Your People Remain The Weakest Link
The human factor in cybersecurity is a conversation that never gets old, and today's cybersecurity panel at the Smart Health Summit in Johannesburg was no exception. It is particularly poignant when you keep in mind that health data is far more prone to attack, from every direction, than data in any other industry, including the banking sector.
Many people lack awareness of cybersecurity risks and best practices. They may not be familiar with common threats such as phishing, social engineering, or malware, making them more susceptible to falling victim to cyberattacks. Throw in human error. Even with the best intentions, individuals can inadvertently click on malicious links, download infected files, or share sensitive information with unauthorised parties. These errors can create vulnerabilities and open the door to cyber threats. Cybercriminals also make it a point to exploit human psychology and manipulate individuals through social engineering techniques. They may impersonate trusted individuals or organisations, create a sense of urgency, or appeal to emotions to trick people into revealing sensitive information or performing actions that compromise security.
How many times have you reset your password and used the same one, or barely varied it, across multiple accounts? Multi-factor authentication secures accounts, and not using it leaves them more vulnerable to unauthorised access. Hacked? Although it does not apply to all cybersecurity incidents, insiders with malicious intent can pose a significant risk to organisations. Employees or contractors who have authorised access to sensitive systems and data may intentionally misuse their privileges or compromise security measures.
Organisations also tend to overlook the importance of cybersecurity training and education for their employees. All their employees. Without proper training in identifying and responding to cyber threats, employees are not likely to recognise and mitigate potential risks. It doesn’t help that there is an overreliance on technology. While technical solutions are critical, relying on them alone without considering human factors is a mistake. Cybersecurity is a shared responsibility that involves both technology and human awareness and actions. With proper training, employees are more effective defenders against cyber threats, which greatly reduces their vulnerability as the weakest link.
Dr Grant Newton, CEO of CDE Healthcare, remarked on what the experience is like on the ground: “There is still that deer-in-the-headlights feeling among practitioners. Cybersecurity is perceived as though it is often only geared towards big businesses. Think about it. How many medical practitioners have actually had a penetration test in their private practice that is about the human element as much as the cyber element?”
Telehealth also introduces risks with its innovativeness. Wearables, for instance, are connected to smartphones, constantly transmitting data that comes with unmissable cybersecurity risks. Prof Fathima Paruk from the University of the Witwatersrand observed, “I am very concerned about both internal and external breaches, but what worries me is who is accountable, and once the breaches occur, you can’t stop the train. We have disaster planning management in medicine, but we don’t have that in the IT community.”
Dr Rolan Christian, CEO of Care Connect, falls back on ISO certification, which he says is “meant to assure clients.” ISO certification demonstrates that an organisation has implemented and maintained effective management systems and practices aligned with the requirements established by the specific ISO standard. It indicates that the organisation follows internationally recognised best practices, ensuring it meets certain criteria.
In addition, he said, “Choose a methodology and framework specific to their business including penetration testing, and incorporate staff education to prevent them from being a weak link in the phishing scheme. After we complied, we found that attacks were happening around people because that was the entry point. We had to make people understand everyone’s data was now available on the internet.”
Add to that auditing. “No one loves that, but we had to know if we are adhering to the frameworks and constitution we put in place. Spend money on finding the loopholes. We complied as much as we could and used that to give our stakeholders assurances. Granted, it takes resources away from what you should be doing, but it is necessary to do it.”
How, though? Peter Kanda, CIO of Gertrude’s Children’s Hospital, said, “Go for an independent IT guy, then deploy the solution. There’s been a lot of talk about standards and frameworks like HIPAA. It is cheaper to do a vulnerability test as opposed to handling a data breach. I say take 20 per cent of the IT budget and channel it completely towards security. The biggest threat is actually internal for both small businesses and large corporations.”
Grant believes cybersecurity would not be such a vulnerability if one simple thing were done: dumbing down all the tech speak. “Start with a small process, and it is important to dumb it down a bit for clinicians, help them understand the holes. AI is going to help because it will make things cheaper and easier. At the same time, we must also not underestimate quantum computing. It’s coming. And I don’t think we appreciate that. Quantum wants to stretch across 2,000 doctors to collect your data, so you want to use it like you would a big corporate. So, don’t take it lightly.”
In conclusion, make sure your platform of choice is secure and compliant with data privacy laws, and do your homework on that. No matter what you do, however, you are best served by remembering that it is the people who are the weak point.