Siloam Hospitals’ cybersecurity approach amidst evolving threats
Mr Yuan Yudistira, Head of Information Security at Siloam Hospitals Group, discusses building a resilient security framework, especially as the group migrates to the cloud
Information and data security is one of the top imperatives for healthcare executives today, given the sensitivity and volume of data handled by any individual healthcare facility, and the continued rise in cyberattacks on the industry.
Siloam Hospitals is the largest private hospital operator in Indonesia, with over 41 hospitals and numerous clinics. We speak to Mr Yuan Yudistira, Head of Information Security – who oversees cybersecurity strategy, policy and implementation across all Siloam facilities – about his cybersecurity priorities and plans ahead.
Q: What are the key information security strategies you have implemented at Siloam?
Mr Yudistira: We make sure to follow the standard cybersecurity frameworks that have already been established and are proven in preventing cyberattacks or information breaches.
When we first started creating our security programme, we followed the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, and ISO 27000 (a series of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission).
We also invited a consultant to develop a framework and combined that with the NIST and ISO standards.
We then developed a yearly roadmap for the implementation. This will be a project that keeps on moving and progressing because the challenges to cybersecurity will never end.
Q: What are the main cybersecurity projects you are working on currently?
Mr Yudistira: This year, Siloam Hospitals group hit a major milestone – we have just migrated our core applications to the cloud. This includes the Hospital Information System, Laboratory Information System, Radiology Information System, and back office systems.
The migration of course impacts the security. We have to make sure the migration itself is safe, and also understand the different risks which come with different environments. For cloud security, we have ensured compliance with standards using cloud security posture management (CSPM).
Cloud offers a very complete set of tools we can use to move faster and shorten time to market. In our current configuration, we have an automatic scale up function – so if we need more resources, it will add more resources. Cloud will also automatically apply our basic hygiene policy which makes it easier for us. But for now we do need to familiarise ourselves with cloud services. It is still new for most of us who are more used to on-prem services.
Q: What are your main goals over the next year or so, especially with your new cloud infrastructure?
Mr Yudistira: We need to create the cloud-first security architecture, as we still have some dependency on on-prem. We also need to modernise applications using serverless, container-based approaches.
Then there is applying DevSecOps (development, security, and operations; a framework that integrates security throughout the entire IT lifecycle); as well as automating security testing and shifting security testing to the left – or sooner in the software and application development phase.
Q: Looking at the wider security landscape in healthcare, do you see risks continuing to increase in the future? How should hospitals tackle this?
Mr Yudistira: From our security monitoring, we see that attacks never stop. Our Security Operation Centre processes thousands of logs every day from various sources, such as devices, software and users. If they see any validated attacks, they create a security ticket and escalate it to our second layer of incident response. We see roughly 50 security tickets every two weeks.
There are different types of security control that we do. In terms of administrative security control, we conduct security awareness, for example through user onboarding, newsletters or campaigns. We also have technical security control, to make sure users are given only the access they need.
About twice a year, we do a phishing (simulation) campaign, where we test whether users still click on suspicious links in emails. We do have email security which should block most phishing emails, but there is still a low possibility of these emails landing in users’ inboxes, so it is important to do user awareness.
Q: Do you see the rise of Artificial Intelligence (AI) changing healthcare cybersecurity?
Mr Yudistira: Attackers can use AI to craft “real-looking” campaigns that drive people to click on malicious links. But at the same time, AI can also be used to boost security, for example in threat hunting (analysis of large volumes of data in real-time to identify threats).
Another use case is in addressing brute force attacks (where attackers use trial and error to crack passwords and credentials). In the existing method, there is a threshold for the number of failed log-ins within minutes. But this can be overcome by advanced attackers who make sure the logins will not trigger the alarm. Modern technology such as AI may be able to understand human behaviour and tell whether the actions are by humans or robots (and allow quick action to be taken).
So yes, AI can be used by the bad guys, but we can also use it to enhance and speed up security.