When I look more closely at the healthcare sector, I see that concerns about data security and protection of the environment are not much different from those in other segments of the economy (banking, e-commerce and others). Since 2018, when Law No. 13,787, which requires the digitization of patient records, came into force, cybersecurity concerns have increased significantly.
In an environment where connectivity is critical to healthcare operations, cybersecurity cannot be ignored. This is a shared responsibility that requires cooperation between different sectors. Additionally, since many attacks begin with human error, training healthcare professionals is one of the pillars of this defense.
Telemedicine is another point that affects security risks. Remote care, which has clear advantages in terms of ease of access to doctors and consultations and cost reduction for healthcare institutions, depends on the intensive use of data and the transmission of sensitive information; this raises legal concerns and important ethical questions regarding the LGPD (Law 13,709/18).
This Law also regulates the processing of personal data in Brazil and aims to protect the natural person's fundamental rights to freedom and privacy and the free development of their personality.
In recent years, the healthcare industry has become one of the main targets of cybercriminals. Ransomware attacks, phishing and exploits cause operational disruptions in hospitals and clinics, putting lives at risk.
Data theft, in particular, has proven to be a critical threat. In many cases, under pressure to urgently resume services, healthcare institutions are forced to agree to pay.
A study by Tenable in 2022 noted that more than 40 billion records were exposed worldwide in the previous year. In Brazil alone, the volume exceeded 815 million. The sectors most affected by security breaches globally were healthcare (24.7%), education (12.9%) and the public sector (10.8%). In Brazil the picture was slightly different: those most affected were the government (29.8%) and the financial sector (27%).
Two years later, this segment remains among the most attacked by cybercrime, and in Brazil its position has risen, now ranking third behind only the Services and Government sectors. This data is part of a survey conducted by Kaspersky. It also states that more than 106 thousand ransomware attack attempts were blocked in the country through May this year, and 6.5 thousand of these attempts targeted the healthcare sector.
The impact of a cyber attack on the healthcare industry is twofold. First, it compromises patient safety as diagnoses, treatments, and medical procedures may be delayed. Secondly, it affects the reputation and financial sustainability of the organization, which may face regulatory fines and lawsuits for personal data breaches.
Compliance and regulation
Compliance is a key responsibility for healthcare institutions, as the General Data Protection Law requires organizations to take technical and administrative measures to protect personal data. This includes enforcing security policies, access control, anonymizing data, and responding to security incidents.
Additionally, regulators require organizations to maintain an “active compliance posture,” meaning they continually assess and mitigate cybersecurity risks. This requires the adoption of practices such as periodic audits, employee training, threat monitoring and partnerships with cybersecurity companies.
To overcome these challenges, healthcare organizations need to take a proactive and ongoing approach to cybersecurity. Below I list some measures that can help with this process.
- Cyber risk assessment: Identify critical assets and assess relevant vulnerabilities. This allows you to prioritize areas that need more protection.
- Implementation of security controls: Adopt cutting-edge security solutions such as intrusion detection systems, data encryption and multi-factor authentication.
- Education and awareness: Ensure your employees recognize phishing attempts, understand the importance of compliance, and know how to respond to a security incident.
- Incident monitoring and response: Establish incident response teams and continuous monitoring systems to detect suspicious activity and respond quickly.
- Strategic partnerships: Work with companies that specialize in cybersecurity and with regulatory authorities to keep defenses up to date with new threats and regulatory requirements.
Protecting critical patient information and ensuring regulatory compliance is critical to maintaining institutions’ trust and operational integrity. Companies that invest in cybersecurity not only prevent financial and operational losses, but also provide a more reliable environment for patients and employees.
An example of effective cyber risk mitigation can be seen at Drogaria Araujo, the largest pharmacy chain in Minas Gerais and the fifth largest in Brazil. By adopting a strategic and integrated approach to cyber security, the company ensured operational continuity and achieved 25% cost savings by identifying and prioritizing critical vulnerabilities.
This model highlights how a proactive security view can not only protect sensitive data but also optimize resources and strengthen organizational resilience in the face of healthcare challenges.
****
Capella has been General Manager of Tenable in Brazil since June 2019. With more than 20 years of experience in the cybersecurity industry, he was responsible for opening and managing Palo Alto Networks in Brazil and previously ran IronPort's operations in the country. He also held management and business development roles at IBM, Xerox and Embratel. He holds a Business Administration degree from UFRJ and an MBA in Marketing and Strategies from the same institution.
Source: Tec Mundo

I am a passionate and hardworking journalist with an eye for detail. I specialize in the field of news reporting, and have been writing for Gadget Onus, a renowned online news site, since 2019. As the author of their Hot News section, I’m proud to be at the forefront of today’s headlines and current affairs.