Cybersecurity considerations: Healthcare sector insights

Data breaches – Protected health information (PHI) has always been a lucrative target for cybercriminals. PHI breaches can lead to medical fraud through manipulation of medical records or impersonation for access to prescription medications. This could result in reputational damage and erosion of patient trust.

Outdated technology – Extensive use of outdated technology and infrastructure often leaves the door open to vulnerabilities that cybercriminals can exploit. Revamping the technology function remains a costly and time-intensive endeavor and is often a barrier to change. However, the same KPMG research showed

Insufficient staff training – Given their education and job responsibilities, many healthcare employees may lack an understanding of basic cybersecurity protocols. Without adequate training, there is a greater risk of threats such as phishing.

Regulatory non-compliance – Around the world, healthcare organisations operate under strict regulatory rules regarding patient data. Failure to comply with these regulations can lead to severe penalties.

End point complexity – Healthcare systems have unique endpoint complexity challenges due to their large groups of employees and vast physical infrastructures. With this comes organisations having to manage the devices used by thousands of staff, patients, and visitors.

Interoperable EHRs – A recent research report by the Partnership for Healthcare System Sustainability and Resilience touted the benefits of establishing interoperable clinical databases and EHRs as a “goal of the utmost importance for all health systems”. This report also stated that these systems “have the potential to greatly improve the everyday care of patients and create a rich and complete source of population-wide data to aid with planning and implementation of services, as well as research and development of new technologies, including artificial intelligence”².  Inoperable EHRs also link to patient portals and permit remote access by medical staff, key to improving experiences for both audiences. While these interoperable systems offer many benefits to healthcare systems, the very nature of the PHI they contain put them at risk for cyber-attack.

Forward-looking investments – To counter the risk of data breaches, organisations are encouraged to invest in advanced data encryption technologies and data breach detection systems. More investment in these areas can help lay a robust foundation for cybersecurity. Based on the KPMG Global Tech report 2024, Healthcare is indeed leading all other industries in prioritising and investing in next level security powered by web3 technologies such as blockchain and tokenisation.³

Efficiency from greater digitalisation – Increased digitalisation and integration of emerging technologies such as AI can help improve operational efficiency and patient care.

Better training programs – Training programs that ensure all staff members are well-versed in leading cybersecurity practices can not only reduce cyber risk but also reinforce a culture of security.

Advanced software systems – To meet complex, evolving regulatory requirements, organisations should invest in more sophisticated, compliant infrastructure and software systems that are future ready.

Vulnerability to attacks – Existing AI systems may have vulnerabilities that can be exploited to access sensitive patient data. Threat actors can weaponise these vulnerabilities. For instance, AI could be manipulated to introduce bias in diagnostics or treatment planning, resulting in compromised patient care.

Privacy concerns – The extensive use of patient data by AI software raises considerable privacy concerns as AI inherently involves accessing, processing and storing large amounts of sensitive data. Some key concerns include:

• Data sharing across platforms – AI systems may need to share data across platforms or with other AI systems for better predictive modeling and analysis. Each data transfer point is a potential security vulnerability.
• Breach of informed consent – When using AI systems, patients may not fully understand what their data may be used for, such as in machine learning algorithms or predictive modeling. In these cases, there might be a breach of informed consent.
• De-identification and anonymisation – AI can rely on de-identified or anonymised data for processing; however, with multiple datasets aggregated, it may be possible to re-identify anonymised data, which could compromise individual privacy.

Need for continuous monitoring – AI systems, due to their capacity for self-learning and making decisions, require continuous monitoring. This is required to check diagnosis accuracy, validate regulatory compliance and check for bias. This is especially important as AI is still in the early stages of integration within healthcare organisations. 

Enhanced precision – With proper security controls in place to safeguard from malicious algorithms, AI can help improve accuracy of diagnostics and treatment planning.

Trust building – Strict data privacy policies around AI can help build patient trust in healthcare organisations by demonstrating their commitment to maintaining patient confidentiality.

Visibility into risks – Robust AI systems can also be integral to running continuous vulnerability assessments for broad organisational technology environments. With visibility into key issues, organisations can identify potential risks in a timely manner and take proactive measures.

Vulnerabilities across the supply chain – The healthcare supply chain's web of suppliers, manufacturers, and service providers compounds cybersecurity challenges. Each vendor might have varying cybersecurity maturity levels, making the entire supply chain vulnerable to the weakest link. Ensuring consistent security measures across such a diverse network remains difficult.

Lack of standardisation – Interoperability and data sharing can pose security risks across the supply chain. The challenge is ensuring data flows securely between different systems, organisations, and devices. This not only requires robust encryption and secure data handling practices but also a level of standardisation that is difficult to achieve.

An improved overall security posture – By demanding higher cybersecurity standards from vendors, healthcare organisations can not only improve their own security posture but also elevate the overall security standards within the sector. This can be achieved through implementing stringent cybersecurity criteria in procurement contracts, conducting regular audits and offering support for smaller vendors to meet these standards.

A more integrated and resilient network – By adopting comprehensive cybersecurity frameworks and promoting interoperability standards, healthcare organisations can create a more cohesive and secure supply chain. This integration can facilitate better data sharing and collaboration, making the supply chain more adaptable to changes and better equipped to respond to cybersecurity threats.