Saudi Vision 2030: Cybersecurity through the lens of patient safety
Like the rest of the world during the pandemic, healthcare organisations in Saudi Arabia are no longer centralised, but are now spread across remote work settings, making them vulnerable to varied threats from unsuitable hardware and non-firewalled systems. This has been in tandem with Saudi Arabia's national strategy for digital transformation that has incorporated five-year goals for which three executive plans were drawn from 2006 until 2022, with digital health as one of its core components. Although strategies have been put in place to launch and fortify technologies such as user data collection, augmented reality and telehealth, questions around adequate protection against evolving cybersecurity threats posed to these technologies have certainly become a needed conversation in the current climate.
Dr Saif Abed, founding partner and director of cybersecurity advisory services at AbedGraham, explains how he thinks Saudi Arabia's strong investment in digitalisation has raised awareness around cyber-attacks: "Any time a significant investment is made to accelerate digital transformation you have to consider both benefits and risks associated with it. The strong track record of investment across the Middle East has clearly been successful when it comes to enhancing digital maturity and this now places the region in a strong position to make investments across people, processes and technology that can preserve patient safety and clinical services.
"At a time when the rest of the world is suffering from terrible cyber-attacks on healthcare and life sciences facilities, the Middle East has a strong foundation to counter this moving forward through increased awareness and action."
Global cybersecurity lessons
Looking globally at other regions and countries, there has been a rise in cyber-attacks since the pandemic began, particularly in healthcare, with ransomware attacks targeting hospitals and research facilities. According to a statement issued by global technology company Acronis, cybercriminals “will target the government agencies, healthcare facilities and medical professionals treating patients during the COVID-19 crisis,” after it found a surge in ransomware detections in Europe by up to seven per cent in the last week of February 2020, followed by a 10% increase the week after.
Global attitudes and action towards cybersecurity prevention have highlighted areas we can learn from with regard to successful approaches to cyber-attacks: "Globally, we must always be learning from one another irrespective of the region since we all have the same goal of preventing patient harm.
"Particularly interesting areas that I think the Middle East is in a position to learn more about, based on developments in the US and UK, include how to address medical IoT security and clinical risk analysis respectively," explains Abed.
"There are many emerging regulations, advisory statements and technologies in the market that are addressing medical IoT which the Middle East can act on. In terms of clinical risk analysis of network threats and vulnerabilities, this is an exciting emerging area that can turbocharge risk management for CISOs, CIOs and CMIOs across their organisations," adds Abed.
Digital maturity outgrowing security maturity
Digital maturity rapidly outgrowing security maturity during the pandemic has also been an area of concern for many healthcare organisations: "This is something I coined in a graphic I call the ‘Healthcare Maturity Paradox’," said Abed.
"Essentially, when digital maturity increases it’s normally not matched by an equal investment in security maturity and the gap between these two areas, or lines on a chart, is what makes healthcare organisations attractive targets for attackers. I call that the ‘Attacker’s Arbitrage Opportunity’.
"The best way to address this is to always ensure that, as part of an investment in a digital project, there is a baseline risk assessment conducted that captures clinical, organisational, financial and reputational damage risks and that investments are made based on this in people, processes and technology to preserve the security posture of a digital transformation initiative."
Resources and raising awareness
Multiple resources are now available, not just for technical members of the team but for other staff members across healthcare organisations, to prevent ransomware attacks and to raise awareness around the topic: "We’re fortunate today to have more resources than ever before when it comes to cybersecurity," notes Abed.
"HIMSS of course provides a treasure trove of resources in this area. There is also a range of agencies, such as the EU Cybersecurity Agency, MITRE and the FDA, that provide great information that is increasingly accessible at a non-technical level. Other than that, the best resource is often your peer group, so regional meetings and conferences are a great way to raise awareness and share best practice."
Furthermore, as awareness and education on the topic grows, cybersecurity in healthcare will also need to consequently evolve: "Firstly, healthcare organisations over time are going to have greater transparency of what’s on their network, because you can’t control what you don’t know about.
"Secondly, cybersecurity will stop being a technical subject and instead will be seen through the lens of patient safety and measurable business outcomes. That means more proactive and constructive engagement with non-technical senior stakeholders," concludes Abed.