading this that data breaches are on the rise, the attacks facing healthcare organizations, most recently in Asia, are particularly worrisome. One need not look very far to find examples of the threats facing these entities:
- In Singapore, 1.5 million SingHealth patient records - including those of Prime Minister Lee Hsien Loong, were compromised in what is being called the Republic’s worst cyber attack. Singapore's Deputy Chief Executive of the Cyber Security Agency, Ng Hoo Ming, addressed the attack in his keynote at the RSA Conference at the end of July. He highlighted the need to make privacy paramount and reinforce the practice of good data governance, with the private sector and government working together to build trust on the Internet.
- MGM New Bombay Hospital was victimized by a ransomware attack in July, resulting in the loss of more than two weeks' worth of data.
- Another recent ransomware incident involved Hong Kong’s Department of Health, although, in this case it appears that no data was leaked.
The 2018 Thales Healthcare Data Threat Report (including the India, Japan and Korea sub-reports) corroborates the headlines; specifically, our survey found that two in five global healthcare organizations (39%) experienced a data breach in the last year.
Evolving Threat Landscape
In addition to protecting traditional repositories of patient data, healthcare organizations also face the challenge of an expanding attack surface as they continue to adopt connected medical devices. The internet of things (IoT) promises better, more efficient patient care but the rapid introduction of connected devices places new stress on hospital security professionals, who must guard against attacks on hospital networks. Before being introduced, healthcare organizations must be able to trust IoT devices.
Attackers are also using automation to probe networks for vulnerabilities. And just as security professionals rely on industry conferences and resource centers to share information about new solutions and best practices, cybercriminals share new techniques and code, even adapting open source penetration testing tools for nefarious purposes. It’s clear that the challenges for security teams are constantly evolving.
The immediate financial consequences of a data breach are quite apparent as organizations must hire incident response professionals, pay staff overtime, cover the administrative costs of notifying affected individuals…the list goes on. And this doesn’t include the penalties the breached organization may incur.
Beyond the financial impact, the organization faces a loss of public trust and negative media coverage, particularly in the event of a large breach. As a result, senior leadership and the public relations team face a daunting challenge as they attempt to reestablish confidence in the organization.
What’s more, data breaches have ostensibly prompted the introduction and passage of strict data protection compliance requirements, such as the South Korea Personal Information Protection Act (PIPA), and pending Regulation no. 20/ 2016 in Indonesia, as well as the introduction of mandatory data breach notification regimes into national security data protection acts. Complying with these mandates, which many would argue are necessary to provoke better protection of personal data, creates an additional administrative burden for organizations.
Protecting Sensitive Data
A defense-in-depth approach is clearly required in the healthcare sector, including the use of data encryption and strong key management to protect patient records. The attacker’s goal is the theft of valuable patient records, so many organizations have implemented encryption because it renders data useless, even in the event of a breach; without the decryption key the attacker steals away with only cipher text.
At Thales we have decades of experience in helping enterprises address their biggest data protection challenges and improve their compliance postures. Together with a number of partners in the region, including Sunnic, Pacific Tech Pte Ltd., KPMG Singapore, Thales Solutions Asia Pte Ltd. stands ready to work with healthcare organizations to secure sensitive records so their focus can be on the important work of caring for patients.