This is only one part of the technological changes under way. The Internet of Things and big data are driving positive disruption worldwide in healthcare and other industries; in Singapore, a few institutions are already examining how mobility might save time, money, and trouble for procedures that don’t need an in-person visit. But there is a catch, Jeffrey Kok believes: there are warning signs on this expressway to digital health management that must not be ignored.
Cyberattacks
One catch is this: more digital data means more possibilities for cyberattacks. According to Kok, in last year’s CyberArk Global Advanced Threat Landscape Survey, 61% of the survey respondents from the U.S., Europe (France, Germany, and the United Kingdom), Israel, and Asia Pacific (Australia, New Zealand, Singapore) stated that attacks impacting healthcare and hospital services are viewed as potentially the most catastrophic threat.
IoT devices easily hacked
The main concern here is the ease with which IoT devices can be hacked. IoT devices are potentially the most vulnerable targets for cyber attackers today, because of the very nature of their connectedness, the personal information they store, and the general lack of security protocols.
IoT devices, like all digital technologies, come with administrative privileges to provide a certain level of security. However, we often overlook the need to change the factory default password on such devices – and default passwords are elementary and easy to hack.
Potential damage
The potential damage from hacked IoT devices includes the loss of personal, private patient data, as well as the opening of a gateway into the larger hospital system. Certainly, online repositories of data enable nurses and other professionals to easily provide advice remotely, but what if cyber attackers should get access to such data?
What’s more, the abovementioned survey revealed that 53% of the organisations (across all sectors) surveyed still store privileged and administrative passwords in a Word document or spreadsheet, whilst 39% use a shared server or USB stick. These passwords are easily stolen or lost.
A further threat is allowing third-party vendors access to internal networks. Organisations often overlook remote access controls, leaving an open door into the network. Singapore is the worst performer in this area, with 26% of Singaporean enterprises neglecting to secure third-party vendor access and 33% not monitoring at all.
Shared responsibility
Kok doesn’t just state possible threats; he also comes up with some countermeasures: well-defined steps that organisations can take to manage these risks. For one thing, allowing IoT devices to communicate openly and freely can no longer continue. Whilst it is the responsibility of the vendors to make securing their devices easy – and industry-enforced standards and regulations may be necessary to enforce these practices – administrative privilege must be managed by both the customer and vendor.
Staff training is another critical area.
A study by Ponemon Institute recently reported that 56% of security practitioners surveyed said company insiders are the primary cause of security breaches – not due to malicious actors, but simply bad security habits (like storing passwords in Word documents). The first line of defence against the well-intentioned insider is awareness and training. All employees should be educated to understand the risks, organisational policies, and the reasons for those policies.
Other areas of concern
Privileged accounts are another area of concern, says Kok. The lack of accountability and protection of privileged accounts is most often exploited by cyber attackers. The benefits of protective controls and detection capabilities on privileged accounts and credentials should not be overlooked, as part of a comprehensive security strategy.
‘Finally, consumers must play their part by a determined and consistent effort to adopt best practices. These include changing default passwords on IoT devices, keeping firmware updated, choosing more secured & supported IoT devices, being aware of phishing attacks, and avoiding sharing of private information and passwords.’