


Senior Writer

Cybersecurity in healthcare: It’s just not enough

Jun 08, 2017 | 4 mins
Healthcare Industry, Security

A recent finding revealed that Indian healthcare companies are spending less than 6 percent of the total IT budget on cybersecurity. Given the spate of recent cybersecurity attacks bringing the industry to its knees, is the healthcare sector a sitting duck for cyber thugs?

The worldwide spending on IT security is projected to increase 34 percent, reaching $101 billion by 2018. In comparison, the healthcare industry averages much lower, with less than six percent of the total IT budget being allocated to security.

What makes the situation even more precarious is that cybersecurity breaches are costing more. A Ponemon Institute survey revealed that security breaches are averaging $4 million an incident. The research goes on to highlight that the average cost per stolen record in the healthcare industry was $451. This is over twice the average global cost of a stolen record of $376.

However, healthcare organizations across the globe are sitting up and taking notice of the wide-scale implications of a cyber attack in their workplace.

The 2016 Harvey Nash-KPMG survey found that 52 percent of interviewed healthcare CIOs said they would be seeing IT budget increases in the next year.

IT spending has been listed as a top priority for healthcare executives in previous reports, which bodes well for the industry being able to keep Protected Health Information (PHI) secure.

It’s a common misconception that cyber criminals restrict their targets to the financial sector. But what happens when a bank is breached is that financial records are immediately sealed, and new records are generated for the individual. This is the action that financial institutions took when 3.2 million debit card records were compromised in 2016.

However, banks were able to get a grip on the situation by issuing new cards and a whole new set of credentials.

A discussion with Unique Kumar, CISO, Max Healthcare throws light on what CSOs in the healthcare space ought to do to mitigate risks and take back control.  

Do you think the healthcare sector should sit up and take cybersecurity more seriously?   

There are multiple factors to this: One is the need of security, and the other is the use case. But if you talk about cybersecurity, that is the need of the hour. However, what’s more important to know is the environment you’re working in.

In healthcare, customer data is very sensitive. So, the CISO needs to ensure that there are adequate controls in place to prevent a data breach.

The CISO needs to ensure that whatever needs to be done to protect this data is done. And that includes drafting a budget plan, sharing it with the management, getting it approved, and rolling it out.

“Companies are talking about cyber insurance today, and I see people opening up to it and adopting it. In the Indian scenario, a lot of CISOs are not turning to cyber insurance as the market is not mature enough.”


– Unique Kumar

CISO, Max Healthcare

Earlier, hospitals used hand-written prescriptions, but now with everything getting digitized, the need for security is paramount.

We need to understand and adopt technologies that are fit for the current environment.

The trend of cyber insurance in the healthcare cybersecurity space

Companies are talking about cyber insurance today, and I see people opening up to it and adopting it. But at the same time, a lot of CISOs are not turning to cyber insurance as the market is not mature enough.

Insurance still holds a stigma in the Indian market. People believe that taking out insurance bodes some sort of an unpleasant occurrence, and that keeps them away from it.

But as the market matures, there will be a boom in cybersecurity insurance in the Indian market. No one will be ready to bear the amount of risk.

Once healthcare records are compromised, there’s nothing that can be done to change that data. You simply cannot change or mask an individual’s blood group or health ailments now, can you?

What are your takeaways for CSOs in the healthcare sector?

I believe, in the future, budget forecasting will include the cost of cyber insurance. Companies need to explore cyber insurance and see whether it fits their needs.

The learning process is an ongoing process; every day, there’s a new learning. Each person in the leadership team must evaluate and be aware of what’s the sensitive data in the organization.

They must figure out what are the sensitive points and the loopholes in the system, and based on that, outline a strategy based on short-term and long-term goals.

For healthcare, it’s imperative that stringent controls are put in place for the applications where customer information is stored.

This content is part of a special series on IDG Security Day, a day-long global event, with the India chapter to be held in Mumbai on June 21, 2017.

We invite you to join the conversation at #IDGSecurityDay. To keep up with the latest on security, follow @cso_india on Twitter and @CSOOnlineIndia on FB.

Senior Writer

An avid observer and chronicler of emerging technologies with a keen eye on AI and cybersecurity. With wide-ranging experience in writing long-tail features, Soumik has written extensively on the automotive, manufacturing and BFSI sectors. In the past, he has anchored CSO Alert - CSO India's cybersecurity bulletin and been a part of several video features and interviews.
