Lines Of Defence
The boom in cloud technology in the 21st century offers a wealth of benefits. Businesses using the cloud can save time and money while boosting efficiency and profits. Everyday lives are made easier and more comfortable in a wealth of spheres from travel to healthcare.
But if there's a downside, then it's the risk of cyber attacks. Kok-Tin Gan, Partner, Cyber Security and Privacy of PwC Hong Kong, says that the current tech landscape has seen a rise in cyber attacks in the last few years. “These have been targeted at all kinds of business from banks to travel and chain stores.”
“A notable trend is that more attacks have been aimed at small to medium enterprises, some of which do not have enough resources or investment to do something about them,” says Kok-Tin. “Whereas larger enterprises have more strength and power to combat cyber attacks. In order to successfully deal with cyber attacks, every business, whether large or small, must ensure that they have the right investment, training and facilities.”
High target for cyber criminals - Tourism, Bank, Healthcare
Global cyber attacks can strike anywhere, including Hong Kong and other Asian countries. But as Chalee Vorakulpipat, Head of Cyber Security, National Electronics and Computer Technology Centre (NECTEC), explains, the tourism industry is a notable area of vulnerability. “Hong Kong is one of the main destinations for tourists from around the world, so the tourism industry is dependent upon reliable computer systems such as an online reservation and payment system. If these systems are attacked, not only can the tourists not access the systems, but they will also no longer trust them, resulting in them choosing to visit another country.”
In terms of which industries are most affected by cyber attacks, Chalee says that this is dependent on how much each industry invests in security protection. “Basically, attackers need a motivation to attack. If an industry exhibits a lot of system vulnerabilities, mostly due to low investment, and an attack on it can have an impact at the national level, this industry will be the main target. In most cases, critical infrastructure sectors meet these criteria.”
Banks are still a high target for cyber criminals, as Kok-Tin Gan explains. “Because more people bank online today, areas such as money transfer and stocks are targeted by cyber criminals. Last year saw a lot of attacks and hacks on stock making companies.”
Another risk area is healthcare. “In the Smart Healthcare and Smart Hospitals of the future, smart medical devices and applications are connected to form the 'Internet of Medical Things', or IoMT, in short,” says Bryan So, Principal Consultant (Smart Healthcare, MedTech & Optics), Hong Kong Productivity Council. “Smart enabling technologies (for example, smart health analytics of critical vital signals, digital persona for chronic disease management, and AI-health management) permeate the whole network, which are linked by data exchange platforms.”
Bryan explains that with IoMT in place, the medical services will benefit from improved quality and enhanced efficiency. But the ever-increasing network interfaces and growing volume of data flowing across various untrusted or non-standardised security networks will also put the sector at the mercy of cyber criminals. “The disruption of medical and healthcare services, loss of critical data such as patient’s medical history, delays in treatment, or even fatal accidents can be some of the undesirable results. Therefore, sound cyber security capabilities are critical for medical professionals to ensure their service quality in the smart era.”
In recent years, there have been several cyber attacks targeting the local healthcare sector. A 2014 example saw the personal details and health history of more than 10,000 liver and digestive disease patients forcibly encrypted in a ransom attack. In 2016, the Immunisation Record System of the Department of Health’s Clinical Information Management System was suspected to have been intruded upon. “The hacker had possibly gained access to the temporary files generated under the system, which involved about 17,000 files of personal and clinical information of clients of the Department,” says Bryan.
“These cyber attacks pose different impacts to relevant stakeholders,” says Bryan. “For example, local device manufacturers may not have sufficient knowledge in implementing the appropriate cyber security measures due to the product and risk management concerns. This may hinder the IoMT product realisation.”
“Some medical device distributors may not be fully aware of the potential loopholes during the installation and maintenance of connected devices, which may lead to the increase in cyber security vulnerability to the users’ environment.”
