Mumbai: As the need for digital solutions is increasing, so are the risks of cyber security breaches. Digital is an enabler, and in an era booming with digital innovations, India has made quite an impact in adopting digital solutions. This has also brought the country to a crossroads where the adoption of digital solutions has opened various avenues for rampant cyber attacks. Over the years various sectors across the nation have faced security breaches where malicious actors have exploited vulnerabilities, which has given rise to a surge in cyber-attacks.
ETHealthworld spoke to some cyber security experts and researchers to understand the current scenario and why organisations are becoming more vulnerable, even though there are solutions to prevent such incidents from occurring in the first place. As India traverses through the realm of digital, understanding the threats and nipping the threats in the bud becomes all the more imperative in safeguarding national interests and ensuring the resilience of its digital infrastructure.
Healthcare organisations/institutions failing to thwart cyber attacks
Healthcare organisations struggle to thwart cyberattacks due to a combination of factors. Firstly, they store valuable patient data that is highly attractive to cybercriminals. Secondly, resource constraints often prioritise patient care over cybersecurity investment, leaving vulnerabilities. Thirdly, reliance on outdated legacy systems makes it challenging to maintain security. Trishneet Arora, CEO and Founder, TAC Security, commented, “Human error, from falling for phishing scams to weak passwords, contributes to vulnerabilities. The rapid digital transformation introduces new attack surfaces, while the evolving threat landscape constantly outpaces security measures. Regulatory compliance, like HIPAA, adds complexity. Addressing these challenges requires a mindset shift towards prioritising cybersecurity, adequate resources, staff training, and collaboration with experts.”
Jeremiah Fowler, Co-Founder and Cyber Security Researcher, Security Discovery, citing a recent incident, shared, “There is a difference between a full-on cyber attack and a data exposure due to misconfigured security controls. In this case, they may lock the back door with security measures but Redcliffe Labs left the front door open with all of the test results. Traditionally, the medical field was in the business of practicing medicine, but as we transform to a technology-based healthcare system the cyber security officers are as important as nurses and doctors.”
Commenting on why healthcare organisations/institutions fail to thwart cyber attacks, Prabhat Pankaj, Chief Technology Officer, Redcliffe Labs shared, “Healthcare organisations store a vast amount of sensitive data of patients, making it a primary target of cybercriminals. It takes multiple efforts to safeguard the data. Some of the common reasons for cyber attacks increasing the vulnerability of healthcare websites are:
Lack of focus: The primary focus on making customer services accessible and smoother, and not placing system security on top of the funnel, can be one of the reasons for not being able to thwart cyber attacks.
Lack of awareness: The lack of awareness, improper training, and insufficient measures for data security make their system vulnerable.
Limited budget: Healthcare organisations often operate on limited budgets, most of which are often used for optimising care, leading to insufficient investment in cybersecurity measures.
Complex ecosystem: Healthcare networks are intricate, involving various systems to address multiple facilities of the healthcare ecosystem. Securing this complex ecosystem is challenging, especially when different components have varying security levels.
However, healthcare organisations can proactively address cybersecurity challenges by implementing robust measures. This includes adapting to evolving threats, allocating resources efficiently, upgrading systems, safeguarding patient data, conducting regular staff training, ensuring compliance with regulations, mitigating insider risks, data encryption, and fostering cybersecurity awareness. Apart from that, there can be periodic checks on the systems if the invaders can hack the system. These steps are essential to maintaining a positive and proactive stance in safeguarding operations against cyber attacks.”
“Healthcare systems provide a large surface area for attacks designed to be data breaches. Organisations with a primary business focus on the delivery of healthcare services and diagnostics are often not prepared to deal with sophisticated attacks on the data infrastructure. The multiple systems which combine to deliver the core business drivers are often inadequately set up to detect, identify and thwart attacks. The IT infrastructure needs to catch up in applying critical security updates and fixes the vendor provides. There is a need to have operational command and control of IT infrastructure focused on mitigating risk,” expressed Sankarshan Mukhopadhyay, Vice President- Customer Experience, Dhiway.
Data security is a huge challenge, securing data
Data governance is a critical part of the IT strategy. It is essential to examine the data flows to identify and evaluate the risks inherent in designing multiple IT systems and IT infrastructure in the cloud. Both data at rest and data in transit need to be secured from various attackers, and this requires the expertise to design and implement standard operating procedures, run regular audits, and undertake security certifications for the adoption of best practices. “Securing the data of a business is a combination of using best practices in secure IT infrastructure, data encryption, and robust identification and authentication mechanisms for access to data,” shared Mukhopadhyay.
Fowler added, “Data security has to be a top focus and companies need to invest in security. It is hard when companies can’t see a return on investment in data security when they are making substantial profits. Leaders in the industry need to understand that the cost of data security is now a part of the business and data is equally as valuable as any product or service they provide.”
