Are you afraid of the dark web?

Digital technologies such as cloud-computing, block-chain and big data are changing the way government and industry use medical information in India. This calls for an urgent need to invest intensively in cyber security. Without data security and privacy laws, medical records in India are highly vulnerable

Way back in 2004, when Apple Inc’s enigmatic leader, Steve Jobs’ discovered about his unusually pancreatic cancer, the company choose to shroud  this information in secrecy, thinking this might have an adverse effect on its stocks and brand image. Untill the year 2008, speculations about his ill health kept floating, howbeit; Jobs constant innovations subdued all hearsay.

Then, Fortune magazine published a story on his illness in 2008 and how Jobs underwent a liver transplant in an effort to retain as much of his organ function as possible after his cancer had spread beyond the pancreas. Soon after the news broke out of his illness, Apple’s stock fell by two per cent, mentioned a report published by the Silicon Valley Business Journal. Apple continued to keep mum about Jobs illness which according to some stock analysts was a safe bet for the company. Offcourse, after Jobs death Apples’ stocks did plunge to a certain extent. Nevertheless, Jobs by then had already trained Tim Cook to take his place and so the company managed to hold on its strengths.

But, imagine what if Jobs’ health information were leaked way back in 2004 when he was first time diagnosed with cancer? How would the world react to this news? How would the company’s stock perform then? Would people still have faith in the innovations Jobs introduced after his illness? Could the company afford to take that risk?

Well, experts believe that securing this information for some years was a good business decision. Moreover, knowing the influence that Jobs had over several people’s lives, it was imperative to maintain his privacy.

So, is there a lesson for us to learn from this?

Potentially, there is an important lesson to learn about security of information from this example. Secrecy and security of information enabled Apple to retain its position as a market leader in innovation. Although the company did witness a slight plunge in its stock when the news was broken out in 2008, Apple and Jobs still continued to influence the world in many ways. They also prevented the world from a sudden setback and held back investors’ trust. Similarly, security of health information is paramount not only for large business organisations or influential people but for  every individual, industry and to a nation at large. Putting it in perspective to the healthcare sector, security of health information is an extremely important subject to every healthcare provider. It is not just an IT responsibility but a business priority.

Why cyber security is important to healthcare organisations?

Breach of health informations can be extremely perilous. We all know that cyberattacks can damage reputations, destroy customer trust and affect revenues, but in the healthcare scenario it is certainly beyond these basics.

Rajesh Maurya

Says Rajesh Maurya, Regional VP, India & SAARC, Fortinet, “While stolen credit card information can be quickly remedied via cancellation, healthcare records have boundless shelf life. If put in the wrong hands, the information from healthcare records can be fraudulently used to obtain and pay for treatments, prescriptions, or even costly surgeries.”

Additionally, Harshil Doshi, Strategic Security Solutions Consulting – India, Forcepoint provides an insight from a recently released 2018 Forcepoint security Labs predictions report. “Data aggregators will be the new gold mine for hackers and the recent Equifax breach in the US was one such example. Likewise, the healthcare sector holds tremendous amount of critical data like personal information, financial details and medical records of patients which offer potential long- term value to cyber criminals. Stealing healthcare records will emerge as a lucrative target for hackers. Also, healthcare industry is one of the critical sectors where preventing access to IT systems can trigger life-and-death consequences for patients under care and making it urgent for healthcare provider to seek immediate resolution,” he discloses.

Well, Doshi’s observation is indeed accurate about healthcare increasing becoming the hackers delight. A case in point was when the International Association of Athletics Foundation (IAAF) in Monaco publicly disclosed that they were victims of a massive cyber attack. An interesting observation in this case was that what was stolen was not the credit card numbers of athletes but their therapeutic use exemption (TUE) data.

Ishaq Quadri

Ishaq Quadri, Group CIO – KIMS Hospital, reminds us of December 2014, Anthem – the US’s second largest healthcare insurer cyber attack. This was said to be one of the largest hack to hit the healthcare industry in the US suffered at that time. About 80 million patient records were stolen in one single cyber attack. In a report published by Reuters, the FBI had observed malicious actors targeting healthcare systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/ or Personally Identifiable Information (PII). These actors were seen targeting multiple companies in the healthcare and medical devices industry typically targeting valuable intellectual property, such as medical devices and equipment development data.

Similarly, the WannaCry ransomware attack this year crippled several healthcare institutions, hospitals  and healthcare systems around the world including UK’s NHS.  The NHS was said to be the worst hit. Hospitals and doctors in parts of England were forced to turn away patients and cancel appointments after they were infected with the ransomware, which scrambled data on computers and demanded payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies.

According to Identity Theft Resource Center, 35.4 per cent of the data breaches reported in 2015 were in the healthcare industry. In addition, Maurya updates on the statistics on global healthcare cyberattacks. “In 2015, more than 113 million medical records were breached. To put this in perspective, if each case were a single individual then almost all the citizens in India’s major cities would have fallen victims. In 2016, we saw a single cyber criminal advertise more than 600,000 healthcare patient records for sale on the dark web. The records included the victims’ full names, social security numbers, birth dates, and more, which could be used for fraudulent activities,” he mentioned.

This indicates that investing in cyber-security is crucial to healthcare organisations. More so because healthcare seems to be the new golden goose for the dark web as mentioned by experts.

The India problem

Harshil Doshi

“Information security in general in India is a neglected area. Many organisations are either unaware or under the false pretext that their infrastructure is safe, robust and tenable. More often than not, the IT Heads start and end with anti virus software and firewall deployment. Information security is misconstrued to be a technology problem that can easily be solved with updated anti virus and firewalls. Another misconception is that the threat originates from external sources. Managements also are not sensitive on this front as it is reflected in the poor budget allocation for information security, licensed software purchases, and in majority of the cases there is no investment in a full time information security expert,” opines Quadri.

