Cyberattacks Can Cost APAC Healthcare Firms $23.3M

Cyberattacks can cost Asia-Pacific healthcare organisations up to US$23.3 million in estimated economic losses, with 45 percent either experiencing or are not even sure if they have experienced a cybersecurity incident. In addition, just 18 percent amongst those that have experienced such threats looked at establishing a cybersecurity strategy before rolling out a digital transformation project. In comparison, 33 percent of their peers that have not encountered such incidents considered a cybersecurity component before doing so.

The remaining 49 percent either looked at cybersecurity only after they had embarked on their digital transformation initiatives or did not even consider security at all, according to a study conducted by Frost & Sullivan and commissioned by Microsoft. The survey polled 1,300 respondents from 13 Asia-Pacific markets, including China, India, Singapore, and Australia, of which 11 percent were from the healthcare sector.  

It found that 42 percent of healthcare organisations adopted "a tactical view" of cybersecurity to safeguard the company against attacks, with 19 percent turning to cybersecurity as a business differentiator and digital transformation enabler. The lack of emphasis on security as an enabler resulted in their application of such tools as a "bolt-on", the study noted, adding that this could lead to cybersecurity risks and vulnerabilities as well as impede efforts to build a "secure-by-design" digital project. 

In the event of a cyberattack, a large healthcare organisation could incur an average of US$23.3 million in economic losses, while a midsize company could lose an average US$17,000. Losses were assessed based on direct impact, such as loss in productivity and remediation cost, as well as indirect such as from customer churn due to the negative impact on brand reputation.

The biggest economic impact was from the loss of customers, while 60 percent of cyberattacks on healthcare companies in the past year had led to job losses across different functions. 

Web defacement and data exfiltration had the highest impact and often resulted in the slowest recovery time, the study revealed. It added that 50 percent of healthcare organisations running more than 50 cybersecurity tools took more than a day to recover from cybersecurity attacks, while 79 percent operating between 11 and 25 tools took less than an hour. 

In addition, 65 percent had pushed back their digital transformation efforts over concerns about cybersecurity.

Frost & Sullivan's industry principal of cybersecurity Kenny Yeo said: "With more and more healthcare organisations in Asia-Pacific moving beyond digitisation into transformation and rallying with innovation, building a strong foundation with security and compliance has become critical. Embedding security and privacy into all aspects of digital interactions is not an option anymore--it needs to be mandated, and even more so for healthcare organisations as they handle sensitive and confidential data."

Microsoft's Asia regional business lead for worldwide health Keren Priyadarshini concurred, noting that healthcare records were highly personal and sensitive and security breaches could be detrimental to healthcare organisations. "If patients' records are stolen, their private data may be traded in the underground economy to be exploited by cybercriminals for scams and frauds and, worse still, it could cause tremendous trauma to the patients," Priyadarshini said. 

She added that a patient's safety and well-being was invariably tied to a healthcare organisation's ability to safeguard private and personal data. "When a medical institution is hit with a cyberattack such as ransomware, critical care treatment needed by patients can be delayed and non-emergency cases can be forcibly canceled as doctors are unable to access patient's medical information or the accuracy of the data becomes questionable as cybercriminals could have changed the data values," she said. 

Singapore's Ministry of Health last month revealed that personal information belonging to 14,200 individuals diagnosed with HIV had been leaked online and the data of another 2,400 people listed as part of a contact tracing process also had been exposed. Their name, identification number, contact details including phone and address, as well as HIV test results and related medical information had been leaked, the ministry said. 

In July 2018, personal data of 1.5 million SingHealth patients also was compromised in Singapore's most severe data breach, to date, and found to be the result of misconfigured IT systems and IT staff who lacked cybersecurity awareness and resources.

RELATED COVERAGE

Data of 14,200 diagnosed with HIV in Singapore leaked online

Personal information belonging to 14,200 individuals diagnosed with HIV has been leaked online by an American living in Singapore and who had illegally accessed the data, reveals the country's health ministry.

Firms fined $1M for SingHealth data security breach

SingHealth and Singapore's public healthcare sector IT agency IHIS have been slapped with S$250,000 and S$750,000 financial penalties, respectively, for the July 2018 cybersecurity attack that breached the country's personal data protection act. The fines are the highest dished out to date.

Employees sacked, CEO fined in SingHealth security breach

Two staff members have been fired for negligence and five senior management executives, including the CEO, were fined for their "collective leadership responsibility" in Singapore's most serious security breach, which compromised personal data of 1.5 million SingHealth patients.

SingHealth breach review recommends remedies that should already be basic security policies

The review committee also finds IT staff to be lacking in cybersecurity awareness and resources and SingHealth's network misconfigured with security vulnerabilities, which helped hackers succeed in breaching its systems.

SingHealth data breach reveals several 'inadequate' security measures

Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.