APAC healthcare providers losing $23m to cyber attacks

Cyber attacks could cost healthcare organisations in the Asia-Pacific (APAC) region an average of $23.3m, underscoring the growing risks faced by an industry that is increasingly adopting data analytics and online platforms to improve patient care.

According to a Microsoft-commissioned study by Frost & Sullivan, these losses comprise direct losses stemming from customer disruption, fines and productivity losses ($10.5m), as well as indirect losses from customer churn and falling share prices ($12.8m).

Kenny Yeo, industry principal for cyber security at Frost & Sullivan, said as more healthcare organisations in APAC go beyond digitisation and focus more on innovation, it has become critical to build a strong digital foundation underpinned by security and compliance.

“Embedding security and privacy into all aspects of digital interactions is not an option anymore – it needs to be mandated, and even more so for healthcare organisations as they handle sensitive and confidential data,” he added.

The clarion call to shore up cyber security comes amid several high profile cyber attacks aimed at healthcare organisations across the region in the past year alone.

In July 2018, the Singapore government revealed that the non-medical personal details of 1.5 million patients had been illegally accessed and copied in a deliberate, targeted and well-planned cyber attack. About a month later, Hong Kong’s health department reported that some of its computers were hit by ransomware, blocking access to healthcare-related data.

Australian healthcare organisations were not spared from data breaches either. Nearly a quarter of data breaches reported under Australia’s mandatory data breach regime took place in the healthcare sector, shortly after the notification rules kicked off in February 2018.

The reality could be worse, given that almost half of healthcare organisations in APAC – according to Frost & Sullivan’s study – had either experienced a security incident or were not sure if they had had a security incident as they had not performed proper forensics or data breach assessment.

Despite being high-profile targets, healthcare organisations appeared to be ill-equipped to mitigate and respond to cyber threats, with a significant number of respondents (42%) taking a tactical view of cyber security to only protect their organisations.

Less than one in five (19%) viewed cyber security as a business differentiator and an enabler for digital transformation, while only 18% who had encountered cyber threats considered building a cyber security strategy prior to initiating a digital transformation project, as compared to 33% of those that had not experienced any attack.

To fend off cyber attacks, four out of five (81%) healthcare organisations said they have either adopted or are considering an artificial intelligence (AI)-based approach to enhance their cyber security strategy.

A separate study by KPMG found that 86% of CEOs believed AI will be the silver bullet for cyber security challenges, but at least one expert has called for the need to tamper expectations surrounding the technology.

Daryl Pereira, partner and head of the cyber security practice at KPMG Singapore, said although AI can detect anomalies and security issues faster than humans can, the same tools are also available to cyber criminals.

There is also a lack of understanding about how AI applications learn, which could lead to the exploitation of weaknesses in an organisation’s cyber security set-up, he said.

“AI is not a silver bullet – when you look at the technology, you have to make sure that senior management is aware of its risks and you don’t invest in it unless you already have good cyber hygiene.”