After a fatal incident caused by a ransomware attack, Hong Kong still isn’t taking cybersecurity seriously – even though life is on the line.
The first reported death caused by a cyberattack in a German hospital has raised the alarm for the future security of healthcare facilities, but it seems like Hong Kong has yet to catch on.
On 17 September, the University Hospital Düsseldorf suffered a ransomware attack that shut down its IT system. Consequently, a woman in life-threatening condition was turned away by the hospital and sent to another roughly 32 kilometres away, causing a treatment delay that resulted in her death.
Similar non-fatal incidents have happened before. In 2017, a worldwide cyberattack was launched against different countries. The ransomware attack, dubbed “WannaCry”, encrypted files and data on Windows computers and demanded ransom payment for decryption. While many were affected by the attack, the healthcare industry was specifically hit. In the UK, hospital services were temporarily suspended as hospitals were not able to access patient records.
These incidents sparked discussion on healthcare cybersecurity. Hong Kong’s healthcare system was not affected by the ransomware attack, but it could be vulnerable to similar security breaches down the line, according to Michael Gazeley, Managing Director and Co-founder of Network Box Corporation, a Managed Security Service Provider.
“At some point, if the [cyberattack pattern] holds true, Hong Kong would end up getting hit one day too. And in the vast majority of organisations in Hong Kong, there really is almost no thought or planning that goes into cybersecurity,” Mr Gazeley tells Harbour Times.
He notes that the management of organisations in Hong Kong should make sure data is restored as fast as possible when they encounter cyberattacks. He also points to the potential negative outcomes for organisations that fail to protect their data.
Mr Gazeley poses the following hypothetical question that needs to be considered in a worst-case scenario: “If those people grab all my client’s information and other things that are private and publish it, what’s going to happen to my organisation?”
Network Box Corporation has emphasised the importance of cybersecurity to organisations in Hong Kong for over 20 years. Unfortunately, they have not been very successful.
“[The management] sees buying or investing in cybersecurity equipment and services as a cost and they don’t see immediate return from it. It’s very short-sighted because if everything is stopped or if their data is stolen, that’s a massive blow,” says Mr Gazeley.
He further explains that the healthcare industry would be hit harder than others if a cyberattack were launched against it.
“If you’re a lawyer and you lose your data, it’s very annoying but you’re perhaps not going to die. But if a hospital gets locked down and you can’t have a clinical operation because their system doesn’t function, then you could die,” he posits.
Joshua Chu, a lawyer who previously worked as the head of IT with Evangel Hospital, states that one of the key issues the Hospital Authority needs to address is to ensure the data flow integrity of patients going back and forth between private and public institutions.
“Patient data are, after all, some of the most sensitive information out there with the consequences of inadvertent risks ranging from embarrassment to real damage to potentially being fatal,” Mr Chu adds.
He also notes that more measures should be taken to improve Hong Kong’s healthcare cybersecurity. These include ensuring the risk of unauthorised access is largely mitigated and, where there are risks, making sure all access can be traced so that victims will have recourse.
Harbour Times has reached out to The Hospital Authority for comment, but a representative has yet to respond.