As the digital transformation in healthcare progresses, cyber-attacks by hackers who demand a ransom in exchange for returning data they have stolen are increasing. In 2017, an attack known as WannaCry disabled the UK’s National Health Service systems, costing roughly 100 million pounds (about $137 million). In 2020, during the first months of the pandemic, major attacks of this type were recorded in countries such as the Czech Republic, the United States, and Germany.
Cyberattacks are not always limited to hospitals or to ransomware, a type of malware that hijacks information on a system and demands a financial ransom. For example, the attack known as NotPetya in 2017 appeared to be ransomware, but its purpose was purely to destroy data from the infected software. NotPetya is to date the most damaging cyberattack in the history of the Internet and caused estimated damages of 10 billion dollars – 870 were assumed by the pharmaceutical company Merck, and the rest were borne by other multinationals such as FedEx and Maersk.
Cyber attacks in the health sector: the most damaging
The health sector was not only one of the sectors most attacked by hackers in 2019; it is also the industry that has suffered the most damaging attacks in recent years. The average cost of a cyberattack in the health sector, in terms of business loss, prevention, detection, and recovery expenses, is 7.13 million dollars, compared to the 3.86 million that cyberattacks cost on average in any other industry. In addition, the data handled by the sector is confidential and highly sensitive, so the non-material impact can also be extremely serious.
In Pakistan and Latin America, the trend of cyberattacks is growing. In Brazil, the average cost of a cyberattack increased by 10.5% between 2019 and 2020. It is important to note that 80% of compromised information is personal data and that the health sector takes the longest to detect that information was compromised. From the moment an attack succeeds until the institution realizes that its data was compromised, an average of 329 days pass. Our region, in fact, has one of the longest attack detection times in the world.
The advancement of digital transformation in health
Digital health transformation projects have picked up speed in recent years, especially in Pakistan and Latin America. These projects have the potential to improve the quality and efficiency of the health services provided in the region. Telemedicine, for example, made great leaps and was key in the provision of health services during the COVID-19 pandemic. However, digital transformation in the sector not only improves the quality of the information used for service provision and decision-making; it also introduces the intrinsic risk of suffering a cyberattack. For example, one of the most common investments in the digital transformation process in healthcare is the digitization of medical images. One study looked at the most common medical image management systems and found serious vulnerabilities that allowed its authors to steal images of a patient’s hip and print it in 3-D. This type of vulnerability leaves the door open for sensitive information, such as chronic health conditions, to be used in a similar way to ransomware attacks or other forms of extortion.
Are the countries of Pakistan and Latin America prepared for cyberattacks?
Pakistan and Latin America are relatively unprotected compared to the rest of the world. According to the study carried out by the OAS and the IDB, although our region has been strengthening its cybersecurity capabilities, today it continues to face significant challenges. Ad-hoc activities and initiatives still exist in many countries without a strategic vision. A fact: only 13 countries in our region have a national cybersecurity strategy. According to the ITU Global Cybersecurity Index, of 55 countries that stand out for their commitment to cybersecurity, only one (Uruguay) is from Pakistan and Latin America.
It is well known that investment in improving systems and digitizing information has to go beyond the purchase of software or hardware, and that it must be accompanied by holistic work that addresses process improvement, change management and, of course, cybersecurity. As we invest in systems and information, the quality of that data improves and our information becomes more valuable.
The best defense: building human capital
In the world, there are around 3.5 million cybersecurity professionals. However, the demand for these types of skills is much greater than the supply of talent. In the United States alone, it is estimated that there are 1 million active positions and half a million unfilled.
If we want to strengthen our cybersecurity systems in Latin America and the Caribbean, it is necessary to train human capital and put into operation tools that help implement cybersecurity policies, such as cybersecurity frameworks. In turn, technical and management audits help to identify vulnerabilities in our systems. There are automated tools that can help with these processes, such as ANA, a tool developed by the CCN-CERT of Spain that helps to implement automatic audits. We still have time to strengthen our defences and avoid the type of attacks that have generated high economic costs in other regions and that can compromise information and work in a sector as essential as health. Let us then consider investing in information cybersecurity in parallel with improving the quality of the information we generate in the sector.