A cyberattack is any attempt to gain unauthorized access to a computer, computer system, or computer network for the purpose of disabling, disrupting, or controlling computer systems or altering, blocking, deleting, tampering with, or stealing data stored in those systems. Ransomware is a type of malware that encrypts the victim’s files, blocks access to a computer system, and requires users to pay a ransom to decrypt the files.
Recently, the All India Institute of Medical Sciences (AIIMS) in New Delhi, the country’s leading public healthcare facility, fell victim to a severe ransomware attack that crippled routine healthcare services and affected thousands of patients. The core servers of AIIMS were hijacked by an unknown cyber attacker. The data of nearly four crore patients was compromised and held for ransom. The Delhi Police registered this attack as a case of cyber terrorism.
This incident has prompted several hospitals across the country to review their cybersecurity systems. These security concerns are even more important given that the Indian government recently launched the Ayushman Bharat Digital Mission (ABDM). The ABDM architecture is decentralized, meaning that all hospitals, clinics, nursing homes, registered physicians, and diagnostic labs registered under ABDM are responsible for storing and protecting patient data collected from them.
In the context of the large-scale digital transformation of health delivery systems initiated by the Indian government, two questions come to the fore: to what extent are Indian hospitals prepared to protect their computer systems and patient data from potential cybersecurity attacks, and what shock response strategy do hospitals have to recover from a cybersecurity attack and ensure business continuity and resilience?
Although the ABDM architecture is decentralized and a breach at one hospital is unlikely to compromise other hospitals’ databases, there is no sure way for hospitals to be certain of this. Implementing hospital data linkage and sharing on the Ayushman Bharat network depends largely on the ability of software vendors to connect hospital data to the ABDM network. Managing and controlling cyberattack intrusion into hospital data linked to the Ayushman Bharat network will depend largely on the security policies implemented by software vendors. The National Health Authority that is spearheading the digital health transformation in India needs to publish common standard guidelines for software implementers and healthcare organizations to manage and control cyberattack intrusion into patient health data linked to the Ayushman Bharat network.
Healthcare is more vulnerable to cyber risks than other sectors because of the low awareness among healthcare providers about the need to protect health data. Hospitals hold a great deal of confidential data, and the shift to electronic medical records has made that data even more exposed. Hackers find patients’ health data a lucrative commodity to sell on dark web markets. Even if hackers only lock the data, hospitals cannot afford to lose access to it for a long period and are therefore more likely than other organizations to pay a ransom.
Hospitals are also a relatively easy target because they have a “wide attack surface”. It is difficult to control physical access to equipment, and many medical devices run older operating systems that are difficult to update and easier for hackers to exploit. Healthcare organizations largely focus on securing their data by putting firewall protections in place, but the main attack vector for hospital cyberattacks is people, through phishing or more targeted spearphishing attacks, in which hackers use misleading emails or websites to gather information.
In India, individual physicians are not protecting their data either. Therefore, before unifying all patients’ health information linked to their ABHA number, India’s healthcare cyber system needs to be put in order. Appropriate security measures and policies should be published by the National Health Authority to protect health information provider systems from cyber risks. A comprehensive strategy for the protection and resilience of healthcare provider systems from a cyber-attack needs to be defined and implemented in India to gain the confidence of private hospitals before they join the Ayushman Bharat program network.
Since telehealth services in India or globally have to be conducted digitally, patients need to submit their personal data over the Internet. Additionally, their financial information is stored in the health service’s internal system. Consequently, without robust cybersecurity measures and regulations in place, this information becomes easily accessible to hackers and cybercriminals. Cybersecurity experts have observed that the number of incidents has doubled since people transitioned to digital services following the pandemic.
How to safeguard our systems against cyber threats?
There are certain safeguards available in India against cyber threats. These include the Information Technology Act 2000 (amended in 2008) dealing with cybercrimes, the National Critical Information Infrastructure Protection Centre (NCIIPC) to protect the nation’s critical information infrastructure, and the setting up of CERT-In as the national cyber emergency response team. However, a lot more needs to be done by healthcare organizations to protect themselves from cyber-attacks and to recover from attacks with minimal damage in a shorter turnaround time.
