The Global State of Information Security Survey 2015, released by PwC, showed that reported cyber security incidents globally rose 48% costing SG$54.7 million in 2013, representing 117,339 attacks daily. In fact, detected cyber incidents have been rising at a compound annual rate of 66 % since 2009. Security threats are looming more than ever before as the healthcare industry is steadily adopting more technologies in a bid to retain competitiveness, improve operational efficiencies and eradicate medical errors.

PART 1: TOP 10 SECURITY THREATS TO HEALTHCARE IT ACROSS THE GLOBE

Desktops and Point-of-sale systems

The Verizon Data Breach Investigation Report (DBIR) gave us insights on the motivations and operations of cybercrime based on research carried out between 2011 and 2013. This chart will tell you that profit drives most healthcare cybercrimes:

Embedded Devices

Connectivity made easy creates problems even as they solve problems. The same seamless connectivity which made tracking and recording convenient opens up healthcare IT networks to cyber threats of all forms including viruses. Threats were a lot more restricted when we were all using just desktop PCs.An example in point occurred with the Hospira Lifecare Drug Infusion Pump. A hacker can use the built-in Ethernet port to extract the Wi-fi data and seize control of all the units in the hospital. It gets extremely dangerous as the hacker can alter drug settings, dosages, or crash the units entirely. The US FDA has issued warnings on Hospira’s PCA3 and PCA5 infusion pumps.

Mobile Devices

HIMSS’ 2015 Mobile Technology Survey received responses from 238 healthcare which revealed that mobile technology is increasingly used in patient services. Of particular interest is that at least 50% of mobile data was integrated into patient health record. Transfer also takes place the other way, where patient data is downloaded by both patients and healthcare service providers onto mobiles devices. Seamless data traffic is great but comes with tremendous risks if unmanaged.

Device Theft and Loss

Infoworld Tech Watch highlighted data from the October 2014 California Data Breach Report, compiled by the California Department of Justice, showing that 70 percent of losses sustained was due to physical theft. Such theft was defined as lost or stolen hardware or portable media containing unencrypted data. Bitglass, a security vendor, analyzed Health and Human Services data to report that only 23 percent of data breaches since 2010 were hack-related; the rest were through “loss or theft of employee mobile devices with information on them.” Such corroborations of findings flag out the critical need to secure hardware, software and data.

Hackers targeted specifically at personal details such as bank account details. It is also possible that your data could be used to apply for credit facilities. Health data does not seem as appealing since it requires extra efforts to convert them to money.

Multiple Devices

Healthcare institutions are equipped with many different types of devices. It gets more complicated as healthcare workers adopt their own devices for professional use. Consumer IT adds risks to network security which are already numerous and difficult to solve.

Devices linked to healthcare networks

HIMSS Asia Pacific Exclusive Article

Insider Breaches

The Joint Commission accredits and certifies more than 20,500 health care organizations and programs in the United States. Based on a study conducted between 1 Jan 2010 and 30 June 2013, participating hospitals reported 120 HIT-related events. Of the 120 cases, about 33% had to do with human-computer interface usability issues while 24% were related to HIT support communication and 23% arose from design or data issues relating to clinical content.

One incident involved a chest X-ray being mistakenly ordered and performed for the wrong patient when the incorrect room number was clicked. Another involved a physician accidentally choosing the wrong method of injection from a drop-down menu.

Cyber Attacks through Malware

Komando reported on 9 June 2015 that cybersecurity company TrapX had detected intrusions on blood gas analyzers, a picture archive and communications system and an X-ray system while installing its technology in three hospitals.

TrapX had found malware Ransomware, Zeus, Citadel, and Conficker on the devices. These malware made remote control of the devices possible.

Users, Passwords and Social Media Sharing

Most healthcare workers—physicians, nurses, clinicians, specialists and administrators—use passwords to access HIT. With online portals made accessible, patients need passwords too.

Easy-to-crack passwords will continue to be a big risk in 2015, analysts said. Symantec’s Sian John alerted that weak passwords led to many of the high-profile attacks such as the recent iCloud attack.

System Failures

Research from the 2014 Veterans Health Administration study indicated that over 50% of the adverse events reported in 100 closed safety investigations stemmed from causes such as system failures, computer glitches and false alarms.

User Errors

The same research input error or a misinterpretation of displays accounted for another 25% of the incidents. Not forgetting weak passwords, human fallacies continue to contribute significantly to HIT security threats.

Breaches and Malware Inherent Flaws

HIMSS Asia Pacific Exclusive Article | 02

PART 2: TOP 3 RISKS IN ASIA PACIFIC

Global Business Links and Third-party Risks

The PwC-released Global State of Information Security Survey 2015 discovered that a 64% surge in security incidents in Asia Pacific could be traced to market competitors. Some were suspected to be backed by nation-states (with China, Hong Kong and India accounting for most). About half of the respondents from China pointed to competitors as the source of security incidents, higher than any other nation.

