Healthcare data is now more valuable to cyber crooks than credit card or social security numbers and criminals will go the extra mile to obtain it, according to Singapore-based security consultant, Olli Jarva.
Jarva made the comments following the a breach of SingHealth IT system which resulted in the personal data about 1.5 million people, including Singapore’s prime minister Lee Hsien Loong, being illegally accessed and copied.
The Singapore government described the attack, which is reported on Friday, as the “most serious breach of personal data” that the country has experienced. Cyber security is a top priority for the highly digitalised state of Singapore and the ASEAN bloc.
“The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it. This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers,” he said.
Jarva highlighted that it was time that security was ‘built into’ applications that store healthcare data.
“When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within rather than relying on perimeter defence.
“This means that before a single line of code is written, we have already started to map down our potential security problems from a design standpoint,” he said.
Jarva said application security problems can be divided into two parts: flaws and bugs. Most of these software issues need to be caught early so they “don’t come back to haunt us later on,” he said.
“We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it. We need to ‘shift-left’ with our thinking when it comes to security and tackle those issues earlier on in our software development lifecycle.
“If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects many not devastating,” he said.
Jarva said that the healthcare industry shares the same cyber security shortcomings as other enterprises but with some added obstacles – the first being a lack of security and financial resources and expertise to correct this weakness.
Healthcare providers are also dealing with extremely heterogeneous environments. While they may standardise on laptop and servers, that also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners and treatment software such as those used to manage implantable pacemakers.
Finally, Jarva said systems in different parts of a healthcare organisation may not play well with each other – healthcare providers may have multiple business units that may not uniform cyber security effectiveness.
“Electronic health records promise to help practitioners and patients by simplifying the sharing of information,” he said.