Regional Vice-President, Solutions Engineering – Asia Pacific & Japan at Claroty
Over the past decade, teams of healthcare clinical engineers, and IT security personnel have focused on the security and privacy of patient data. The confidentiality, integrity, and accessibility of patient data is protected in many countries by data privacy laws, including the Singapore Personal Data Protection Act, the Malaysian Personal Data Protection Act, and the Korean Personal Information Protection Act (considered one of the strictest in the region).
However, ransomware continues to blithely ignore these legislations, negatively impacting not only the financial stability of healthcare organizations — but also patient privacy and safety.
Cyber-Physical Systems and Patient Safety
The healthcare industry is on the cusp of a digitalization wave, and Singaporeans are poised to embrace it. According to a report by Accenture, Singaporeans are more willing than their global counterparts to seek medical advice virtually to save time, with Gen Z (52%) and Millennial (51%) Singaporeans leading the way. Singaporeans are also open to using digital technologies to communicate with their medical providers, with 44% using technology to receive prescriptions and 29% to access their preferred doctors and treatments.
Meanwhile, healthcare costs in Singapore are expected to rise over the next decade due to the aging population, with total health spending projected to increase from SGD 24.5 billion (USD 17.7 billion) in 2020 to SGD 45.9 billion (USD 36.7 billion) by 2030, according to Fitch Solutions, making the costs of disruption ever greater.
The rise of the interconnected Internet of Medical Things (IoMT) and other healthcare cyber-physical systems means cyber threats have the potential to disrupt patient care by triggering device outages or malfunctions.
Today, caregivers are taking a more clinically focused viewpoint on cybersecurity, correlating it more closely with patient outcomes. Dr. Christian Dameff shares, “We are at a point where bits and bytes are meeting flesh and blood.” This cyber-physical world of connected devices on a hospital network uniquely increases the risk to patients. The medical devices that patients’ lives depend on cannot be properly managed or protected by traditional IT security tools, leaving them as easy network entry points unless purpose-built security controls are implemented.
Securing Medical Device Security: Key Mistakes to Avoid
The high stakes of securing connected medical devices and other healthcare cyber-physical systems are well understood, but many organizations still make one of the following mistakes:
- Complacency with having an inaccurate and incomplete visibility of the inventory of all the connected devices on the healthcare networks. This includes all specialized IoMT devices as well as associated IT and IoT devices that work together with these medical devices. Laying the foundation of deep and complete visibility is where effective cybersecurity and hence patient safety starts.
- Attempting to use IT security tools to secure medical devices. IT security tools are not compatible with the protocols used by medical devices, and in most cases, attempting to use them will often do more harm than good.
- Managing medical device security separately from IT security. When cybersecurity silos form within a healthcare organization, it leads to situations in which isolated teams fail to defend against cyber threats in a coordinated manner. To present a unified front against threats to patient privacy and safety, healthcare organizations must adopt a converged approach to cybersecurity.
- Ignoring the need to identify the security blind-spots on the healthcare connected assets because they may be difficult to patch. Where patching is a possibility, remediation can be considered and where it is a constraint, other means of vulnerability shielding can be used to safeguard against exploitation of a resident vulnerability. But using the approach of not exposing the weaknesses leads to an increasingly vulnerable situation potentially compromising patient safety.