The healthcare sector has emerged as the top target for cyber criminals, accounting for 35% of cyber-attacks in 2022. BroadReach Group Chief Technology Officer Ruan Viljoen says the sector needs to be extra vigilant and protect highly sensitive health data from exploitation. He says it is a highly lucrative target for the cybercrime underworld and that healthcare providers need to focus on the issue year-round, not only during Cyber Security Awareness Month.
“When healthcare facilities are hacked, their data is stolen, and the hackers often use it to launch ransomware attacks. The global average cost of a data breach is $4.5 million – this includes the cost of remediation and insurance for affected individuals,” explains Viljoen.
BroadReach supports HIV/AIDS prevention, treatment and care for millions of patients across Africa as an implementing partner to health departments and large donors who are joined in the mission to end HIV as a public health threat by 2030. BroadReach co-founder and global health tech innovator in public health management Dr John Sargent says that all around the world, there are more people who need healthcare than there are health resources for. “Digital tools can help us to increase access to healthcare and the quality of that healthcare by supporting healthcare workers to focus on high-impact interventions. These endeavours rely on good data that is secure and free from attack. Every day there is a report of a breach. This is why the industry needs to educate itself on how to stay safe.”
Vedantha Singh, a researcher on responsible AI in healthcare at the UCT Graduate School of Business, says a 2021 study from the University of Pretoria revealed that South African health institutions were particularly vulnerable to cyber threats. This is largely due to inadequate cybersecurity talent, an absence of cybersecurity response frameworks in healthcare organisations and inadequate disaster recovery strategies.
“It’s not a matter of if, but when you will get attacked,” adds Steve Ramsden, Chief Security Officer at The Global Fund. “All healthcare organisations face cyber threats – we have to become resilient.” Ramsden is currently working with the World Health Organisation (WHO) to set up international cybersecurity guidelines for the healthcare sector.
Here, these experts offer tips and practical solutions to help the healthcare sector guard against cybersecurity risks:
Tip 1: Focus on the basics first
Singh said organisations often assume they must invest in expensive anti-hacking strategies; however, the majority of breaches are due to fairly unsophisticated email phishing attacks aimed at employees at all levels. “The Osterman Research Institute says organisations that provide employee training twice a year are far safer. I advocate for ongoing training such as sending fake phishing emails to test and educate employees on a regular basis. A good phishing awareness programme can save organisations millions.”
Viljoen echoes this sentiment, advising organisations to educate their workforces on a continual basis on the dangers of clicking on malicious hyperlinks from stealthy attackers. “Make your staff feel proud of spotting threats rather than fearing retribution if they make a mistake. It’s important to create a culture shift – that everyone is part of the security chain. Small, incremental progress helps. Look at the 50 things you need to do to improve your cyber security posture and start with a handful of the most impactful items first. You will soon see progress.”
Ramsden says basic cyber hygiene is also a good place to start. “Don’t share passwords, don’t write them down and stick them on your desk, don’t use simple passwords, and change your passwords regularly. It might sound like an over-simplification, but these basic mistakes are still being made.”
Tip 2: Put fundamental protections in place
Singh says organisations need to put email authentication technologies and other fundamental cyber protections in place to prevent malware and phishing attacks. “Consider implementing robust access control, modern encryption techniques, Security Service Edge (SSE), Attribute-based Encryption, and Privacy Preserving Data Mining that doesn’t reveal the raw or sensitive health data. Also invest in tokenisation and other identity protocols.”
Ramsden said ransomware was particularly worrying for hospitals. “Hospitals should keep offline copies of all patient data, so that you don’t have to pay ransoms to recover data.” Viljoen added that offline includes the use of multiple cloud vendors. “At BroadReach we store copies of our data with different cloud providers or data centres, not just to protect against attacks, but also as security against vendor-specific cloud outages.”
Tip 3: Set up a cybersecurity steering committee
“A great strategy is to invest in a specific steering committee within your organisation, where data breaches can be anticipated, reported and tracked. Make sure the committee consists of members of all different departments, not just the IT team. Cybersecurity should be a shared responsibility. Meet regularly and set up cyber security prevention strategies, insurance and disaster recovery plans,” suggests Singh.
Ramsden agrees, “Proper cybersecurity must be integrated into the culture of the organisation and openly discussed. Think like the attacker and not the victim. As a team, look out for patterns and motives for attacks.”
Tip 4: Set up regular cybersecurity testing
Ramsden says we have to get into the mind of the attacker and understand how they operate on every platform and channel, from LinkedIn, WhatsApp and very sophisticated phishing emails, to more complex attacks. “At The Global Fund and WHO, we call it ‘Security by Design’. You need to know where your sensitive data is and you need to do regular penetration testing, by hiring ethical hackers who help secure your ecosystem.”
Beyond doing penetration testing on your own organisation, it is also helpful to look for cybersecurity vulnerabilities in supply chains, Ramsden said. “In healthcare, everything is part of a supply chain. Look not only at who the first, second and third parties are, but also who the fourth and fifth parties in your ecosystem are. Try to understand what is critical to the business.”
It is vital that organisations within the healthcare sector learn from best practice implemented across their network instead of reinventing the wheel. “There are many examples of organisations that have implemented effective cyber security strategies, including the use of AI for the organisation’s protective benefit. By collaborating across the public and private sector, we can learn from each other to protect sensitive health data from exploitation,” concludes Viljoen.