While financial losses arising from security incidents has increased 22% over 2013, Asia Pacific saw a 13% decline in information security budgets in 2014.

The resolve to combat security threats needs to be strengthened.

Wide-spread Attacks in South East Asia and India

According to FireEye’s report titled “APT 30 and the Mechanics of a Long-Running Cyber-espionage Operation” (APT refers to Advanced Persistent Threat), there are worrying trends of a Chinese government-backed hacking body active since 2005. Apparently, the group’s main targets are governments and journalists across Southeast Asia and India.

So, what are the 3 top risks for Asia Pacific? Arguably, the following 3 grabbed our attention:

FireEye told eWeek that the group tended to use lures, especially those topical to the work of their victims. It would help to be more cautious of unexpected email, more so if you work on China issues.

Attack Tactics Getting More Sophisticated

In its H1 2014 Targeted Attack Trends Report for the Asia Pacific (APAC) region, Trend Micro informed that threat actors targeting the region are continually refining their targeted attack tactics. Constant ‘upgrading’ has enabled them to remain undetected.

Up to 80% of the targeted attack malware is expected to come via spear-phishing emails to employees in target organizations. Beware of email attachments such as Microsoft Office documents (57%), Trojans or Trojan spyware (53%) and RAR files (19%). Backdoors including those which could carry out remote commands, meanwhile, accounted for 46% of overall attacks.

HIMSS Asia Pacific Exclusive Article | 03

PART 3: WAYS TO MITIGATE RISKS

Establish Regional Healthcare IT Risk Management

Example: Deloitte Risk Innovation Centre which opened in May 2015 will drive innovative solutions in three priority initiatives – Cyber Risk, Future Healthcare and Smart Governance in South East Asia.

Secure Portable Devices and Sensitive Data in Healthcare

Example: Use multi-factor passwords and include token use.

Example: Use encryption software to protect sensitive data.

Everyone who lives in this cyber interconnected age has a responsibility to use cyber tools responsibly. Never fail to guard against the threats that come with it.

Protect Data Traffic along Network Pathways

Example: Egress filtering, which is monitoring, controlling and potentially restricting the flow of outbound information, will ensure unauthorized or malicious traffic never makes it to the Internet.

Assess and Test.

Example: Healthcare bodies should continually assess systems for potential vulnerabilities and fortify them without getting mired in unnecessary rules and regulations for attestation nor overlook overall needs.

PART 4: THE QUESTION OF BYOD

The benefits of BYOD are plenty. It has allowed healthcare organizations to reduce costs since employees can use their own personal devices for work purposes. Even though the company may need to invest in security and/or device management, this will still cost much less than buying devices for all employees.

BYOD has made working remotely and on-the-go convenient and efficient. Healthcare professionals no longer need to return to their work-desks from another onsite location or back to the office on rest-days whenever they need to check or retrieve a piece of information. These represent significant time savings. Clinicians also get greater comfort from using devices they are comfortable with. This is important since they would not have to tinkle with unfamiliar devices, wasting time and feeling frustrated. It will be more productive as well.

BYOD brings with it many conveniences. However, risks exist and require preventive measures.

Bring Your Own Device (BYOD) refers to the practice of allowing employees to bring and utilize their own computing/mobile devices—smartphones, tablets, laptops, etc.—within the office/company to be used for business/work purposes, including allowing them to connect

to a company’s secure network with said devices.

1

2

3

4

• Exposing the secured network to malicious apps and other malware

• Making company content available to others without being aware of it

• Leaking data through USB sticks, Dropbox and cloud backups or other apps

• Mixing personal and private data, leading to unintended data swap

• Crowding the data channels

• Straining technical support since the lines where business and personal have blurred

• Losing mobile devices through personal oversight or theft with whatever data or access possible with these items

It is, therefore, important to look for mitigating factors in this phenomena which has been rising since 2009.

Employees often use personal devices to access unsecured Wi-Fi networks or applications, opening up ‘doors’ for hackers to enter. Other risks include:

HIMSS Asia Pacific Exclusive Article | 04

• Avoid unsecured Wi-Fi networks

• Use a Virtual Private Network (VPN) or virtual desktop infrastructure (VDI) when working outside the office.

• Encrypt to add another layer of protection to patient information, as well as company and personal details

• Authenticate with multiple factors instead of using only a username and password access points

• Grant delivery of information based on roles within the healthcare environment and allow only types of information to be transmitted remotely

• Do not install software or mobile applications (apps) from unknown sources. (For the first quarter of 2013 alone, there were 932 cases of online banking malware victims in Singapore, out of 112,981 cases reported globally.)

• Do not postpone anti-virus and patch updates

• Lock and look after your devices

• Enable data wipe on your device, in case your device is lost or stolen.

