As Singapore’s healthcare sector recovers from its second biggest data leak in less than a year, caused by a slip-up by a third-party vendor, one of the questions on many people’s minds is whether organisations should outsource IT jobs.
On one hand, third-party vendors are supposedly more specialised in the role that they are engaged to fulfil and should diligently keep data safe from harm. On the other hand, in many cases, outsourcing IT jobs is a more prudent approach to keeping costs low.
So how can a healthcare organisation have the best of both worlds while minimising the chance of similar incidents happening?
Here’s Yeo Siang Tiong, General Manager of Southeast Asia at Kaspersky Lab, sharing his thoughts on the recent cyber-security lapses; insights into why the healthcare sector is a hotbed for cyber attacks; and what can be done to vendors when their lapses result in a data breach.
Whether IT tasks are performed by the vendor or in-house, the challenge has always been managing an infrastructure built over diverse and overlapping technology waves, often with gaps between the layers that enable hacker access. Legacy systems, especially those more than a decade old, are extremely vulnerable and often integrated too deeply into an organisation’s infrastructure to be replaced. As security threats intensify over the coming years, replacing these systems with modern IT must be a priority.
To fully evaluate and raise an organisation’s level of cyberthreat immunity, it’s essential that organisations ensure that the vendor clearly understands the processes involved in the day-to-day operations of the different players in the healthcare sector, the nature of the systems to be defended, their key assets and the impact a successful attack could have. The prevention of generic attacks should go hand in hand with developing effective protection, detection and response mechanisms against targeted attacks.
Safeguards for the safety and security of systems and data
It is better for organisations to ensure they have a combination of the following:
- A professional IT team: a team that is dedicated to overseeing the company’s IT networks and cybersecurity-related assets and is well-versed in the latest trends and threats.
- Implementing holistic security solutions: it is almost crucial to note that companies should not just implement security solutions on the perimeter but also internally, across the network.
- Ensure everyone follows the best security practices: educate your staff on the dos and don’ts of proper company protocols to ensure their actions will not make the company vulnerable.
Healthcare sector, a hotbed for cyberattacks
Healthcare IT systems have become attractive targets for cybercriminals. That is because healthcare organisations are increasingly holding more and more lucrative patient data — personal and financial information that cybercriminals can use to commit identity fraud.
As more critical medical equipment and devices move online, the stakes for security are high — malicious actors hijacking and controlling them could have deadly consequences.
If not tackled effectively, security concerns could hamper the development of mobile and wearable devices, which have exploded on the healthcare scene in recent years. Cloud-powered and enabled by the ubiquity of smart mobile devices and online storage, these tools have the potential to transform preventative and outpatient care.
We are heartened that the Singapore government is stepping up its cybersecurity processes and taking the necessary steps to show how companies should take cybersecurity seriously. Healthcare institutions are among the organisations that the public place the most trust in, especially as they hold personal data and confidential health information. The danger must be taken seriously, as the average cost of a data breach now stands at $1.23 million, 25% higher than losses 1-2 years ago. In light of potential financial losses coupled with a tainted reputation, it is more crucial than ever for the health industry to beef up and invest in holistic and multilayer cybersecurity capability. This is critical for Singapore to be a truly Smart Nation. We hope this incident will serve as a lesson not just for the healthcare industry but also for all companies and institutions that prevention and early detection of attacks is a must.
Possible legal ramifications when a vendor is involved in a data breach
In response to the growing threat to data security, regulators in literally every jurisdiction have enacted or are scrambling to enact laws and regulations to impose data security and privacy obligations on businesses. Even within a single jurisdiction, a number of government entities may all have authority to take action against a business that fails to comply with applicable standards.
A single security breach may subject a business to enforcement actions from a wide range of regulators, not to mention possible claims for damages by customers, business partners, shareholders, and others. The U.S., for example, uses a sector-based approach to protect the privacy and security of personal information. Other approaches, for example in the European Union, provide a unified standard but offer heightened protection for certain types of highly sensitive information (e.g., healthcare information, union membership, etc.). Actual implementation of the standards into law is dependent on the member country.
Even if liability is relatively limited, the vendor’s business reputation may be irreparably harmed by the adverse publicity and the loss of confidence among customers and the vendor’s partners.