Clearly, there is a lot of hullabaloo around cyber security for hospitals since the cyber-attack that crippled AIIMS Delhi was reported on November 23 last year. Even two months after the attack, the IT systems of the country’s premier hospital were not fully restored. Was the AIIMS incident a one-off cyber-attack on a hospital in India? The number of cyber-attacks on the Indian healthcare industry was second highest globally, with 7.7 % of total incidence on the segment being witnessed in the country in 2021, cyber security intelligence firm CloudSEK reported in September last year, months ahead of the AIIMS attack. Globally, the Healthcare sector is a top target for cyber attacks. In May 2017, the NHS, was brought to a standstill for several days due to the WannaCry ransomware outbreak, affecting hospitals and GP surgeries across England and Scotland. Although the NHS was not specifically targeted, the attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres.
So, what is there to steal from hospitals and why is the healthcare sector attractive to cyber attackers? Hospitals are attractive targets for cyber attackers mainly as most have weak cyber security infrastructure in place due to a lack of awareness of the risks involved and budget constraints. Cyber attackers choose the healthcare sector as they store a large amount of sensitive data, including patient information, medical records, and financial information. This information can be valuable to cyber criminals who can sell it on the dark web or use it to commit identity theft.
Hospitals and healthcare providers are vulnerable to a range of cyber-attacks, but some of the most commonly reported types of attacks include:
- Ransomware attacks: Ransomware attacks are a type of malware that encrypts files on a victim's computer and demands payment in exchange for the decryption key. Hospitals and healthcare providers are attractive targets for ransomware attacks because of the sensitive nature of the data they hold, and the potential impact on patient care if their systems are disrupted.
- Phishing attacks: Phishing attacks are a common tactic used by cybercriminals to steal sensitive information such as login credentials and personal data. Phishing emails can be difficult to distinguish from legitimate emails, and employees may inadvertently click on links or download attachments that contain malware.
- Distributed Denial of Service (DDoS) attacks: DDoS attacks are a type of cyber-attack where the attacker floods a target system with traffic in order to overwhelm it and cause it to crash or become unavailable. DDoS attacks can be used to disrupt hospital operations and cause significant downtime.
- Insider threats: Insider threats can come from employees or contractors who have access to sensitive data and systems. These threats can include accidental data breaches or deliberate malicious activity, such as stealing patient data or installing malware.
- Unpatched vulnerabilities: Hospitals and healthcare providers are often reliant on legacy systems and software that may have known vulnerabilities. Cybercriminals can exploit these vulnerabilities to gain unauthorized access to hospital systems or steal sensitive data.
There are several common mistakes that hospitals make which can make them vulnerable to cyber-attacks:
- Lack of cybersecurity awareness: Many hospitals do not prioritize cybersecurity awareness training for their employees, which can lead to human error and increase the risk of successful cyber attacks. Employees may unknowingly click on phishing emails, use weak passwords, or fall victim to social engineering tactics.
- Outdated software and systems: Hospitals may be using outdated or unsupported software and systems that are no longer receiving security patches or updates. This can leave vulnerabilities in the system that can be exploited by attackers.
- Poor network segmentation: Many hospitals have networks that are not properly segmented, meaning that sensitive patient data is accessible from multiple areas of the network. This can make it easier for attackers to move laterally within the network and gain access to critical systems and data.
- Lack of disaster recovery and business continuity planning: Hospitals need to have plans in place for disaster recovery and business continuity in the event of a cyber-attack. Without these plans, hospitals may not be able to quickly recover from an attack, resulting in prolonged downtime and potentially putting patient lives at risk.
- Insufficient access controls: Hospitals may not have sufficient access controls in place to limit the access of employees to sensitive patient data. This can make it easier for attackers to steal large amounts of data in a single attack.
Professional Advice for Hospitals to Act
In a panel discussion recently on cyber security solutions that a mid-size hospital should immediately deploy for securing their networks, Mr. Sourish Dey from Trisim Global Solutions which is a Kolkata headquartered Cyber Security solutions provider suggested that “ Hospital CISOs are implementing or upgrading two important tools. First is Network Management Software or NMS for complete visibility of the network and bandwidth and also for log management and patch management. Next is Security Information and Event Management Software or SIEM for collecting, analyzing, and correlating security-related data to detect and respond to security threats quickly. Both NMS and SIEM is essential for compliance to government guidelines and best practices. Along with that, we are advising hospitals to immediately move from legacy signature-based anti-virus for their workstations and servers to Next Generation and End-point security solutions that use a variety of techniques, including behaviour-based detection, machine learning, and artificial intelligence, to identify and stop threats in real-time and not just scan for known threats.”
Mr. Alok Tripathi, an independent cyber security professional added that “Large hospital chains now have dedicated CISOs, but standalone hospitals are not yet ready to accept the reality that cyber security is essential for their survival and qualified CISOs are must-have. Lot of unpatched systems including medical devices running legacy software make the IT network vulnerable. There is hardly any cyber security awareness among the staff. I have a message for them. At least, get the basics in place. Take professional help to create a Cyber Security Policy. Go for an NMS with capabilities for patch management and asset management. Put access privileges and network segmentation in place. Get proper anti-virus and end-point security. Update the firewalls. And most importantly, go for regular Cyber Security audits.”
Regulatory requirements for data protection and cyber security
One of the primary laws related to data protection in India is the Information Technology (IT) Act, which was enacted in 2000 and amended in 2008. The act includes provisions related to the protection of personal information and the prevention of unauthorized access to computer systems. However, India is yet to enact a specific law for the healthcare sector in line with the Health Insurance Portability and Accountability Act (HIPAA) which is a US federal law that sets standards for the protection of patients' electronic health information and applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses. The Indian version of the General Data Protection Regulation (GDPR) is currently under review. The GDPR regulation established by the European Union (EU) applies to any organization that processes the personal data of EU residents, including healthcare organizations.
Mr. Dey and Mr. Triptathi shared some statistics and upcoming regulatory requirements which should get hospitals to action immediately. The healthcare industry in India faced more than 19 Lac cyber-attacks last year, as per a report by CyberPeace Foundation. Currently, all organizations are required to report cyber security incidents to CERT-In. Soon, there will be mandatory reporting of and strict penalties for data breaches under the digital data protection bill, which is being formulated by the Ministry of Electronics and information technology. Mr. Dey summarized “the Government is taking steps towards implementing the Personal Data Protection Bill and the proposed Digital Information Security in Healthcare Act (DISHA). Similar to HIPAA in the United States, DISHA will enforce the implementation of more robust data security measures. Although this may require additional investments, it is crucial to safeguard personally identifiable information (PII) and protected health information (PHI). The significance of protecting such sensitive data cannot be overstated and the ball in the court of hospital administrators to act right now.”