Sharing views on how to secure data, Pankaj remarked, “Data security is becoming a significant challenge due to the increasing volume of digital information, challenges in handling Big Data, unethical hacking leading to cyber threats, and the proliferation of connected devices. To secure data effectively, organisations can implement several measures:
Data encryption: Implementing the encryption techniques to protect sensitive data available online including the stored data and data that needs to be transferred using different online applications.
Access control: Ensuring strict access control policies. Limiting data access to authorised personnel only and not sharing the data with people external to the organisation.
Regular software updates: Keep all software, including operating systems and applications, up to date. Software updates often include security patches that protect against known vulnerabilities.
Integrating firewalls and intrusion detection systems: Installing firewalls to monitor and control incoming and outgoing network traffic. Also, there should be proper alerts for the administrators to get notified immediately about potential security threats.
Using only the authorised software integrations: In case the integration of any external software is required to run a set of operations, please ensure the use of integrating robust and reliable software. Also, check if that particular system is robust or vulnerable.
By adopting these practices, organisations can significantly enhance their data security and mitigate the risks associated with cyber threats. These measures can be personalised by training the professionals and identifying the potential threats to the website. In case the security integrations are outsourced, the complete control should be at the organisation’s end.”
Data security is increasingly challenging due to the growing volume and complexity of data, coupled with sophisticated cyber threats. The expansion of digital environments and remote work has widened the attack surface. “To keep data secure, organisations must employ robust encryption, access controls, and regular security audits. Implementing multi-factor authentication and intrusion detection systems is crucial. Employee training to prevent human errors and social engineering attacks is essential. Regular software patching and updates help fix vulnerabilities. Collaborating with cybersecurity experts and staying abreast of emerging threats is vital. A comprehensive, proactive, and layered approach to data security is necessary to mitigate risks effectively,” said Arora.
Public health sectors establishing robust cybersecurity mechanism system
According to a recent report by the American cyber security and intelligence agency Resecurity’s HUNTER investigators, an alleged data leak of over 81 crore Indian citizens (Aadhaar card, passport details, names, phone numbers and addresses) from the database of the Indian Council of Medical Research (ICMR) was up for sale on the dark web by a threat actor going by the handle of ‘pwn0001’ on X (Twitter). Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, Government of India, addressing a press conference in Bhopal, said that there is evidence of leakage and investigation is going on, but the data was not stolen.
Commenting on how the public sector can prevent such breaches, Fowler mentioned, “Hire an internal team and use an outside vendor who works separately together. I see many mistakes when companies just outsource to vendors who are not providing real-time monitoring for outside access or automate penetration testing and miss critical vulnerabilities. The company that collects sensitive data then usually passes the risk to the contractors and loses the chain of control in the process. This is a massive risk and companies must be aware of who is accessing their data and what is exposed. Not knowing this information is a massive risk.”
“The public health sector, such as the Indian Council of Medical Research (ICMR), needs a robust cybersecurity system to safeguard sensitive health data and maintain public trust. Recent breaches highlight the risks associated with valuable patient information. A robust cybersecurity system involves implementing strong encryption, regular software updates, intrusion detection, and access controls to protect against cyber threats. Continuous employee training and awareness programmes are essential in preventing human errors. Collaborating with cybersecurity experts and sharing threat intelligence can help in staying ahead of evolving threats. The public health sector’s cybersecurity mechanisms are critical for ensuring data privacy, healthcare continuity, and maintaining public confidence,” added Arora.
Data is a critical IT asset and applying the best practices to protect this asset is necessary. A robust cybersecurity stance based on standards and guidelines will also include the establishment of a risk matrix which provides the necessary input for creating policies that mitigate the damage from system and network attacks. “The combination of a policy with standardised audits and compliance flows will go a long way in ensuring that highly vulnerable large data pools like health data are securely managed in well-designed IT systems hosted in the cloud or in on-premises data centres,” remarked Mukhopadhyay.
Implementing immediate remedial measures during a cyber threat/attack incident
During a cyber threat or attack incident, swift and effective remedial measures are crucial to minimise damage and mitigate risks. Arora explained, “These immediate steps should include:
Isolation: Isolate affected systems from the network to prevent further compromise.
Notification: Alert relevant stakeholders, including IT and security teams, management, and legal authorities.
Investigation: Conduct a forensic analysis to understand the extent and nature of the breach.
Containment: Implement measures to stop the attack and prevent lateral movement within the network.
Eradication: Remove malware, backdoors, and vulnerabilities, ensuring a secure environment.
Recovery: Restore affected systems and data from secure backups.
Communication: Maintain clear, coordinated communication with stakeholders, both internal and external, while complying with legal and regulatory requirements.
Documentation: Thoroughly document the incident for post-incident analysis and compliance purposes.”
Bodies like CERT and the Indian Computer Emergency Response Team (CERT-In) have created guidance for organisations dealing with ongoing cyberattack incidents. Starting with the detection and identification of the path of attack, the guidelines also require adequate reporting to be put in place such that stakeholders are regularly updated. “Best cybersecurity practices also mandate that the impacted systems and IT infrastructure are fenced off from other businesses as quickly as possible to begin service recovery and provision of service-level agreements,” remarked Mukhopadhyay.
