A Frost & Sullivan study commissioned by Microsoft found that a cyberattack incident can cost a large healthcare organization in Asia Pacific an average of US$23.3 million in economic loss. For mid-sized healthcare organizations, the average economic loss was US$17,000. The study further revealed the highest economic impact of cybercrime was loss of customers and three out of five (60%) cybersecurity attacks against healthcare organizations over the last 12 months have resulted in job losses across different functions.
While the impact of data vulnerabilities and breaches can be costly and damaging to both healthcare organizations and their consumers, the study uncovered that almost half (45) of healthcare organizations in Asia Pacific had either experienced a security incident or were not sure if they had had a security incident as they had not performed proper forensics or data breach assessment. The study further revealed that instead of accelerating digital transformation to bolster their cybersecurity strategy to defend against future cyberattacks, more than three in five (65%) healthcare organizations across Asia Pacific had actually delayed the progress of digital transformation projects due to the fear of cyberattacks. Delaying digital transformation not only limits the healthcare organizations ability to reduce attack surface against multiple attacks but also prevents them from leveraging advanced technologies, such as artificial intelligence (AI), to detect and protect against sophisticated cyberattacks. Furthermore, digital transformation delays also hinder an organizations’ ability to better engage with patients, empower care teams, optimize clinical and operational effectiveness, and transform the care continuum.
These findings are part of “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” study launched in May 2018. The findings aim to provide business and IT decision makers in the healthcare sector with insights on the economic cost of cyberattacks and to help to identify any gaps in their cybersecurity strategies.
The initial study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organizations (250 to 499 employees) to large-sized organizations (>than 500 employees), of which 11% belong to the healthcare industry.
In calculating the cost of cyberattacks, Frost & Sullivan created an economic loss model based on the insights shared by the respondents. This model factors in two kinds of losses which could result from a cybersecurity breach:
- Direct: Financial losses associated with a cybersecurity incident which includes loss of productivity, fines, remediation cost, etc; and
- Indirect: The opportunity cost to the organization such as customer churn due to reputational damage.
“With more and more healthcare organizations in Asia Pacific moving beyond digitization into transformation and rallying with innovation, building a strong foundation with security and compliance has become critical,” said Kenny Yeo, Industry Principal, Cyber Security, Frost & Sullivan. “Embedding security and privacy into all aspects of digital interactions is not an option anymore – it needs to be mandated, and even more so for healthcare organizations as they handle sensitive and confidential data,” he added.
Key Cyberthreats and Gaps in Healthcare Organizations’ Cybersecurity Approaches
While the availability of vast amounts of patient data is essential for healthcare organizations to innovate and turn the lifesaving potential of new research discoveries into reality, it also brings new cybersecurity challenges as these organizations increasingly become a lucrative target for cybercriminals.
Among the multitude of cyberthreats that healthcare organizations face, web defacement and data exfiltration have the highest impact and often result in the slowest recovery time:
- As healthcare organizations increasingly rely on online platforms to engage patients, the danger of web defacement is greater than before. It can disrupt important online services, such as medical appointments and medicine top-ups arrangements, as well as prevent patients from accessing vital information on medical conditions and treatments; and
- Data exfiltration has a very severe impact on healthcare organizations. Cybercriminals are constantly trying to infiltrate organizations’ systems to steal proprietary intellectual property (IP) as well as patients’ personally identifiable information (PII) to sell in the underground economy. Losing patients’ sensitive health data can lead to irreparable reputational damage, loss of trust and churn.
Besides external threats, the study also uncovered that many healthcare organizations’ security posture is being undermined by archaic approaches to cybersecurity:
- Tactical viewpoint towards cybersecurity: Despite the growing incidents of cyberattacks, the study revealed that a significant number of respondents (42%) have a tactical view of cybersecurity – to “only” safeguard the organization against cyberattacks. Less than one in five (19%) viewed cybersecurity as a business differentiator and an enabler for digital transformation.
- Security as an afterthought: As healthcare organizations do not see cybersecurity as an enabler for digital transformation, they usually apply security elements in a “bolt-on” fashion which hinders their ability to build a “secure-by-design” digital project, leading to cybersecurity risks and vulnerabilities.
The study further revealed that only 18% of healthcare organizations who had encountered cyberthreats considered “building” a cybersecurity strategy prior to initiating a digital transformation project, as compared to 33% of organizations that had not experienced any cyberattack. The remaining respondents either thought about cybersecurity only after the commencement of digital transformation projects or did not consider cybersecurity at all.
- Complex security environment impeding recovery time: Contrary to popular belief, a large portfolio of cybersecurity solutions may not be a good solution to bolster cybersecurity. In reality, the complexity of managing a large portfolio of cybersecurity solutions may lead to longer recovery time from cyberattacks.
The study showed that half (50%) of the healthcare organizations with more than 50 cybersecurity solutions took more than a day to recover from cyberattacks, while 79% of organizations with 11 to 25 solutions required less than an hour.
“Innovative technologies are dramatically shifting the way healthcare organizations can become more efficient, effective, and productive. However, as technology advances at a fast pace, so do cyberthreats,” said Keren Priyadarshini, Regional Business Lead, Worldwide Health, Microsoft Asia. “While Healthcare organizations in Asia Pacific are committed to the digital transformation of their business, it is as critical for them to be prepared to deal with cybersecurity threats that are growing more sophisticated and a regulatory environment that is getting more stringent.”
“With cybercriminals increasingly targeting health organizations, keeping patient information and other sensitive data secure while preserving privacy, maintaining the data’s confidentiality, integrity, and availability should be a key priority for healthcare organizations,” added Keren.
Bolstering Cybersecurity Using Artifical Intelligence
More and more healthcare organizations are relying on AI-powered systems and cognitive services to improve medical professionals’ efficiency and workflow and enhance clinical expertise at scale. Similarly, they are also leveraging AI to augment the security capabilities of their systems and strengthen the effectiveness of their cybersecurity teams. The study revealed that four out of five (81%) healthcare organizations have either adopted or are considering an AI-based approach to enhance their cybersecurity strategy.
“An AI-driven cybersecurity architecture can help healthcare organizations to increase the number of detections which would otherwise be missed while providing data signal interpretations and recommended actions for cybersecurity professionals. Such systems are particularly critical for healthcare organizations that are undergoing digital transformation journey as huge volumes of data in the cloud can be analyzed rapidly for security threats,” concluded Keren.
To understand the cost of cyberattacks in organizations across Asia Pacific, click here.
For more information on the cost and impact of cyberattacks across the different vertical sectors across Asia Pacific, Please visit:
Learn more on how Microsoft is helping modern enterprises stay secure in a digital world here.