4 cyber priorities for Hong Kong’s hospitals
By Yun Xuan Poon
Interview with Fuller Yu, Chief Information Security Officer of Hong Kong’s Hospital Authority.
As the world wrestles with the pandemic, much of healthcare will continue to be delivered digitally. Hospitals are rethinking their cyber defenses to ensure nothing comes in the way of saving lives.
Hong Kong, for one, believes AI will be a crucial part of healthcare’s defense strategy. Fuller Yu, Chief Information Security Officer of Hong Kong's Hospital Authority, shares four priorities for securing its public hospitals and clinics.
1. Sniff out intruders with AI
Healthcare needs a fundamental shift in its cyber strategy, believes Yu. Rather than fencing themselves in with firewall after firewall, hospitals need to assume intruders have already made it past their peripheral guards.
“This is not an ‘if’ question. It’s a ‘when’ question,” he says. IT teams need to constantly look for intruders and amp up their detection capabilities.
This is where AI can help. With the volume and speed of data collection today, security officials can bring in AI to analyse and understand trends. It can then flag uncommon behaviour, Yu notes.
For instance, if a nurse who only needs to access the clinical system suddenly logs into finance accounts, it may be a sign of trouble.
Healthcare providers around the world have also turned to AI to boost their cybersecurity defenses. Halifax Health, a nonprofit hospital based in Florida, uses AI in firewalls to detect inconspicuous attacks. Tech giant IBM has built an AI tool to speed up routine security assessments and cut response times, wrote HealthTech Magazine.
2. Protect medical devices
Hospital Authority’s second priority is securing its medical devices. These machines collect reams of valuable, sensitive patient data, but often run on outdated and buggy systems, Yu says.
This makes them highly vulnerable to hackers. Once attackers enter a medical device, they could shut entire healthcare systems down.
The stakes are high. “Lots of healthcare institutions have undergone a paperless transformation” and brought their services online, notes Yu. Crashing these systems could bring healthcare to a grinding halt.
These medical devices often run on external systems, which complicates security. “We have no actual control of those medical devices because they’re often from vendors,” he says. A neglectful vendor could be sending an already-compromised device to the hospital networks.
IT teams will need to conduct internal assessments regularly and ensure vendors meet the hospital’s minimum security standards, Yu notes. Top US government agencies were recently breached because they used faulty products from cybersecurity company SolarWinds - the same could befall healthcare.
3. Make employees part of the defence
Third, Hospital Authority will focus on increasing employees’ cyber awareness. “More than 90 per cent of cyber incidents start with phishing attacks” that target individuals, Yu shares.
Yu’s team will run phishing drills for staff. IT teams send out bogus emails, and employees who fall for the ruse would be prompted to revisit cybersecurity training materials. “Make them a part of the defense, rather than the weakest link,” says Yu.
[blockquote]“Make [employees] a part of the defense, rather than the weakest link."[/blockquote]
The Authority has created online training programmes, which will become mandatory for all staff, he says. These come in bite-sized, 15-minute videos to make cyber hygiene relatable and fun. For instance, these teach staff to identify the four techniques phishing emails often use to lure unsuspecting victims in: greed, curiosity, urgency, fear.
Yu’s office also shares the latest news on online scams, such as Whatsapp fraud tactics, along with what to do when employees receive suspicious messages. It even provides tips on how to secure home networks, since more people are working remotely.
4. Collaborate
Collaborations are key in responding to attacks, says Yu. “The faster we can share intelligence, the faster we can prepare for the next attack.” After all, cyber attacks often span countries.
The Hospital Authority is part of the Global Digital Health Partnership, which helps governments and healthcare organisations in the shift to digital care. Hong Kong, along with the World Health Organisation, is one of the founding members of the alliance.
Cybersecurity is one of its key focus areas. It will work on developing an international early warning and alert system, and building a platform to share best cyber practices, wrote the Partnership’s website.
The Hong Kong Computer Emergency Response Team Coordination Centre has also partnered with Microsoft to launch the city’s first Healthcare Cyber Security Watch Programme in 2019. It will keep Hong Kong’s healthcare sector updated on the latest cyber risks, wrote Microsoft.
As the healthcare sector focuses on delivering vaccines and saving lives, it must also think about protecting its networks from scheming hackers looking to take their systems down. For Hong Kong, AI, training and collaborations will be key for their strategy.