What India should do to improve cybersecurity in Healthcare — Ambassador Latha Reddy, Co-Chair of the Global Commission on the Stability of Cyberspace – #NAMA

In her closing address, Ambassador Latha Reddy shared a list of policy and organisational recommendations for improving cybersecurity in healthcare.

“In our discussion on all the technical and technology related aspects of how we control data, we must not lose sight of the fact that this has very genuine effects on our people, on our citizens, on individuals. We need to focus also on the impact of attacks from a human perspective. It’s not just a technical approach. We need a human approach. The health of every individual is at stake,” Ambassador Latha Reddy, Co-Chair of the Global Commission on the Stability of Cyberspace, said, speaking at MediaNama’s discussion on COVID-19 and Cyberattacks on Healthcare. MediaNama held this discussion on the 28th of July 2021, with support from the CyberPeace Institute and Facebook.

“Unless we take a global international approach towards global healthcare issues, we’re not going to be able to, essentially”, she said. “Could this be rooted in the WHO constitution, as well as other key organisations? Can the UN itself be the forum, or do look at a multi-sectoral fora to be established? Do we use existing international health regulations for underpinning the treaty? These are questions that need to be answered, but until and unless there’s a detailed international discussion, it is not easily possible to come forward with the answers.” Ambassador Reddy said that she was encouraged to see the call by 51 world leaders, calling for more cooperation in healthcare. “25 leaders have specifically written and have called for international cooperation in this area. We may need is an international treaty for dealing with pandemic and other health crisis. I would say that no one is safe until everyone is safe, as has been reiterated often”.

On India’s role in establishing norms related to cyberattacks in healthcare, Ambassador Reddy said that, based on her experience of interacting with the UN in different capacities, “India’s input is always welcome, because we’re seen as a county that can talk to all countries, and can talk to different points of view, without a rigid ideology. We could play a role, because we’re seen as an emerging and advanced country, huge population. Especially as far as cyber issues are concerned, India is seen as a major player because we have one of the largest datasets in the world. India would be listened to, and India’s position would be listened to by others. Once a forum is created, India would certainly be a part of it. India has been very active, in the Open Ended Working Group in the UN. We’ve worked closely with the World Health Organisation on immunisation programs. I don’t see any reason why India shouldn’t be active internationally, or in creating some kind of consensus on healthcare protection.

What we ought to do

In her closing address, Ambassador Reddy, who was previously the Deputy National Security Advisor for India, shared a list of recommendations for improving cybersecurity in healthcare:

1. Policy recommendations:

• Healthcare infrastructure should be designated critical infrastructure: “It is necessary to specifically say that Healthcare is Critical Information Infrastructure. If you don’t do that, it won’t automatically be taken seriously. NCIIPC needs to add healthcare infra as critical information infrastructure, and this needs to be done through a gazette notification. Healthcare matters as much as transport and other areas that have been specifically nationally, and we should encourage it internationally as well.”
• Consolidated standards for healthcare cybersecurity: “Standards must be consolidated and laid down from all healthcare institutions. I admit it is difficult because you have everything ranging from a small district health center to a huge multi-speciality hospital with substantial resources. Perhaps Graded standards can be evolved depending on the size and capacity of the institution. But I think consolidated standards are important: right now some institutions are following ICD-10, some are following Snowmed CT, and some don’t follow any standards at all. There needs to be a standard or a set of standards.”
• Establish regulatory mechanisms: “We need national, regional and global regulatory mechanisms to be established.”
• An RBI like body for healthcare: “As [Vishal Gondal, Founder of GOQii] had mentioned, we have the RBI for financial institutions and banks. Perhaps we need a coordination agency for healthcare. How else do you ensure that there is implementation, and there are consequences to violating [standards]. How are you going to create the regulatory mechanisms, unless you either create or transform one of the existing institutions ? Perhaps an agency under the union health ministry could be set up, which then specifically looks at this aspect of regulatory controls which are mandatory for the country. This a model which could be replicated in many countries. It already exists in some countries.”
• Separate legislation for healthcare: “I would agree with Pallavi [Bedi, Senior Policy Officer, Centre for Internet and Society], who said that we need a sector specific legislation for healthcare. It should clearly be designated that this is for the purpose for regulating healthcare.”
• DPA with a healthcare division: “The Data Protection agency in India and others should have a specific division dealing with healthcare issues exclusively.”
• CERT for healthcare: “We need a central CERT specifically for healthcare. I don’t think at the moment, we have one, as far as I am aware. One at the national level and one at the state level will help us cope with situations like what we find ourselves in now, with the pandemic.”
• Identify risks across health sectors: “We have to clearly look at all the health sectors at risk, including laboratories, vaccine manufacturers, health insurance, biomedical research institutions, pharmaceutical companies, and finally, the patients themselves. All of these aspects have to be covered when we’re looking at what are the risk factors involved.”
• Defense against espionage: “We need to build specific defences against cyber espionage. It could be espionage by hackers, by states, for the sake of collecting intellectual property and stealing technology. I think that is an aspect that has to be looked at.”
• Improvement in attribution capabilities: “Attribution is key when you’re trying to identify where the attacks are coming from. You need to figure out who has initiated the attack? Is it a random group of hackers, an organised entity or a nation state? We need to develop our attribution capabilities. Then we have to have political will to take action accordingly.”
• Address disinformation: “We need a game-plan to respond to the disinformation infodemic. We need to contradict the false narrative straight away. Get the truth out there. Share verified, accurate and detailed information. We need an alternative narrative strategy which is ready to swing into place, based on verifiable facts.”

2. Organisational recommendations:

• Security by design in healthcare: “You must build security into design, both for devices and platforms that healthcare institutions are using. If you don’t have it by design, it’s a much more complex process.”
• Cybercrisis management Plans: “We need to create cyber crisis management plans for all agencies and organizations in healthcare. Perhaps this has to be mandated.”
• Allocate higher budgets to healthcare: “Lt. Gen (Dr) Rajesh Pant mentioned that only 5% of [IT] budget is being allocated by healthcare institutions for cybersecurity, whereas banks are spending 15-20%. The question is: how do we encourage more spending on cybersecurity in healthcare? Can this be made obligatory? Or do you reward institutions who effectively spend to protect institutions against cyberattacks.”
• “Building a robust cybersecurity framework is very important for each healthcare institution.”
• Ransomware Insurance: “I agree with Gen Pant who said that this is the year of ransomware. The very fact that in 2018, the average ransomware demanded was $6000 and today it is over $200,000 makes it clear that Ransomware would rank number one. How do we protect against these? Are there specific insurance policies that institutions can take out to guard against ransomware payments that they may be forced to make? Can you pay ransom to criminals under a legal system? Institutions need to protect themselves. Some of the larger institutions which may be public companies, are answerable to their shareholders, and we certainly don’t want a situation where healthcare institutions start to go bankrupt.”

3. Other recommendations:

• Increase Cyberhygiene: “We need to increase cyberhygiene across all institutions in healthcare. We need to make people understand what is the purpose of cyberhygiene, whether it is the patients or institutions that are sharing data. If you don’t do that effectively, you can’t protect data.”
• Training for cybersecurity professionals: “We need more training of cybersecurity professionals, and to bring in familiarity with medical technology. The kind frameworks that need to be built for healthcare institutions might be different from others.”