Cyberattacks could cost large Asia-Pacific healthcare groups an average of $32 million: study

For mid-sized healthcare organisations, economic loss was found to be an average of US$17,000. (PHOTO: Getty Images)

A cyberattack could cost a large healthcare organisation in Asia-Pacific an average of US$23.3 million (S$31.7 million) in economic losses, according to a joint study by Microsoft and market research company Frost & Sullivan.

For mid-sized healthcare organisations – defined as groups with 250 to 499 staff – the economic losses were found to be an average of US$17,000. The study also defined large healthcare organisations as those with 500 or more staff.

The study’s findings, released on Tuesday (12 February), also showed that almost half – 45 per cent – of healthcare organisations in Asia-Pacific had either experienced a security incident or were not sure if they had had a security incident as they had not performed proper forensics or data breach assessment.

Launched in May last year, the “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” study involved a survey conducted with 1,300 respondents from 13 markets, including Singapore.

The other markets were Australia, China, Hong Kong, Indonesia, India, Japan, Korea, Malaysia, New Zealand, Philippines, Taiwan, and Thailand.

Out of the 1,300 respondents, all business and IT decision-makers involved in shaping their organisations’ cybersecurity strategies, 11 per cent were from the healthcare industry.

Impact of cybercrime

(INFOGRAPHIC: Microsoft and Frost & Sullivan)

The highest economic impact of cybercrime was found to be the loss of customers. Three out of five cybersecurity attacks against healthcare organisations over the last 12 months have resulted in job losses across different functions, the study revealed.

More than three in five healthcare organisations across Asia-Pacific also delayed the progress of digital transformation projects due to the fear of cyberattacks.

“With more and more healthcare organisations in Asia-Pacific moving beyond digitisation into transformation and rallying with innovation, building a strong foundation with security and compliance has become critical,” said Kenny Yeo, industry principal of cybersecurity at Frost & Sullivan.

“Embedding security and privacy into all aspects of digital interactions is not an option anymore – it needs to be mandated, and even more so for healthcare organisations as they handle sensitive and confidential data.”

Patient data a ‘lucrative target’

The press release also noted that the availability of vast amounts of patient data also brings new cybersecurity challenges as these organisations “increasingly become a lucrative target for cybercriminals”.

Web defacement and data exfiltration have the highest impact and often result in the slowest recovery time, it added.

The latter can disrupt important online services, such as medical appointments, as well as prevent patients from accessing vital information on medical conditions and treatments.

“Cybercriminals are constantly trying to infiltrate organisations’ systems to steal proprietary intellectual property as well as patients’ personally identifiable information to sell in the underground economy,” said the press release.

Losing patients’ sensitive health data can lead to irreparable reputational damage, loss of trust and churn, it added.

Few building cybersecurity strategy

The study also found that only 18 per cent of healthcare organisations which had encountered cyberthreats considered building a cybersecurity strategy prior to initiating a digital transformation project, as compared to 33 per cent of organisations that had not experienced any cyberattack.

The remaining respondents either thought about cybersecurity only after the commencement of digital transformation projects or did not consider it at all.

“While healthcare organisations in Asia-Pacific are committed to the digital transformation of their business, it is as critical for them to be prepared to deal with cybersecurity threats that are growing more sophisticated and a regulatory environment that is getting more stringent,” said Keren Priyadarshini, regional business lead for worldwide health at Microsoft Asia.

“With cybercriminals increasingly targeting health organisations, keeping patient information and other sensitive data secure while preserving privacy, maintaining the data’s confidentiality, integrity, and availability should be a key priority for healthcare organisations,” she added.

Attacks in Singapore

The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during Singapore’s worst-ever cyberattack, which occurred between 27 June and 4 July last year.

The data comprised patients’ demographic records and the dispensed medication records of about 159,000 individuals. Lee’s personal and outpatient medication data was specifically targeted and repeatedly accessed.

Local authorities have declined to elaborate on the identity of the attacker.

However, according to a redacted report by a Committee of Inquiry (COI), the attacker bore the characteristics of an Advanced Persistent Threat group. Such outfits usually gain access to a network and remain undetected for extended periods of time.

In the report released on 10 January, the COI established that the attacker first gained access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations before moving laterally in the network several months later.

During the COI hearings, which were held from September to November 2018, details of numerous lapses by Integrated Health Information Systems (IHis) staff were revealed.

For example, a veteran IHis database administrator had not immediately recognised that the multiple failed attempts to log in to the SingHealth database she encountered on 4 July amounted to a “serious security incident”.

The COI also concluded that IHiS staff did not have “adequate levels of cybersecurity awareness, training and resources” and that some key appointment holders failed to take “appropriate, effective or timely action”.

More Singapore stories:

ERP charges at three gantries to be removed during peak morning hours

Singaporean jailed 7 weeks for evading NS for over 3 years

Singaporeans to enjoy automated immigration clearance in New Zealand