In this interaction, General Pant explained why healthcare is a prime target for cyberattacks and identified the required steps to strengthen health infrastructure against such attacks.
“2020 was the year of phishing and 2021 is going to be the year of ransomware,” Lt. General (Dr.) Rajesh Pant, National Cybersecurity Coordinator, Government of India, said in his keynote address at an online discussion held by MediaNama in partnership with the CyberPeace Institute on July 28, 2021. The event focused on COVID-19 and Cyberattacks on Healthcare, and General Pant singled out ransomware as the most pressing cybersecurity challenge of 2021.
Why it matters? The COVID-19 pandemic has cast a spotlight on healthcare technology and its importance. India is in the process of digitising its healthcare records with the introduction of the National Digital Health Mission, Unique Health ID, databases of healthcare professionals and health facilities, and so on. Given India’s population of 1.3 billion, this process initiated by the government could mean the collection and storage of huge troves of sensitive data which might attract hackers and criminal elements hoping to steal this data.
Key points to note in General Pant’s address
India reported an increase of 37 percent in cyberattacks on healthcare organisations in November and December last year. The number rose by 45 percent worldwide over the same year and the biggest increase was seen in the number of ransomware attacks, General Pant revealed.
General Pant also listed the impacts of a cyberattack as:
- Delays in treatments
- Cancellation of non-emergency procedures
- Theft of patient, customer data, intellectual property, or scientific research data
- Business disruption and financial theft
- Loss of revenue, and costs associated with restoring operations and improvement to the cyber-security defenses
- Regulatory fines and legal liability
- Reputational damage and litigation from affected individuals
Why is the healthcare sector targeted by cyberattacks?
Financial gain: “Private patient information is worth a lot of money. It’s become increasingly important for hospitals to keep their information secure with GDPR coming into play this year but hospitals store an incredible amount of patient data which is worth a lot to the criminals,” General Pant said.
Devices are an easy entry point for attackers: “Medical devices are an easy entry point for attackers. There is a lot of automation in hospitals these days so devices like X-rays, insulin pumps, defibrillators, play a critical role in modern healthcare but they are not made with security in mind. The devices can be used to launch an attack on a server to which they are linked. In a worst-case scenario, a medical device can be taken over by hackers thereby preventing healthcare organizations from providing life-saving treatment to patients. It compels the staff to access data remotely which in turn opens up more opportunities for attack,” he explained.
People prefer convenience over security: “Workers do not want to disrupt convenient working practices with the introduction of new technology. The long working hours and deadlines of healthcare staff leave them with no time or resources to add online security processes to their workload. Moreover, medical professionals are not educated in dealing with online threats as it is not a part of curricula in medical colleges. There should be a discussion and the medical training syllabus should include a cyber security module which covers IT as well as cyber physical systems,” he stated.
Multiple devices and shareable information: “The number of devices used in hospitals makes it difficult to stay on top of security. Healthcare information needs to be open and shareable. It has to be put on a server that is facing the internet from where the patient can access this data. It exposes the linkage to that particular hospital, and that is how attacks can take place. Small healthcare organisations are at a greater risk because they are often seen as an easy target to be used as a backdoor to target large healthcare enterprises. There is a need for global attention towards cyber-attacks on healthcare,” he said.
The primary threat factors
Ransomware: “I call last year as the year of phishing, I am calling this year as the year of ransomware in light of the Colonial Pipeline attack in the U.S. The ransom in several ransomware attacks has been paid. The ransomware gangs showed their true colours by infecting hospitals in the middle of the COVID-19 pandemic when they were least prepared. The attack renders the healthcare industry inoperable as critical processes are slowed down forcing hospitals to use pen and paper. In January 2021, Checkpoint researchers found that ransomware strains called Ryuk and REvil have dominated the threat landscape. Most attackers follow a double extortion tactic that means, besides the data encryption, they steal the most valuable files so that their authors can pressurise the victims into submitting the ransom. The ultimatum is as follows: pay-up or the patient’s records will be uploaded on a public shaming site,” General Pant said.
