ITEM: Cyber attacks can be so costly to healthcare organizations in Asia Pacific that many of them are delaying digital transformation projects, according to a new Frost & Sullivan study.
The study – commissioned by Microsoft – calculates the cost of cyberattacks using an economic loss model created by F&S based on insights shared by survey respondents, and takes into account both direct financial losses (including loss of productivity, fines, remediation costs, etc) and indirect losses such as loss of customers and reputational damage.
F&S estimates that a large healthcare organization in APAC stands to suffer an average of $23.3 million in economic losses due to a cyber attack, while mid-sized organizations face average economic losses of $17,000.
Notably, the biggest factor in those numbers was customer churn – which isn’t surprising, given that the most devastating types of attacks last year were web defacement and data theft.
The latter is fairly obvious – at a time when Facebook and other companies are making headlines for letting customer data fall into the wrong hands (and that’s as a consequence of their business model, not from data being stolen), customers are even more concerned about their personal medical data being exposed online, and have higher expectations of healthcare organizations to protect it. Also, as the F&S study points out, criminals aren’t just after personal data – they’re also targeting proprietary intellectual property.
Web defacement may not sound that serious as far as customer relations go, but it’s become a major issue for healthcare organizations as they move more services to the digital realm, from providing vital medical information to scheduling appointments and arranging for prescription top-ups.
In fact, the study found, 65% of healthcare organizations surveyed said they had “actually delayed the progress of digital transformation projects” due to the fear of cyber attacks.
That’s actually consistent with other verticals covered by the F&S/Microsoft survey – 60% of retail organizations and 63% of financial services firms in Asia Pacific have delayed digital transformation progress due to cybersecurity concerns, according to the report.
Which is ironic, since one of the hallmarks of any decent digital transformation project is – or at least is supposed to be – a security-by-design approach rather than the traditional bolt-on afterthought. But the majority of respondents either didn’t think about cyber security until well after the project commenced – or didn’t think about it at all. The 42% of organizations that looked at cyber security from a tactical standpoint saw it as merely a defense against cyber attacks – less than 20% viewed cyber security as a business differentiator or a digital transformation enabler.
Complicating things is the finding that where cyber security has been implemented, the solutions being deployed are insanely complex, due to the assumption that having a bigger portfolio of cybersecurity solutions makes you more secure. This isn’t always the case, and in the case of healthcare organizations, the complexity of managing a large portfolio of cyber security solutions often results in longer recovery time from cyber attacks, the report says:
… [50%] of the healthcare organizations with more than 50 cybersecurity solutions took more than a day to recover from cyberattacks, while 79% of organizations with 11 to 25 solutions required less than an hour.
This being a Microsoft-sponsored study, it looks at adoption of AI – not just for improving efficiency and workflow but also for strengthening organizations’ cyber security postures. The good news is that 81% of surveyed healthcare organizations “have either adopted or are considering an AI-based approach to enhance their cybersecurity strategy.”
On the other hand, a fat lot of good that’s going to do them if they’re putting their digital transformation programs on hold, unless they’re doing so to rethink the security aspect of their transformation plans – which is a good idea.
But it will likely take more than simply rejigging the plan to add security to the mix. As Kenny Yeo, F&S’s Industry Principal of Cyber Security, notes: “Embedding security and privacy into all aspects of digital interactions is not an option anymore – it needs to be mandated, and even more so for healthcare organizations as they handle sensitive and confidential data.”
That could mean scrapping the transformation project entirely and starting over – which is a tough business call. Still, with up to $23 million in losses and brand damage on the line, healthcare organization chiefs will have to make that age-old decision over which is the bigger tradeoff – spending the money to get security right, or getting hacked eventually, writing off the loss and hoping customers have short memories.