Close this search box.

We are creating some awesome events for you. Kindly bear with us.

EXCLUSIVE – Cyberthreats are a business risk – Communicating the message to senior management in healthcare

EXCLUSIVE - Cyberthreats are a business risk - Communicating the message to senior management in healthcare

The first instalment of a two-part OpenGov Breakfast Leadership Dialogue series on “Expanding Cybersecurity Threats in the Healthcare Sector” was held in Sydney on the 17th of August. Select officials from the public and private health care areas in New South Wales participated in this invitation-only, closed-door session.

The healthcare industry is on the cusp of a technology-driven metamorphosis. Hospitals and healthcare agencies operate in a complex network of patients, doctors, nurses, pharmacists, technicians and administrators.

This web is being turned into a connected network by advances in ICT. In addition to long-gestating advances like telemedicine, IoT in the form of wearable devices, unprecedented volumes of big data, and the flexibility of clouds have the potential to irrevocably transform thinking and operations in the sector. The pace of change is only going to accelerate, and along with the sophistication, number and speed of threats. 

Mt. Mohit Sagar, Editor-in-chief of OpenGov Asia, kicked off the conversation asking the participating executives what keeps them awake at night.

The responses ranged from concerns over data confidentiality, end-user education, consistency in policies, resource constraints and constantly evolving threat situation.

An apt analogy of Swiss Cheese came up in view of the proliferating number of security vulnerabilities.

Cybersecurity healthcare Opengov

Mr. Sagar summarised the current threat landscape and talked about insider threats and Dwell Time, the time elapsed from infection to remediation. Dwell time is the key metric which demonstrates the preparedness of an organisation for security incidents. Currently it is at dismal 205 days. 

Mr. Guy Eilon, Country Manager of Forcepoint in Australia, stressed the importance of awareness and education and highlighted three primary risks he sees dominating conversations. The first is the evolving business environment driving decisions such as moving to the cloud. IT is not usually involved in the decision-making and consequently, security becomes an add-on, an afterthought. Secondly, over 90% of security investment is directed at external threats, but majority threats are internal, whether malicious or accidental.

Last but not the least, was the added complexity from profusion of vendors and products in the market. How do you manage the hundreds of thousands of logs obtained from different systems?

Guest Speaker, Mr. Lim Soo Tong, CIO of Jurong Health Services (JHS), under Integrated Health Information Services, an IT organisation under the Ministry of Health, presented the Singapore perspective on security in health IT. He started by talking about the agencies responsible, and the different levels of framework, right on from a body under the Prime Minister’s Office to one level lower at the Ministry of Health then implementation level policies and guidelines at the level of IHiS.

Mr. Soo Tong shared his experience on initially allowing Bring your Own Device (BYOD) but gradually realising that even with security measures and policies, potential gaps for data leakages remain too many to plug. JHS is considering revoking BYOD privileges by the end of August, 2016.

He also tackled the issue of network segmentation. His preference would be to provide controlled/limited access, with users allowed to log on to a dynamic list of white-listed sites, in contrast with blacklisting. When questioned by a participant over the number of remote users, he explained the difficulty of knowing the exact number.

Dialogue questions and discussion

The very first question posed to the delegates regarding the main driver for their information security expenditure sparked off a fascinating discussion. The overwhelming favourite was “Protecting criticial assets from being compromised”, garnering 86% of the vote. 

“Compliance with laws and regulations” came a distant second at 14%. Adam Vaughan, from Wolper Hospital and Chatswood Private pointed out patient privacy laws are in place but are not enforced yet. That will change soon and regulations might become an important driver for security expenditure decisions. Peter Bates from St. Vincent’s Health said that laws and regulations might help to get things done.

There were no votes for the option “Protecting the organisation’s reputation” reflecting the way IT and cybersecurity is viewed in many organisations.
Mr. Sagar asked if IT is viewed as an expense or an investment. Majority of delegates agreed that IT operations are still looked at as an expense, even in the era of high-profile digital transformation projects. Tens of millions of dollars might be spent on a project, but there is little thought or budgeting devoted to day-to-day operations.

Cybersecurity healthcare Opengov

The conversation moved to how best ICT professionals can present the case for security to the Board or Senior Management. A case has to be made for IT and IT security as a business enabler.

The next question was about the security threats causing maximum concern. “Data identity thefts” was the top choice with 43% of the delegates selecting it. In response, Mr. Eilon mentioned that 65% of data leakages worldwide happen due to insider incidents, mostly accidental.

Mr. Jason Mitchell from Primary Healthcare gave an idea of the volume of data being stored by healthcare bodies. They hold on to data for decades, not disposing off even one X-ray. Currently in most organisations this data is stored in a de-centralised fashion, in many different systems, leading to huge security concerns.

Shifting the data to centralised storage might be the best option if “All Data” has to be secured. It is difficult to sift through and classify the data.

The discussion moved to user behaviour and how timely alerts might make the difference between a catastrophe causing massive financial and reputational damage and prevention or containment. For instance, if one person suddenly starts handling 20 patient records daily, up from 5 earlier, it could be an alert. It might be a regular, approved change in that individual’s responsibility and authorisation. But it might very well be an erroneous access expansion. Each such small mistake could open up a new potential point of data leakage in the system.

“Process/ system failures” and “Employee negligence” obtained 29% and 14% votes respectively. Randeep Rana, Head of Technology from HCF Insurance spoke about how there needs to be shift from reacting after the event to planning and prevention. Regarding the point of employee behaviour, most delegates said that from their observations, employees will click on external links, irrespective of security training. It’s a kind of social reaction. 

Following questions on challenges with security architecture and important security measures, the dialogue circled back to the issue of communicating the urgency of acting on escalating risks to senior management.

The consensus was that the case has to be made by the people who are aware of the systems and the environment, namely the ICT executives. But it has to be simplified and put forth in a language the business heads can understand.

Anecdotal evidence shows that the mentality of Boards is changing gradually. In 71% of the attendee’s organisations, the ultimate responsibility for security lies with the relevant Minister/CEO/President, which in itself is a huge step forward.

But in 28% of organisations attending the dialogue the onus is still laid on CIOs, CSOs or Heads of Security. Moreover, 33% do not formally evaluate effectiveness of security spend.

Approaches to IT risk management are not changing fast enough. Cybersecurity is still frequently viewed as an IT Problem. But it is a matter of Business Risk. A thorough risk assessment by an external third party could make all the difference, demonstrating the risks in lucid, easy-to-understand terms, providing undeniable evidence and the decisive push in the right direction.  


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.