The issue of cyber security in Indian healthcare is compounded by the fact that our country has the maximum number of smartphone users. For 2017, the number of smartphone users in India is estimated to reach 299.24 million, with the number of smartphone users worldwide forecast to exceed 2.3 billion users by 2022, according to Satista- a statistic provider portal. Secondly, patients, healthcare providers and disease management platforms these days  are all connected to the web wherein a continuous exchange of information leave enough room for privacy breach. Moreover, medical devices such as patient monitors and medication-infusing pumps—many of which are life-sustaining or life-supporting—are also connected to the Internet to enable quicker  access of medical records. However, such medical devices and other mobile health solutions can become a double-edged sword if security of data is not maintained.

“Cyber criminals understand that many hospitals, doctors, and insurers are simply not prepared to counter today’s sheer volume and sophistication of attacks, such as MEDJACK (Medical Device Hijack by hackers), social engineering, and ransomware. As more healthcare institutions move their data online to provide more efficient and effective patient care, cyber criminals will likely continue to eye the industry as their number one target. For many healthcare organisations, it’s not if they’ll be hacked, but rather when,” Maurya cautions.

Besides, he opines that stolen credit cards on the dark web may go for a dollar, two, or three. Social security numbers in the US on their own may go for somewhere around $15. However, complete healthcare records are gold mines, reportedly going for as much as $60 each.

When asked about the digital and electronic technologies that are more prone to hacking and data theft, Quadri informed, “As the number of devices and gadgets multiply so is the case with the types and varieties of cyber-attacks. When it comes to handheld devices Android is found to be more vulnerable than iOS from Apple. From an operating system perspective, Microsoft Windows is more prone to an attack than its Linux counterparts.”

So, how much should healthcare organisation invest in cyber security?

Investment in cyber security

Says  Doshi, “The healthcare industry in India has been lagging behind in cyber security investment as compared to most major industries. However, given the spate of cyber security incidents globally in the healthcare sector, there is a growing realisation amongst healthcare services providers in India to secure their critical data, especially against growing number of ransomware attacks.  Also, medical devices are also difficult-to-update and they continue to run outdated and vulnerable operating systems.”

Maurya spells out that the sector is expected to spend about $ 7.5 million on security solutions in 2018 up from $ 6.4 million in 2017 according to Frost & Sullivan and security spends will continue to grow at a CAGR of 12.5 per cent till 2021.  “Fortinet works with leading healthcare service providers in India and I would say that they’re on the right track in terms of staffing and intent. When looking at the specific problems, is healthcare on the right track when it comes to protecting medical records? I would say they are,” he adds.

Yet there is more to do. “There is a problem with Internet of Things (IoT) and for most medical devices manufacturers,  network security is not a priority. We’re going to see many more automated attacks being launched in 2018 that can penetrate healthcare organisations by moving from corporate networks into critical care networks. Healthcare needs to start building trusted intelligence into its automated defense solutions because it’s a primed attack surface,” he further enumerates.

Apart from investment in good quality cyber security solutions, healthcare organisations need to incorporate a robust and integrated security strategy.

Maurya expounds on the five pre-requisites that healthcare organisations, especially hospitals need to do while adopting cyber security solutions.

Maintain good network hygiene: Ensure security posture is up-to-date with prevention and detection measures as well as develop and maintain good network hygiene, which includes systematic patching and updating of vulnerable systems, and replacing outdated technologies that are no longer supported.
Implement Internal Segmentation Firewall (ISFW): CSIOs in healthcare organisations need to implement internal segmentation firewalls (ISFWs) as the landscape of networks is wide, open and flat.  ISFWs operate inside the network instead of at the edge, allowing healthcare organisations to intelligently segment networks between patients, administrators, healthcare professionals and guests. ISFW can also identify types of devices – for example, between a patient information system and a life-saving heart monitor or infusion pump. It can then prioritise interconnected medical devices that need the highest degrees of protection and monitoring, and inspect and monitor all traffic moving between segments, all without impacting performance.
Focus on visibility: People are always trying to build a fortress against an invisible enemy. Instead of building a wall, one should use threat intelligence solutions to understand attacker profiles and what tactics and procedures they employ, and then start intelligently defending based on that information. Prioritise security around critical assets of an organisation. Otherwise if an asset is ransomed or attacked by a distributed denial of service, it will cost your business substantially.
Interoperability: Once you understand your enemy and have built appropriate solutions, tighten up the time to defense. Use proactive solutions and look at ways to create interoperability. Most organisations have many different solutions from different providers. Strive to reduce that complexity by further integrating and consolidating existing security devices with a security framework that utilises advanced threat intelligence sharing and an open architecture.
Establish a dedicated team: A dedicated team should be put in place to uncover the latest threat intelligence so that real-time threat and mitigation updates can be made expeditiously, before cyber criminals take advantage of any weaknesses in connected IoT devices or the critical services they provide.

Need for privacy and data security regulations

Going forward, with the government considering to link Aadhaar cards for multiple-use cases including medical records, the need for India to critically analyse the data security aspects doubles.

Inadequacy in regulations for data security in the healthcare sector is a significant concern. According to experts, India for now should take note of the best practices of countries which have a mature medical records governance systems. Taking into account the extremely sensitive nature of medical information and the adverse impact a breach can have, the government needs to fast-track the Healthcare Data Privacy and Security Act.

Simultaneously, solution providers will need to constantly upgrade their solutions with the changing times to provide solutions that have a human-centric approach to solving a security challenge. There is also a need to research on the application and use of behavioural sciences to develop better healthcare security solutions for India.

raelene.kambli@expressindia.com