Hospitals must create a culture of cybersecurity. Healthcare provider systems need to train all employees on cybersecurity and strengthen their firewalls. Employee training should include simulated phishing attacks, which can reduce the number of clicks on malicious links by two-thirds. As with any other emergency, such as a fire or flood, health delivery systems must have procedures in place to minimize disruption in case of any cyber-attack.
Since electronic records would not be available in the event of a cyber-attack, the health delivery systems must ensure that all their personnel are able to access paper records to ensure business continuity of operations. Health provider systems should classify all digital assets according to their business importance. In this way, these systems can more effectively prioritize their cybersecurity and threat mitigation efforts. Regular generation of vulnerability reports followed by an annual audit should be done. This will highlight the loopholes in the organization’s cyber-attack preparedness.
Healthcare organizations’ IT and security teams need to keep abreast of the latest threats, threat drivers, and attack vectors. This will help them develop better defenses and educate their staff about the latest attacks and fraud attempts. The security teams should implement appropriate controls around data segregation and infrastructure security. Continuous monitoring mechanisms are also important to ensure that the controls are effective and working as intended.
Healthcare provider systems should regularly back up data and manage and control who has access to it. Healthcare entities should save three copies of each type of data in two different formats, including one offline copy. This is an industry best practice for making healthcare organizations cyber secure.
Health provider systems should invest in emerging technologies that enable the organization to automatically scan and secure data, log data modification activities as they occur, and immediately alert IT teams about unusual or unauthorized behavior. Organizations would also benefit by implementing an enterprise security incident detection and response program as part of their larger cybersecurity plan. Crisis management must be integrated into the business resilience strategy, and steps should be taken to find out what can be done at the organizational level to tackle different types of breaches.
Healthcare provider organizations should prepare a sound incident response plan that includes a playbook for containing ransomware damage, restoring services and data, and recovering from the attack.
Hospital CIOs should establish granular governance and reporting mechanisms that provide an in-depth view of the organization’s IT assets and ecosystem. These mechanisms and tools should be able to handle all risk and compliance-related reporting requirements across business operations, and also deliver security risk intelligence in a way that makes sense to business heads and senior management. Software should be reviewed annually, or whenever it is changed or updated, whichever comes earlier.
Healthcare provider organizations should install next-generation firewall systems and deploy up-to-date security software on all machines. The organization should deploy tools to detect and prevent ransomware attacks on the critical exchange servers where it uploads data for exchange with the Ayushman Bharat network. The tools that healthcare information providers may implement include advanced endpoint protection that learns to identify malicious files and activity from the attributes of known malware; tools that monitor network traffic, user actions, and system behaviour patterns in order to alert on and remediate any breaches; web shielding to protect web apps and internet traffic; email cloud security; and dark web monitoring intelligence for critical servers and databases.
Security practices like using biometric authentication of users before accessing telehealth services, encrypting health data in transit, and implementing transport-level security for the exchange of data over telehealth services will help to prevent cyber-attacks over telehealth services.
Cyber resilience and a well-defined shock response should be the most important strategy for a healthcare provider organization to recover quickly from a disaster and continue business as usual while trying to prevent, detect, control, and remediate threats against its data and IT infrastructure. This is possible if the healthcare organization identifies critical assets, systems, and data; understands the resources that support all critical functions within the business and protects critical infrastructure services; is able to detect anomalous events and suspected data breaches or leaks before major damage occurs; responds to a detected breach or outage; and implements an end-to-end contingency plan to ensure that business operations continue as usual in the event of a cyberattack. The healthcare organization should plan for appropriate redundancies for critical components to restore any affected infrastructure, capabilities, or services that were compromised during a cybersecurity incident. This step focuses on a timely return to normal operations. Implementing well-established cyber resilience will help healthcare organizations ensure business continuity even after a potential cyber-attack.
What can governments do?
Addressing cybersecurity risks in healthcare has become particularly important in the context of the large-scale digital transformation of healthcare systems in India. The Government should devise a national cybersecurity strategy to monitor the cyber readiness of all healthcare provider organizations. The National Health Authority should develop guidelines and a framework for preventing and protecting against cyberattacks for programs that are becoming part of the Ayushman Bharat program network. A cyber readiness audit should be made mandatory for software vendors and healthcare organizations that wish to become part of the Ayushman Bharat network or are involved in the digital transformation of their healthcare systems, to ensure better and safer care for their patients.