Pankit, a veteran of the IT industry, brings 20+ years of hardcore technology and leadership experience from the information technology industry to lead Sequretek. Prior to Sequretek, he was with Rolta as the President of Business Operations. He has also served in senior leadership capacities with NTT Data Inc, Intelligroup, Wipro and IBM India. His vast experience has given him the ability to manage and scale global business units and service lines rapidly and efficiently.
The past several months have tested humanity in more ways than one. Citizens, corporations, and governments all have had to re-invent their routines while minimizing disruptions. No other segment, however, has been more impacted than healthcare. From being on the frontlines of this war to adopting technology at an unprecedented speed and level, they have shown exceptional adaptability. There is no doubt that this transformation played an essential role in reducing the health impact of the pandemic.
What constitutes healthcare
The word “Healthcare” is pretty broad and is sometimes used interchangeably with “Health care.” While the first describes the industry and the ecosystem it creates to focus on and facilitate human well-being, the latter is targeted at an individual, as in taking care of a patient or offering treatment.
The major constituents of the “Healthcare” industry, therefore, will be the triumvirate of “3Ps”:
- “Patient,” a consumer of the service offered by the industry
- “Provider” includes Caregivers – hospitals, doctors, nurses, support staff; Manufacturers – pharma companies, medical devices; Service providers – pharmacies, laboratories, research, clinical trials
- “Payer” comprises Insurance companies – who become the aggregator of financial risk; Governments – who step in as a backstop to the sector; Corporates – who look to offer coverage as part of employee benefits
The above is not an exhaustive list but a representative picture of the entire healthcare ecosystem.
Healthcare to Healthtech
Harold Wolf, President and CEO of Health Information and Management Systems Society, while sharing his thoughts around innovation and technology at the “Future of Med 2020” conference, mentioned: “Digital health and health tech tools and capabilities have long been recognized as providing credible support for most of these challenges. With the pandemic and the advanced tools today, they’ve really put the spotlight on the capabilities and the opportunities for digital health.”
Traditionally, technology consumption in the healthcare segment has been slow, barring a few exceptions. However, in the recent past, each of the “3Ps” has been forced to embrace tech like never before. For “Patients,” it has meant interacting and getting treated using video calls and WhatsApp. Physical touchpoints have been reduced to only extreme cases.
The “Providers” have had to innovate the most, taking in technologies that offered easy access, contact tracking and tracing, logistics of distribution, and redefined and distributed supply chains, along with new vaccines and drugs and the repurposing of existing ones for treatment. Technologies like IoT, Industry 4.0, genomics, and mRNA found a firmer footing in the ecosystem. The “Payers,” on the other hand, as per a recent McKinsey report, were also forced to rethink financial guarantees, streamline their pre-authorization processes, and restructure their contracts, including new value-based payment arrangements, all in an effort to help support providers during the challenges of COVID-19 disruptions.
Can cyber risks be far behind?
Almost on cue, as the COVID-19 virus started impacting the world, another virus, albeit of the computer kind, began holding the healthcare world hostage. According to Ponemon, healthcare has the highest cost of a data breach at $7.1 million per breach (a 10% increase over 2019), while Tenable suggests healthcare was the most-hit segment in 2020.
Why the attacks?
The rapidity and magnitude of the transformation, enabled by a close alignment between business needs and technology drivers, have resulted in several unintended challenges, which are key to the increased cybersecurity risk for all of the 3Ps.
As per the Ponemon 2020 report, 50% of the breaches in the healthcare segment were linked to malware attacks, with the balance split almost evenly between poorly configured systems and human errors. The healthcare industry spends an average of 4% of its IT budget on security, against 15% in financial services (2021 Security report by Herjavec Group), which results in less than a quarter deploying security automation, making them an easier target.
Beyond the sector-specific issues, other pandemic-specific dynamics have crept in for the Providers and the Payers:
- Interchangeable use of assets for professional and personal purposes, making it easier for attackers
- Inadequate testing of newly transformed digital processes for remote access creates loopholes
- Difficulty in enforcing corporate security policies around patching, malware detection, and secure networks
As far as the challenges for individuals (Patients) are concerned, they stem from the following:
- Most of the individuals consuming the technology online are digital novices like kids, senior citizens, and homemakers. A general lack of security awareness in this segment potentially exposes them to social engineering attackers.
- A lot of personal information is now getting shared on public platforms (though encrypted) like WhatsApp. There isn’t much accountability on how and where this data will end up.
What are the steps companies and individuals can take?
In this always-on world, a permanent vigil is an essential element of staying ahead of cybersecurity threats. It starts with a change in mindset where all the constituents, i.e., users, implementers, and securers of technology, shoulder their responsibility to ensure that there are no loopholes for someone to exploit.
Social engineering is the most effective attack vector that targets the users, especially the digital novices. We have all spent enough time traveling through airports to have heard the constant announcement on PA systems: “if you find any unidentified or suspicious object at the airport, it needs to be reported to the security staff.” This one statement has stopped more bomb attacks than all other security measures put together. In much the same way, there is a need to build awareness and curb our instincts of Curiosity, Hubris, Apathy, and Ignorance, which attackers use to carry out social engineering attacks.
Most technology implementers lack an understanding of security best practices and hygiene; this, coupled with time pressure, results in poorly designed, coded, and tested technology projects. It is only during subsequent audits or a breach that one realizes which loopholes were overlooked. Organizations need to incorporate security practices into the gating criteria for design and project go-live.
Security professionals have the unenviable job of being the last line of defense, with their budgets viewed more as a cost line item than a risk premium. They need to understand and talk business context; this will allow the organization to make decisions that align with the risks it faces. As per a recent report by FireEye, 35% of companies’ security products have overlapping features, and 80% of the products are misconfigured, leading to gaps in cyber defense. Therefore, it is essential for security professionals not to get caught up in three-letter-acronym products and their feature sets. They need to look at what exists in their environment, ensure it is appropriately implemented, and follow it up with a proper monitoring and response mechanism before looking at additional investments.
In summary
The reality of “Healthcare” being “Health-Tech” is already upon us, and the pace set during the past few months will only accelerate, resulting in an increased security risk. While several countries have woken up to this threat and legislated compliance controls, some laggards still exist in the race. A combination of increased technology consumption, leading to higher security risk and therefore onerous compliance, creates a vicious cycle. For the stakeholders, this means that unless they take proactive steps to build the security framework into their day-to-day operations, it may be too high a barrier to overcome.