Data breach: “Data breach is the second-most common attack in the healthcare sector. The research confirms that the health industry experiences more data breaches than any other sector. The value of health data is around $400 on the dark web as compared to $5 for credit card information. The data is used to create fake insurance claims allowing for purchase or resale of medical equipment, and procurement of some medicines which are banned and only prescribed to certain people. Criminals also use this data to illegally gain access to prescriptions for their own use or for resale,” he said.
DDoS attack: “Activists and cybercriminals use the distributed denial-of-service attack to overwhelm a network and render it inoperable. They pose a serious risk to the healthcare sector which needs access to the network to provide proper patient care, or needs access to the internet to send and receive emails, prescriptions, records, and information,” he remarked.
Insiders: “Organisations are so preoccupied with defending their company from external threats that they forget to keep track of insiders. An insider poses a threat because their legitimate access to proprietary systems is able to bypass traditional cyber security defenses such as intrusion detection devices or physical security,” he commented.
Business email compromise: “In this attack, scammers use a spoofed email or a compromised account to trick employees into initiating a money transfer to a fraudulent account. This attack has many variations and causes loss of money from the corporate side, or goods, or even the prescription of drugs. In recent years, the aspect of data espionage, and stealing research work on vaccines has become very important,” he conveyed to the attendees.
How can the Indian healthcare sector improve its cyber security?
Risk assessment: “The healthcare sector has to prioritise critical data and cyber-physical assets. One has to do a risk analysis and see where the actual patient data is, and from a cyber physical system point of view, which are your most critical machines that need to be protected. Once it is done, the organisations can ensure that cyber defenses for these assets are put in place,” General Pant noted.
Network segmentation: “The entire network must be divided into segments,” General Pant said, adding that it is one of the easiest techniques. “Segmentation is done even within the cloud. In addition, data backup is a very simple technique. Even if you take a data backup every six hours, only patient data of the last six hours may not be there in a worst-case scenario. I would strongly suggest a data backup plan be there and recovery systems and data recovery mechanisms must be in place. We have a cyber crisis management plan at a national level but a cyber crisis management plan must be practiced at an enterprise level,” he said.
Dealing with insiders: “The best way to deal with insiders is often your other employees. Employers must train their employees to deal with this threat. They must know how to recognise and report an insider threat and prevent them from inadvertently becoming one. There are some artificial intelligence techniques which practise behavioural analytics which can identify employees working on an application that they are not supposed to use and put up red flags,” he said.
Shortage of personnel at NCIIPC
“The Union government is committed to training 500,000 cyber-skilled personnel by 2018 in the 2013 National Cyber Security Policy. The plan struggled in its implementation because there was no action plan on the standard to which people were to be trained, and who would train them,” General Pant said.
“There is a programme of MeitY called Information Security Education and Awareness (ISEA), which is being conducted by CDAG, Hyderabad. They are doing a good job of training people. IITs and other institutions say that B.Tech and M.Tech in cyber security are picking up. The moment people realise that this degree will help them in getting a well-paying job and the companies know that without cybersecurity, they cannot survive, an ecosystem will be created,” he added.
Designating healthcare as critical information infrastructure
“The government has created an organisation called the National Critical Information Infrastructure Protection Centre (NCIIPC). It has classified critical sectors into six broad divisions including the strategic sectors, transportation, finance, BFSI, etc. The health sector has approached the NCIIPC and recommended some of the systems which should be a part of protected systems as per the concept of the NCIIPC,” General Pant said.
Minimum security requirements in the National Digital Health Mission
“Organisations should spend at least ten percent of their IT budget on cybersecurity. Automation and cyber security go hand in hand. In the case of SMEs, they prefer to go for managed services rather than their own IT cell and cyber security professionals because they cost money. Unified health interface or UHI shall enable public and private solutions and apps to plug in and be a part of the national digital ecosystem. 11.9 lakh health IDs have been generated; 3106 doctors and 1490 facilities have registered on the platform. It is a work in progress,” he revealed.
Requisites for ensuring the security of Indian citizens’ data collected by devices
“Security standards are not present in the devices and wearables entering the market. Singapore has started something called cyber security labeling of IoT (Internet of things) devices where they give stars like the ones denoting energy consumption. India needs to have legislation in place as it is a serious problem because they are seeking consent for things, especially in tier-II and rural areas which we do not normally see but they cannot be penalised unless there are laws in place,” he said.