Common kinds of cyber attack - availability and privacy attacks, phishing, ransomware
Common forms of cyber attacks today include attacks on availability, such as DDoS, and attacks on privacy. “Attacking availability of critical infrastructure such as telecommunications, hospitals and banks, resulting in out-of-service violations, can have huge impacts on the country and its people in terms of financial loss, safety loss, and loss of life,” says Chalee Vorakulpipat. “Also, attacking privacy can threaten homeland security and be highly related to legal issues. The best example is a case where a hospital discloses a patient's sensitive information to a third party without permission.”
Another of the most common kinds of cyber attack is phishing. “This is one of the easiest and most effective methods of getting into an organisation and creating disruption,” says Kok-Tin Gan.
One of the most common forms of cyber attacks on hospitals or clinics is ransomware, described by Bryan So as “a malicious software that encrypts or removes access to computer files until the payment is made to the attackers.”
“Multiple healthcare organisations or hospitals worldwide have been reported to be the victims of ransomware attacks, with massive loss or encryption of patients’ information or medical history.”
“For example, in May last year, the WannaCry ransomware attack created chaos to tens of thousands of computers in over 150 countries. In the UK alone, over a third of its public health networks were affected by the attack. Victimised hospitals were unable to access basic medical records. At least 6,900 patient appointments and surgical operations were cancelled as a result.”
This form of attack can have a huge impact on healthcare organisations, as it can grow from a fringe cyber attack into one with widespread effect. “With one of the prominent characteristics of extremely quick encryption by the ransomware, a large amount of information can be affected within a short period of time,” says Bryan. “As a result, hospitals or healthcare organisations cannot operate functionally and smoothly with the inaccessibility of information.”
Ways to keep you safe from cyber attacks
The good news, though, is that there are many measures to successfully combat cyber attacks. Bryan So lists a number of examples: “Applying good password policy and strong authentication technologies to deter account compromise; implementing network segmentation of infrastructure and privileged account management to reduce the attack surfaces; and effective operational procedures such as regular security patching to close security loopholes of healthcare devices.”
“Also, cyber security awareness training shall be organised to update stakeholders with contemporary security cyber threats and the latest knowledge in cyber defence.”
With regards to the future, in the long run, Bryan concludes that cyber security still poses numerous threats towards the healthcare industry from various aspects. These threats range from the adoption of electronic health record systems without up-to-date security control and the high-risk information sharing platform across end-point devices, to the heterogeneous systems with different security levels connected to the same networked system: “All in all, more channels mean more opportunities for the hackers to gain access into the system.”
As well as this, Bryan adds that the increase in the sophistication and variety of cyber attacks presents another long-term threat to the safe cyber environment of the healthcare industry.
So to minimise the risk of cyber attacks, the healthcare industry should speedily equip itself with adequate knowledge, skills and resources. “For example, the organisation may incorporate more cyber security consideration in network architecture design,” says Bryan. “Also, a dedicated security incident response team can be set up to provide a more effective response to tackle cyber security breaches within the healthcare organisation.”
“Awareness and capability trainings are also recommended to all relevant stakeholders to enhance their understanding of the underlying principle of cyber security and preventive measures to weed out the chance of cyber attacks.”
Chalee Vorakulpipat says that people need to understand the importance of cybersecurity protection and prevention. It should start from the top-level management, and security should be implemented using a top-down approach. “This ensures that the top-level management explicitly shows the direction on cybersecurity, so it is easy to enable any security programs.”
Because the threat of cyber attacks has become more serious in the last few years, Kok-Tin Gan concludes that a greater global understanding of this problem is required in order to take future action. “We have seen more high target organisations affected by cyber criminals, and one of the most unsettling aspects is that these attacks can happen from anywhere around the world.”
“So to help do something about future attacks, globally, we all need to co-operate. We need to have a greater understanding of the impact that such an attack can have. It's a scary thing having money or valuable information stolen. What global society needs to do is to understand the root cause of cyber attacks and analyse their nature.”
“By having a greater understanding and awareness, we can be better prepared for future attacks and take the relevant steps to prevent them from occurring in the future.”