Axess Health | Blog

Cyber security: health establishments across board still ill-prepared…

Written by Roy Watson | Jun 6, 2023 7:09:42 AM

Moderator Neil Kinsley with (from left) Dr Newton, Prof Paruk, Peter Kanda and Dr Christian

Moderated by AxessHealth CEO, Neil Kinsley, the discussions highlighted the fact that, in most quarters, there were still questions around the continent’s preparedness for health system cyber security issues.

“Cyber security systems around the world are often only geared towards big business, big hospitals and big pharma,” Newton added, after getting little or no response from the audience when asking how often those in practice had had security penetration tests.

“You have people in the practice inadvertently allowing data to go out, placing that data in a phishing environment and therefore quite easy to use subversively against both the practice and the patient.”

This, Newton indicated, represented a huge health data security risk: “Also a problem is it is where we have the least amount of activity happening.”

Picking up on this, moderator Kinsley acknowledged that security risks around telehealth in particular were now becoming well understood, but what about other tools such as wearables and those being applied in specialist health environments?

“The question is how do we manage security,” Prof Fathima Paruk, Professor and Head of Critical Care at the University of Pretoria, posed in response.

Earlier Prof Paruk, who is also the co-chair of the Africa Telehealth Collaboration, had presented a comprehensive appraisal of the use of AI in the critical care environment at her city’s Steve Biko Hospital in a talk on “Tele-ICU: Redefining and Transforming Healthcare”.

“We understand the risks that come with the benefits from technology, but what worries me is who is accountable when breaches occur. When they do occur we can’t stop the train!” she exclaimed, stressing that this was the type of management from an IT perspective that such institutions didn’t have as yet.

“We are really ill-prepared as a community.”

On the matter of security breaches, Peter Kanda, Chief Information Officer at Gertrude’s Children’s Hospital in Nairobi, Kenya, volunteered that it was cheaper to do a vulnerability test than to handle a data breach: “Go for an independent IT guy, then deploy the solution,” he suggested.

“There’s been a lot of talk about standards and frameworks like HIPAA (the USA’s Health Insurance Portability and Accountability Act).

“I say take 20 per cent of the IT budget and channel it completely towards security,” he said, reiterating that the biggest threat was actually internal sources across the healthcare board.

Similar sentiments were shared by Care Connect CEO, Dr Rolan Christian, in his discussion contribution, highlighting the fact that his organisation had found that attacks were happening around people “because that was the entry point”: “We had to make people understand everyone’s data was now available on the internet.”

His advice to stakeholders, therefore, was that they must choose a methodology and framework specific to their business – including penetration testing – and incorporate staff education to prevent staff from being a weak link in the phishing scheme.

“Spend money on finding the loopholes. Granted, it takes resources away from what you should be doing, but it is necessary to do it!”