Existing cybersecurity frameworks for healthcare across Asia-Pacific are not suited for remote care management. 

This is based on a new report by the Asia Pacific Medical Technology Association (APACMed) and L.E.K. Consulting which looked into the cybersecurity landscape of the region and how policies and other measures apply in the rising remote care segment. 

WHY IT MATTERS

Healthcare cybersecurity frameworks across APAC nations, the report noted, are "not fully adapted" to remote care solutions nor are these harmonised across jurisdictions. 

While policies allow data transfer between and beyond hospitals, these protections are also "not well-established" and challenges persist in enforcing them. 

Meanwhile, the regulation of medical devices that support remote care is "not as stringent as that of standard hardware medical devices," raising risks of data breaches.  

The report stressed the urgent need for the region to tailor these existing cybersecurity frameworks to support remote care management. A targeted approach may be "essential" to protect patient data and mitigate risks of cyber incidences, it said. 

An interesting suggestion from the report is a policy ensuring assessment for each medical device for remote care is customised based on their risk level instead of applying a blanket assessment process. It shall identify and classify the data collected and develop customised risk management strategies for each type of health data. 

"For example, [medical devices for remote care] connected to a network are at higher risk of data leakage compared to medical devices that are not connected to a network. Hence, for medical devices with lower risk levels, less stringent assessment processes can be applied to ensure sufficient innovation and competition in the remote care medical device market," the report further explained.

Current cybersecurity frameworks, the report said, can be localised based on existing national remote care environments. They can also follow globally accepted industry standards, such as the United States Department of Commerce's National Institute of Standards and Technology Cybersecurity Framework, General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act, to make global solutions rapidly available to local markets and allow local developers to quickly scale abroad.

As also recommended, these existing frameworks must be recognised across APAC jurisdictions; these can be translated into "clear technical requirements" for healthcare providers, manufacturers, and other stakeholders. A "consistent, transparent compliance and enforcement mechanisms" must also be established.

"Potential regulatory enhancements include introducing an integrated risk management program, incidence response protocol and mitigation measures, supplier cybersecurity requirements and enforcement measures to promote device security and competition," the report added.

In the long term, policymakers are encouraged to actively engage with their counterparts in other countries, as well as with industry experts to further refine their cybersecurity framework for remote care management. They should also look at funding partnerships among stakeholders. 

THE LARGER CONTEXT

The APAC remote care market, which is further segmented into telemedicine, health IT and analytics, and mobile health, has seen 15% annual growth since 2016; it can still grow to 20% each year until 2031, the report noted. Its growth is mainly driven by its affordability, increased adoption among healthcare providers, growing awareness among patients, an emphasis on new models of care (particularly telemedicine), and expanded use cases by manufacturers. 

The importance of implementing cybersecurity policies specific to remote care management cannot be overemphasised given healthcare's high susceptibility to cyberattacks. In recent years, APAC recorded high-profile data breaches, including the cases of private insurer Medibank in Australia, Waikato District Health Board in New Zealand, Fullerton Health in Singapore, OT&P Healthcare Group in Hong Kong, and India's COVID-19 vaccination platform CoWIN. 

"In comparison to other regions, APAC markets are generally still in the early stages of developing remote care management-specific cybersecurity frameworks. The maturity level of these frameworks remains relatively nascent, highlighting the need for continued efforts to establish robust regulatory measures and comprehensive cybersecurity frameworks that are tailored specifically to the unique challenges of [remote care management] in the APAC region," the APACMed and L.E.K. report emphasised.