“Healthcare organisations require a holistic approach in managing cyber security risks, integrating information technology (IT), business workflow, data management processes, user access control management and disaster recovery.”
Mr Edmond Lai,
Chief Digital Officer,
Hong Kong Productivity Council (HKPC)
Protecting patients' eHRs against different threats has become an important topic for HCPs
The healthcare sector has been facing increasing cyber attacks over the past few years. Protecting patients’ electronic health records (eHRs) against different threats has become an important topic for healthcare providers (HCPs). In view of the high sensitivity of patient data, Mr Lai remarked that HCPs have the obligation to implement adequate safeguards and controls to enhance the privacy and security of every datum collected and uploaded.
“Hackers always try every possible way to attack a computer system,” said Mr Lai. “These attacks will put data privacy, business operations and service delivery at risk.”
Cyber Security Challenges in Healthcare
Many common cyber attacks in the healthcare sector can be damaging to patient privacy. They also seriously affect the business and data that HCPs are responsible for protecting. Mr Lai said phishing emails and ransomware are two common types of cyber attacks on the healthcare sector.
“Ransomware denies users’ access to data by encrypting the data stored in systems until a ransom is paid, while phishing email attacks are attempts to steal sensitive information such as user credentials to commit crimes or access an organisation’s network for fraudulent activities and gain financial benefits,” he explained.
With reference to lessons learnt from cyber security incidents in the healthcare sector overseas, Mr Lai pointed out that there was also rising concern about insider threats. Disgruntled employees, negligent staff and vendors, insecure networks, obsolete software and the like can pose as much risk as cyber criminals.
Ransomware and phishing emails are two common types of cyber attacks. Another threat evolving in healthcare cyber security is related to the Internet of Medical Things
With the advance in technology, Mr Lai added that another cyber threat evolving in healthcare is related to the use of new and emerging medical devices that collect health data and interconnect with healthcare IT systems through the Internet of Medical Things (IoMT).
“With IoMT, medical devices can generate, analyse and transmit data through the Internet automatically. Although it facilitates data capturing and processing to provide easy reference for HCPs, it creates security threats as every connection can bring in a new attack surface,” he elaborated. If the security of IoMT is breached, the infected devices can be turned into a botnet and attack other computers.
Cyber Security Planning by HCPs
As cyber threats proliferate, Mr Lai urged enterprises, including HCPs, to place more emphasis on, and devote more resources to, improving their cyber security posture and enhancing their cyber resilience capabilities.
HKPC has been providing training and consultancy services on cyber security to both public organisations and private companies in Hong Kong. It also manages the government-funded Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) which coordinates computer and network security incident response and provides cyber security advice for local enterprises and Internet users.
“Cyber security is not only about technology. We advocate a holistic approach, incorporating the organisation’s business processes, operations and data to manage and mitigate the cyber security risks it faces.”
HKPC has been providing training and consultancy services on cyber security to both public organisations and private companies in Hong Kong
“It also includes data management and access control to clearly classify data and properly define access rights, as well as communications and disaster recovery mechanisms for organisations to respond and recover expeditiously in times of crisis,” said Mr Lai. He also stressed the importance of raising employees’ awareness of user account management and vigilance against cyber security threats.
“On top of that, the whole security strategy has to be regularly reviewed for compliance and kept updated. Organisations need to conduct security awareness trainings and drills from time to time,” he added.
Noting that some enterprises may not possess cyber security expertise, Mr Lai said that HKPC has been promoting “Security-as-a-Business (SECABiz)”, the inclusion of security solutions in IT vendors’ packaged products as one of the requirements or value-added services. In this way, enterprises are encouraged to install computer systems or software with a higher security standard with a view to preventing cyber attacks.
Use of strong identity verification, such as biometric authentication, can help minimise the risk of data breach
Security Measures at User Side
With the Patient Portal of the Stage Two Development of the eHR Sharing System to be launched in 2020, registered patients can access some of their key eHRs through the Patient Portal mobile application (app). Talking about how to protect data privacy and security in the Patient Portal, Mr Lai suggested the use of strong identity verification, such as biometric authentication, to help minimise the risk of data breach.
On the user side, he highlighted that a good balance between convenience and security should be maintained in order to protect users’ health information. Concerted efforts on education and promotion of cyber security are also vital in enhancing the public’s understanding of potential security risks and measures to guard against cyber attacks.
He suggested some basic mobile device security measures for users of the future Patient Portal:
- Download the Patient Portal mobile app from the official website or the official app stores
- Avoid logging in to the Patient Portal on public devices or over public Wi-Fi networks
- View and store personal information and eHRs on mobile devices on a need basis
- Never root or jailbreak mobile devices
- Create strong passwords for mobile devices and Wi-Fi routers
- Apply software patches in a timely manner
- Update anti-virus software regularly
- Do not open suspicious emails
- Plan for precautionary measures in case mobile devices are lost
New Cyber Security Initiatives for Healthcare Sector
To specifically help healthcare organisations watch out for potential cyber attacks, HKCERT had collaborated with Microsoft Hong Kong to run the “Healthcare Cyber Security Watch Pilot Programme”, tapping its international experience and knowledge on cyber threats for early detection of attacks targeted at the healthcare sector in Hong Kong.
“We will match the IP addresses provided by participating organisations with our cyber threat database for compromised systems, inform them immediately of any compromise detected and help them clean up their compromised systems. The service is free of charge,” remarked Mr Lai and he welcomed all local public and private hospitals, clinics and other HCPs to join the programme.
HKCERT will match the IP addresses provided by participating organisations of the "Healthcare Cyber Security Watch Pilot Programme" with their cyber threat database for compromised systems, inform them of any compromise detected and help them clean up their compromised systems
“All organisations, regardless of industry, location or size, are possible targets of cyber attacks. To increase awareness on cyber security risks in the healthcare sector, HKCERT will continue to keep an eye on the latest development and provide tailor-made trainings and guidelines to assist the industry in detecting, containing and eradicating cyber security incidents,” Mr Lai concluded.