A year back, hospital administrators at a trust-run hospital in Mumbai found their systems locked, with an encrypted message by the cyber attackers demanding ransom in Bitcoins to unlock it. The hospital lost 15 days’ data related to bill payments and patient history. In an interview with Viveka Roychowdhury, Shomiron Dasgupta, CEO, DNIF, rues the fact that given this scenario, hospitals in India spend around 5 per cent or even less of their budget on IT security while banks in India spend around 15-20 per cent of their budget on IT security. As the COVID-19 pandemic has seen a sudden shift to digital healthcare services, he warns that these are prone to cyberattacks since the EHRs are shared through an insecure network with multiple users. The sector is also vulnerable to medjacking of medical devices such as MRI, ventilators
The COVID-19 pandemic has seen an increased dependence on the migration of healthcare delivery systems to the digital realm, be it telemedicine for doctor-patient consultations to electronic health records, etc. As infection levels are projected to rise and fall over the next year, there is an explosion of health data. Are hospitals and healthcare systems in India capable of supporting this increased load?
The Indian healthcare sector is blooming to become the sixth-largest market globally as predicted by the Indian Pharmaceutical Congress. Maintenance of Electronic Health Records (EHR) is a new adoption in the Indian healthcare industry, which consists of patients’ past medical history, recent tests and diagnosis, progress, and medications. They are combined in a single database to reduce the incidence of medical errors and redundant tests, thus reducing delays in treatment, also helping patients to make well-informed decisions and streamlining clinical workflow. The medical sector in India is technologically advancing and so are the risks. In the black market, stolen medical records hold a higher value than credit card numbers. The medical data sold consists of sensitive information like date of birth, policy numbers, payment, and billing details. The consequences of theft lead to the creation of fake identities and the launch of other illicit activities. Unlike hospitals, banks can immediately block accounts if any suspicious activity is detected. The medical identity theft detection in the healthcare industry is not quick, giving hackers adequate time to cause more damage. Banks in India spend 15-20 per cent of their budget on IT security, while a hospital may only spend 5 per cent or even less, which poses a challenge to cybersecurity becoming a focal point in the healthcare sector.
In June 2019, a trust-run hospital in Mumbai was affected by a cyber-attack where the hospital administrators found their systems locked, with an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. The hospital had lost 15 days’ data related to bill payments and patient history. Digitisation in the Indian healthcare sector is taking baby steps but lack of awareness about cyberattacks and safeguarding medical data are still at a nascent stage.
Which means that hospitals in India do not as yet have the systems in place to protect patient confidentiality and themselves from data theft?
As said, the concern of cybersecurity in healthcare is at a nascent stage in India. We need a robust framework to prevent medical data breaches. In Indian healthcare organisations, there are two kinds of patient information: patient identification information and health information. This information is handled by different departments and information systems. The patients do not have ownership of their medical information and third-party administrators are the ones who control the health data locally. The technologies offered by third-party administrators to healthcare organisations to share data are making it susceptible to various attacks by malware, cyberattacks, and ultimately, leading to severe data breaches.
To help threats in the healthcare industry, DNIF, our Big data platform allows scalable architecture for integrating large volumes of data generated from emails, endpoint logs, and network logs. It can also integrate with all types of Electronic Medical Records (EMR) applications that allow more insights into low-level transactional details. With healthcare-specific visualisation, our dashboards can offer a rich set of use cases to detect cyber threats. DNIF Next-Gen SIEM works beyond the signature-based detection of a conventional SIEM solution to hunt hidden threats in the healthcare IT infrastructure. DNIF reports can be customised basis the organisational needs and give critical input for managerial decisions.
The Indian Computer Emergency Response Team has reportedly warned about the possibility of a major phishing attack, where cybercriminals plan to gather the email ids of 2 million Indian citizens with an email having the subject line ‘COVID Free Testing’ which impersonates an established medical institution. What are the other lures being used by hackers to dupe doctors, patients, and healthcare administration staff?
Healthcare professionals are at the forefront of battling the Coronavirus and are at a high risk of getting infected. With more emphasis on minimising physical interactions, several hospitals and start-ups are providing health consultations online. A study says that the healthcare IT market is expected to reach USD 390.7 billion market shares by 2024, with a 15.8 per cent forecast CAGR growth. The lockdown since March saw a 500 per cent rise in online doctor consultations. However, every innovation comes with hidden risks. Digital healthcare services are prone to cyberattacks since the EHRs are shared through an insecure network with multiple users, which are susceptible to being compromised by malware. This scooping of information results in committing fraud, identity theft, or credit card scams. They can also alter the data in the dashboard by changing the patient’s appointment time, changing medical history, or changing the drug doses prescribed, which can be life-threatening. The hackers might launch attacks on newly introduced, less secure e-medical portals and might impersonate a trusted healthcare provider to entice the helpless consumers to click on malicious emails.
Masks, sanitisers, and PPE kits are the need of the hour for hospitals and they require these in bulk. However, cybercriminals are capitalising on this opportunity by luring the hospitals to click on emails informing about fake discount offers.
Explain the concept of ‘medjacking’. What are the red flags of such incidents?
Medjacking is a medical device hijack. This hijack can allow attackers to create backdoors in hospital networks and exploit the main healthcare systems by breaking into the unpatched and outdated medical devices. Hackers are aware of the fact that medical devices have no such threat detection mechanism thus giving them no visibility or control. Medical devices such as MRI, ventilators and are directly connected to computers and once they get a hold of the devices, it might lead to them getting access to all the vital medical records. The consequences of hacking devices can lead to the display of faulty results giving incorrect diagnosis and even jeopardising patients’ life, also maligning the reputation of the equipment manufacturer.
How can patients, healthcare practitioners, and institutions detect and protect themselves from such threats?
As technology advances, the sophistication of attacks becomes intense and sooner or later your organisation is going to be cyber-attacked. Here are some ways to protect you and your organisation.
- Practising good cyber hygiene: Lack of employee diligence makes systems vulnerable to hacking. It is important to make employees selective and cognizant about malicious emails with sensational email headlines and unexpected email attachments or emails from an unknown or untrusted source with the subject line ‘Breaking news’.
- Building firewalls of protection: Organisations should create a balance among prevention, detection, and containment, and proactively build firewalls of protection as well as implement detective controls and response mechanisms.
- Virtual Private Network: A Virtual Private Network is a tool that provides a pathway that makes your communication and other online activities secured. A VPN configuration ensures that the privacy of data and interactions exchanged over the web are secured.
What role can the Government play in such a scenario, besides implementing a similar strategy for public healthcare institutions?
The adoption of tech advancements and digitisation in the healthcare industry is taking place gradually in India. The Government of India has established the National Critical Information Infrastructure Protection Centre under the amendment of the provisions of section 70A of the Information Technology (IT) Act, 2000 which conducts cybersecurity exercises to keep a check of the cybersecurity status and preparedness of the sectors. The sectors it considers critical are power and energy, banking, financial services and insurance, telecom, transport, strategic and public enterprises. With the emergence of telemedicine portals and healthcare going online, the government should now consider the healthcare sector prone to cyberattacks and should conduct regular workshops to make healthcare institutions cognizant of cyber hygiene. The government should appoint Chief Information Security Officers who can identify the security requirements that come up with each technological innovation.