An appreciation for the importance of cybersecurity in healthcare institutions with insights from Chief Technology Officer (CTO) for Asia Pacific and Japan of Aruba, a Hewlett Packard Enterprise company, Carlos Gómez Gallego.
Since 2011, the National Electronic Health Record (NEHR) in Singapore has been rolling out in stages to both public and private healthcare institutions throughout the country. The Ministry of Health, Singapore and the Integrated Health Information Systems (IHiS) have worked with precautionary measures to make the system secure. All these were done to support one goal, “One Patient, One Health Record”, thus providing healthcare professionals a consolidated and holistic understanding of a patient’s history.
Despite the clear benefits of having electronic health records (EHR) for disease management and improving the quality of patient outcomes,[1] there are risks that the use of EHR entails. The increased use of Internet of Things (IoT) devices in healthcare for patient self-management of disease also provides another potential access point for security breaches.
In the past years, Singapore has been vulnerable to a number of cyberattacks. A survey conducted in January 2019 by Carbon Black showed that 92 percent of organizations in Singapore have experienced an increase in the number of attacks.[2] In mid-2018, Singapore saw one of its worst cases of cyber-attacks hit its largest healthcare institution, SingHealth. This attack involved the data breach of one and a half million records of patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1st May 2015 to 4th July 2018.[3]
With all these cybersecurity risks and the rise of digitalization of healthcare, more has to be done to safeguard sensitive patient data and at the same time leverage digital transformation for better patient outcomes. Carlos Gómez Gallego, CTO, Asia Pacific and Japan of Aruba, a Hewlett Packard Enterprise company, enlightened us on what the networking and security solutions company does to empower healthcare institutions to ensure that proper cybersecurity protocols are in place.
How important is cybersecurity for healthcare institutions?
As industries undergo digital transformations and become increasingly digitized, specifically for healthcare, where patient outcomes depend on technology, the security of information in healthcare systems is key. Ultimately, technology needs to enhance patient outcomes. With all the benefits of technology come its security risks. We need to get the best out of the technology while still protecting personal information generated from patients and healthcare professionals.
Traditionally, in healthcare, we tend to bring the patient to the medical device, and they may consequently be transferred to another room for another test, which is quite inefficient. These days, the idea is that we can bring the technology to the patient. So, if the doctor or the nurse is able to access via wireless networking, for example, information about medical imaging or about patient data, they can, through a tablet for example, show that information directly to the patient and talk them through it. We want all of the benefits from the technology for the patient outcomes, but there is a security risk as well that we need to protect against, and being conscious of that is critical.
What types of cybersecurity would be most catered towards healthcare institutions?
One key concern of cybersecurity is ransomware attacks. For example, if all the computers in the hospital were attacked by ransomware, the healthcare professionals would not be able to look up information about the patient or enter data.
Besides providing the network services to the healthcare professionals, we also provide access for the patients and their families. Particularly for patients who are staying in the hospital for extended periods, we would not want them to be tying up the bandwidth. This is a different type of cybersecurity challenge, and it is an important one as well. We have to ensure that the healthcare professionals have sufficient access to the bandwidth while also providing it to the patients without impacting each other.
As Singapore prepares to welcome 5G networks next year, how will Aruba tie in with the launch?
Aruba does a lot of work on Wi-Fi together with the telecommunications industry. The implementation of 5G is a complementary technology to the current wireless technology. We believe that Wi-Fi will predominantly be for indoor access and 5G will be for outdoor access. Aruba has been providing wireless networks for healthcare systems for many years now, albeit the evolution from 2G to 5G has its role. Many medical devices that are connected to networks mainly connect via Wi-Fi or LAN cable networks. All of them require the right cybersecurity, which is what Aruba does for wireless networks and LAN cable networks.
From reports in previous years, in Singapore we do not have a good track record in terms of healthcare cybersecurity. How will Aruba apply lessons from these attacks?
Firstly, one of the most important things that we can provide to our healthcare customers is visibility in relation to the devices connected to the network. The second step would be the separation of patient devices from staff devices and other medical devices. As mentioned in an earlier question, the separation will be such that these components will not impact each other. For example, we wouldn’t want any patient data to be accessible through the guest network. Another area would be to ensure that the wireless network that is deployed is predominantly secure. Especially in a hospital, we need to ensure that the network is encrypted to prevent any leak of information to those who have access to the wireless network.
Could you elaborate more about the visibility of the network that you mentioned?
Visibility refers to the type of device that is connected to the network in the hospital and whether there might be a potential threat. We are able to provide visibility into whether some of the devices have the latest updates and are not vulnerable to potential cyber-attacks.
The healthcare network is used the majority of the time by healthcare professionals, and maybe most of them are not IT trained. So how do you feel they can play an active role in terms of doing their part for cybersecurity?
In the past few years there have been some very high-profile security breaches, not just in Singapore but globally. The good thing about these is that they can raise awareness of the possibility of such attacks to everyone, thus increasing the general awareness of such attacks.
Communication is one way for healthcare professionals to help mitigate such attacks, for instance if anything suspicious is observed or an email is received from an unknown source. These are general best practices for preventing cyber-attacks that are not specific to just the healthcare industry but applicable across the board.
Healthcare professionals should be seen as part of the solution, not part of the problem, from a cybersecurity perspective. IT teams are shrinking across organizations and have to be able to handle more work. If we are able to make healthcare professionals part of the extended IT team, then organizations will have a bigger team to help address IT problems. Having said that, we need to be clear that healthcare professionals should be focused on the patients and not on being cybersecurity experts. But having a general understanding of cybersecurity and the potential risks of cyber-attacks is also important.
It is also the onus of the IT departments to help communicate and educate the healthcare professionals on cybersecurity and help everyone understand to be part of the solution. [APBN]
1. Wikström, K., Toivakka, M., Rautiainen, P., Tirkkonen, H., Repo, T., & Laatikainen, T. (2019). Electronic Health Records as Valuable Data Sources in the Health Care Quality Improvement Process. Health Services Research and Managerial Epidemiology, 6, 2333392819852879. doi:10.1177/2333392819852879
2. Baharudin, H. (2019, April 2). Nearly all organisations in Singapore have suffered close to 4 cyber-attacks in past year: Survey. Retrieved from: https://www.straitstimes.com/tech/nearly-all-organisations-in-singapore-have-suffered-close-to-4-cyber-attacks-in-past-year
3. The Straits Times. (2018, July 20). SingHealth cyber-attack: How it unfolded. Retrieved from: https://graphics.straitstimes.com/STI/STIMEDIA/Interactives/2018/07/sg-cyber-breach/index.shtml
About the Interviewee
Carlos Gómez Gallego is the chief technology officer of Asia Pacific & Japan for Aruba, a Hewlett Packard Enterprise Company. In his role, Carlos oversees an advanced technology software development team aimed at rapid prototyping and incubating of new innovations around security and IoT. Since joining Aruba, he has served as the Senior Director of Product Management for Network Services, as well as overseeing the launch and management of the highly successful ClearPass product group.