Cyber threats will never cease. Securing information must become as critical as creating and accessing that same information.

References:

http://www.nextech.com/blog/byod-in-healthcare-pt.-1-pros-cons-of-adopting-byod)

http://digital.asiaone.com/digital/news/staffs-mobile-devices-big-cyber-security-threat

http://www.nextech.com/blog/byod-in-healthcare-pt.-1-pros-cons-of-adopting-byod

http://www.mis-asia.com/resource/guest-blogs/patient-privacy-the-byod-risk-in-healthcare-organizations/

http://www.enduserexperience.info/articles/767506/patient-privacy-the-byod-risk-in-healthcare-organi/

http://events.futuregov.asia/articles/2012/aug/01/aus-e-health-drives-demand-byod/

https://www.dlapiper.com/en/us/insights/publications/2014/09/bring-our-own-device/

http://searchhealthit.techtarget.com/podcast/Podcast-Creating-a-secure-BYOD-environment-in-hospitals

http://www.cleardata.com/knowledge-hub/cloud-based-vdi-enhances-healthcare-byod-security/

http://sbr.com.sg/information-technology/commentary/10-ways-singapore-byod-users-help-secure-network

http://www.techrepublic.com/article/the-right-medicine-prescribing-byod-for-healthcare-it/

http://www.securedgenetworks.com/blog/6-Tips-for-BYOD-in-Healthcare

http://www.beckershospitalreview.com/healthcare-information-technology/top-3-security-threats-to-the-healthcare-industry-tips-to-avoid-them.html

http://www.healthcareitnews.com/news/top-5-security-threats-healthcare

http://www.cnbc.com/2014/12/19/top-5-cyber-security-risks-for-2015.html

http://www.healthcareinfosecurity.com/interviews/healthcares-biggest-security-threats-i-2055

http://www.bankinfosecurity.com/webinars/cloud-computing-in-healthcare-key-security-issues-w-200

http://www.pwc.com/sg/en/pressroom/pressrelease20141009.jhtml

http://www.idc.com/getdoc.jsp?containerId=prUS25270114

http://www.networksasia.net/article/security-threats-hackers-and-shadow-it-still-plague-health-it.1435888842

http://apac.trendmicro.com/apac/about-us/newsroom/releases/articles/20141119042842.html

http://business.asiaone.com/news/singapore-tackles-skills-gap-cyber-security-sector

http://events.futuregov.asia/articles/2009/jun/15/mobile-workforce-poses-threat-govt-cyber-security-/

http://www.forbes.com/sites/danmunro/2015/05/10/defenders-unite-against-cyber-threats-in-healthcare/

http://www.himss.org/library/healthcare-privacy-security/risk-assessment/mitigation-strategies

http://www.cio.com/article/2824080/hipaa-security-privacy/165675-12-tips-for-responding-to-rising-healthcare-it-security-threats.html

https://www.manageengine.com/products/netflow/healthcare_it_risk_mitigation.html

http://searchsecurity.techtarget.com/feature/How-to-assess-and-mitigate-information-security-threats

http://healthitsecurity.com/news/identifying-and-mitigating-healthcare-it-security-risks

http://ihealthtran.com/pdf/Successful%20Strategies%20for%20Healthcare%20Security_Privacy.pdf

http://www.healthcareitnews.com/news/6-tips-mitigate-cloud-computing-risks

http://www.healthcareinfosecurity.com/interviews/wearable-devices-security-risks-i-2764

Ways to overcome these risks include:

HIMSS Asia Pacific Exclusive Article | 05

HIMSS is committed to creating conducive Healthcare IT environments. Participate in our community engagement events.

Upcoming webinars:Topic: Strategy for Interoperability in eHealth between Countries and their Respective Healthcare OrganizationsWebinar Leader: Prof. Henrique Martins, MD, MPhil, PhD, CEO, Shared Services, MOH Portugal; President of the SPMS Board; EXPAND Project Coordinator, PortugalDate: Wednesday, 30 September 2015Time: 3pm – 4pm, Singapore timeClick here for registration details.

In Partnership with (with LIVE Q&A Session!)

Topic: HIMSS Analytics and Qlik Research Program: Review and Key Findings Webinar Leader: This is a rebroadcast of a US webinar by John Hoyt, Executive Vice President, HIMSS Analytics which will be followed by a LIVE Q&A session with David Bolton, Senior Director Market Development for Public Sector and Healthcare, QlikDate: TBCTime: TBCDetails will be posted shortly on www.himssasiapac.org. Stay tuned.

Upcoming Roadshow: HIMSS Asia Pacific Bangkok Roadshow and EMRAM Workshop:Date: Tuesday, 24 November 2015Theme: Data and Analytics – Clinical IntelligencePricings:RoadshowGovernment and Healthcare Providers: FreeVendors / Consultants: USD200

EMRAM Workshop USD150 per ticketClick here for registration details.