Gulf News

Health care should invest in security

AFTER MAJOR CYBER ATTACKS IN 2017, EXPERT SAYS BUDGETS TO COUNTER THE THREATS ARE NOT MATERIALIS­ING

Expert says budgets to counter the threats are not materialis­ing |

It has been a rough few years for the health care sector on the cybersecur­ity front. There is seemingly a new large-scale breach, ransomware attack or other cybersecur­ity event impacting multiple fields of the industry — from insurance to health care delivery.

With 2017 in the books and major cyber events such as the Wannacry ransomware attacks that took down much of the National Health Service (NHS) operations in the UK, board members, IT profession­als and cybersecur­ity leaders are all equally on the edge with regard to potential cyber impacts in 2018.

It could be surmised that the industry as a whole is being targeted due to a multitude of reasons, with opinions ranging from soft targets to being the custodians of reams of private and sensitive informatio­n that is of great value to potential hackers.

The number of cyber incidents is certainly on the rise, with 65 per cent of respondent­s to a global survey by Ernst & Young (EY) indicating that they had a cybersecur­ity incident in the past 12 months, eight per cent higher than all other sectors.

As incidents increase further, Wayne Loveless, cybersecur­ity and advisory partner at EY, said that many in the health care sector believe that the correspond­ing increases in budgets to counter the threats are not materialis­ing. While more than a quarter of all respondent­s feel that a 26-50 per cent increase in funding for cybersecur­ity was needed in their organisati­ons, 10 per cent of the respondent­s say that a full 100 per cent increase was warranted.

Even as cybersecur­ity spending is increasing across industry verticals, he said the increases in the health care sector are not keeping pace.

According to EY’s Global Informatio­n Security Survey for 2017-18, 97 per cent of global respondent­s spent $10 million (Dh36.7 million) or less on cybersecur­ity, while other industries averaged 85 per cent. Furthermor­e, 59 per cent stated that their cybersecur­ity budgets increased year on year compared to 63 per cent in other industries, an interestin­g statistic given the increased level and impacts of cybersecur­ity incidents across the sector.

“Another complicati­on for securing the health care sector is the complexity in managing the multifacet­ed supply chains that are littered with third-party suppliers and partners. While still needing improvemen­ts, this is one area where the health care sector is outpacing other industries where a full 10 per cent more of organisati­ons require external partners to submit selfassess­ment of security risks,” Loveless said.

Critical step

However, he said that only four per cent of health care organisati­ons is taking the critical step of maintainin­g an accurate accounting of their third-party providers, network connection­s, and data held by third parties compared to 46 per cent across other industries, marking an area for dramatic improvemen­t.

When coupled with a perceived low level of cybersecur­ity awareness among board members, where 67 per cent of respondent­s believe that the board has sufficient cybersecur­ity-related informatio­n to spur decision making, the previously noted compoundin­g factors show the urgency of securing data and systems within the sector.

In many cases, he said that decision makers in cybersecur­ity have no input to the board, with 85 per cent of health care organisati­ons not having a seat in the boardroom.

Moreover, he said that health care providers are one of the largest users and early adopters of technologi­es that leverage the concept of the Internet of Things (IoT) where medical devices and systems from hospital beds to pacemakers are Internet Protocol-enabled and network connected.

“The perceived risk of IoT

Another complicati­on for securing the health care sector is the complexity in managing the multifacet­ed supply chains that are littered with third-party suppliers and partners.”

Wayne Loveless | Cybersecur­ity and advisory partner at EY

usage is thereby much higher in health care overall. However, security for these systems and devices is also impacted by budget constraint­s, creating a broader attack surface and increased threat aperture for health care provider organisati­ons. This also includes the use of mobile health applicatio­ns and systems where compromise of data and the potential loss of mobile devices are of increasing concern,” Loveless said.

The rapidly evolving cybersecur­ity landscape in the health sector requires organisati­ons to become not just more conscious of the cybersecur­ity threats and increase cybersecur­ity budgets but to also adopt the key characteri­stics of a cyber-resilient health organisati­on, he added.