In the face of cyber threats, a proactive and positive response is crucial. When an attack occurs, immediate steps must include isolating affected systems and bringing in experts to handle the situation. Transparent communication is vital, allowing everyone to be aware and prepared. Systems can be restored using secure backups, and vulnerabilities should be patched promptly. Also, regular analysis is essential to prevent future attacks.
“Across the healthcare industry, investing in cybersecurity measures and training IT professionals with the latest updates is fundamental. Compliance with all the cyber regulations is a must. This robust approach showcases a steadfast commitment to safeguarding sensitive information,” added Pankaj.
Hackers attacking pharma/healthcare organisations
Hackers have been targeting pharmaceutical and healthcare organisations for several reasons. These sectors store valuable and sensitive data, such as patient records, medical research, and intellectual property, which can be sold or ransomed on the dark web. Additionally, the COVID-19 pandemic has increased the value of healthcare-related information and research, making it an attractive target. Arora expressed, “Pharmaceutical companies also hold valuable drug development data, which can be monetised or exploited. Moreover, these sectors often have complex and interconnected systems that may have vulnerabilities, making them susceptible to cyberattacks. The healthcare industry’s focus on patient care can sometimes lead to underinvestment in cybersecurity, further enticing attackers.”
“Health data is the most valuable on the dark web. Health data doesn’t expire like a credit card and can be a risk for many years after it has been exposed. Simply put, health data is by far the most valuable target for criminals,” mentioned Fowler.
“Electronic health records (EHRs) and electronic medical records (EMRs) are not just a complete data set about a patient. Today, the data stores include insurance and credit information and additional contextual data related to various other services. With healthcare organisations slowly catching up with the need for a good cybersecurity posture, the risks from data breaches and other attacks will continue to rise,” added Mukhopadhyay.
Delving into the details of why hackers are attacking pharma/healthcare organisations, Pankaj shared, “Pharmaceutical and healthcare organisations are the latest and favourite hunts for cyber attacks for several reasons, including:
The presence of valuable data in one place: Pharma and healthcare organisations store sensitive data like patient records, research findings, and intellectual property. This information is valuable in the black market and can fetch high prices. By attacking a single site, the hackers can get voluminous data.
Making money through ransom payments: Hackers often use ransomware attacks to encrypt crucial data and demand ransom payments for decryption keys. Healthcare organisations needing immediate access to patient data and committed to securing the patient data are more likely to pay easily to safeguard the data.
Patient data monetisation: Stolen patient records are sold on the dark web, where cybercriminals can use or sell them for various malicious purposes or even to competitors to get a higher value for the available data. So, it becomes a two-way source of income for them.
As far as pharmaceutical data is concerned, there are higher chances of attacking pharmaceutical sites to access the drug formulation and unveil the launch of upcoming drugs or crack the existing formulas.”
Emphasis laid on cyber-security and its criticality in today’s time
Health services organisations and institutions need to ramp up their focus on infrastructure security, network security, application security and data governance. Without planned investments in these verticals, these organisations run a risk of cyberattacks and exposing their stakeholders to data breaches.
“Today, there are adequate standards, models, and approaches in place which enable any organisation to create a good plan for cybersecurity and take a responsible approach towards safeguarding their infrastructure and information systems,” shared Mukhopadhyay.
Pankaj added, “With the regular increase in cybercrime and cyber attacks, organisations, as well as the government, are putting regular efforts into improving cyber security to handle large datasets and enhancing data privacy for all the crucial data available online. In today’s digital age, it is crucial. Protecting data ensures trust, compliance, and business continuity. If there is a proactive approach taken to enhance cybersecurity and safeguard information, people will be able to adapt to the ever-growing digitisation in all industries. So, emphasising cyber-security is necessary to bolster confidence and support innovation in the community.”
Arora concluded, “Organisations dealing with large datasets are increasingly emphasising cybersecurity measures due to the critical importance of data protection. In today’s digital age, data is a valuable asset, and breaches can result in severe financial and reputational damage. With the growth in cyber threats and regulations like GDPR and HIPAA, the emphasis on cybersecurity is paramount. Large datasets often contain sensitive information, making them attractive targets for cyberattacks. Therefore, robust cybersecurity measures, including encryption, access controls, threat detection, and employee training, are crucial to safeguard data integrity, maintain trust with customers, and ensure regulatory compliance in this data-driven world.”
The Government of India Ministry of Electronics and Information Technology (MeitY) CERT-In issued directions on April 28, 2022, under sub-section (6) of Section 70B of the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. With cybersecurity breaches becoming inevitable, robust infrastructure and policies need to be in place to take immediate action in case of a cyberattack or threat. As the nation grapples with the ever-rising incidents of cyber attacks, cybersecurity can no longer be an optional safeguard but an absolute necessity in this interconnected world. There is also a need for public-private collaborations with an immense focus on education and awareness. To thwart threats and breaches, fostering a culture of cybersecurity and staying vigilant with a proactive approach will aid India in establishing a robust digital health infrastructure.