- Building awareness around the issue is the first step: All panelists were of the opinion that building awareness of cybersecurity risks to healthcare data and institutions is the first step to take to mitigate attacks. This includes training CIOs and workers to understand the risks.
- We need a data protection law and a regulator: A strong data protection law, specifically designed for health data is needed, and there also needs to be a regulator for the healthcare industry like there is RBI and SEBI for the financial world.
- Only collect data that is necessary: Healthcare institutions should only collect the required level of information at each stage of the workflow.
- Security by design and standard protocols will help reduce risks: Products designed for the healthcare industry should adopt security and privacy by design and should adhere to standard protocols in order to reduce the risks of cyberattacks and data breaches.
- Periodic assessments should be done: Healthcare institutions should conduct periodic assessments of their cybersecurity position and the government should mandate this and issue certificates.
- Budgets for healthcare institutions vary a lot: There is no ideal budget that healthcare institutions can allocate. They should rather focus on figuring out where they currently stand in terms of cybersecurity and where they want to be and allocate the budget accordingly.
While we need the government to pass a data protection law and appoint a regulator to govern the healthcare space, the first measure to secure health data and mitigate cyberattacks on healthcare insutitons is to build awareness about this issue and reduce the amount of the data collected from patients. These were some of the suggestions shared by experts who participated in a panel discussion held by MediaNama on COVID-19 and Cyberattacks on Healthcare.
Pallavi Bedi, Senior Policy Officer at the Centre for Internet and Society, Arvind Sivaramakrishnan, Group CIO of Apollo Hospitals, Niranjan Ramakrishnan, CTO of Leixir Dental Lab Group and CEO of My Lab Connect, and Vishal Gondal, Founder of GOQii, participated in this panel discussion.
This discussion was held on July 28 in partnership with the CyberPeace Institute, and with support from Facebook.
Measures to strengthen the security of health data and healthcare infrastructure
- Build awareness: “First is awareness. At least in financial data, people are aware don’t give your OTP. In health data, there is no awareness,” Gondal said. Sivaramakrishnan concurred with this view and added: “If you just look at this as a technology problem or a policy problem, we would probably find a scapegoat to make this somebody else’s problem. Unless this becomes a fundamental core DNA of all operations of everybody involved in it. That’s when you’re going to have meaningful protection.”
- Data governance in terms of what and how information is collected: “For example, this morning I was asked to fill up a form for a milk vendor. I was surprised to see that some of the fields asking my Aadhaar card, my salary, my occupation, my net income and all sorts of details. The same thing applies to the hospital. What is the information we ask from the patient? Does it really make sense at every counter, at every place? ” Ramakrishnan asked. “I think the workflows have to be done in a way that we capture information that is required for that process. And also there’s enough attempt made by the organization to make the consumer, the patient or their family members understand the purpose of that particular information being collected,” Sivaramakrishnan added.
- Educate across the board: “Each person needs to understand what business function they are performing and what are the pitfalls of what they are doing. Does the procurement team know what it takes when you know you get a phishing email that talks about a certain procurement pattern? Does the finance team know what it takes when you get a message with some sort of online payment link or request for an online payment link? Does HR know what it takes when somebody says that they’re looking for some employment? Do they actually understand and perceive the importance of the role they are playing, which is why they are targets?” Sivaramakrishnan asked.
- Security and privacy by design: “Looking at it only from what an organization has to do, I think the first part of it is to look at security and privacy by design and I know systems that are existing today may not have thought of all those,” Sivaramakrishnan said.
- Standard protocols should be followed by third-party services: “If all systems can follow the industry-standard protocols that are relevant for the respective industries, then automatically your handshake is going to be that much more cleaner,” Sivaramakrishnan said. “We need to really have policies across the organization. We should come together and understand if you are going to handshake with a device like this, what are the different steps that we should follow and we should try and make it more structured rather than individual CIOs taking a decision. So bringing in any standardization or a certification program across the organization would really help,” Ramakrishnan added.
- Honest periodic assessments: “How can we assess periodically people, processes and technology honestly? Honestly, because we’re always shy and scared of a very honest self-assessment and I think we need to do that just to keep ourselves at pace to understand the risks. I think those are the organization governance rules that you have to look at. It’s not just merely investment it is just not merely having a very elegant and capable information security team. They’re as strong as the weakest link,” Sivaramakrishnan said.
- Appoint more qualified CIOs: A very small percentage of Chief Information Officers (CIOs) or Chief Information Security Officers (CISOs) who are running a healthcare organization are qualified for the job, Ramakrishnan said. “Most CIOs are not real engineers coming from an information security background. Not more than like 5% of the healthcare organizations of India have deputed qualified, trained CISOs on board,” Ramakrishnan added.
Training and certification programs make a huge impact: “We started a program for most of the CIOs of hospitals and health care organizations to undergo a five weeks program. I think that’s a good start because you need at least to have a few champions within the organization who understand what they are dealing with and who can learn from the other industries and bring it back to the healthcare industry. So programs like this and certification programs definitely make a huge impact,” Ramakrishnan said.
Tech industries can help by making solutions more affordable and functional: “Tech industry can make the solutions more affordable to healthcare, as the general expectations are for lower costs on healthcare. The second aspect, the tech industry can also make the solutions more functional in terms of support and its steady-state rather than make it sound like rocket science, which always needs more and more services around it,” Sivaramakrishnan said.
Policy changes to improve cybersecurity
- Regulators like RBI and SEBI for the healthcare industry: “We see this in the financial world. There is RBI, there is SEBI, there are so many regulators, enforcers. And there is an assumption that people are afraid of the law because they are going to be challenged by some regulator. With health care, nobody knows who’s in control. Who is afraid of who? Nobody knows. So while we have the private sector, we need to have both judicial and government and police and all these enforcers otherwise this is all going to be chaotical. People spend money in compliance only if they are afraid of the consequences. Right now, there are no consequences,” Gondal said.
- Pass data protection law and designate health care as critical infrastructure: “I would first say that get a data protection law, and a data protection law specifically for health care and make healthcare a critical infrastructure service,” Bedi said.
- Polices like HIPAA in the US: “There should be clarity of policies when it comes to health. In the US, everybody swears by HIPAA. Similarly, in Europe, the regulations are becoming tighter and tighter,” Gondal said.
- Mandatory assessment programs: “I would suggest there should be an assessment program that should be made mandatory for all healthcare organisations. It could be a simple certification,” Ramakrishnan said.
- Draconian laws are needed: “I would say draconian law for anybody who works on the data or brings out products or services, that’s built on data that is not acquired through official channels. So if you close the need for a data market, then somebody saying that records are worth five hundred rupees or whatever, the number would be automatically switched off,” Sivaramakrishnan said.
- Self-regulation is not enough: Commenting on if disclosure norms will help, Bedi said: “That could be one way forward. But at the end of the day, we do need regulations and we do need laws in place so that if the organizations don’t do it, there’s a place to go for redressal. Just leaving it to self-regulation, may not work. You need to have some sort of regulation to see this happen.”
- Proactive government policies: “Start looking at better governance policies, governance policies that are not just reactive, but also proactive so that we can start ensuring that every activity we do is catered to from a privacy and security standpoint,” Sivaramakrishnan added.
Budgets for cybersecurity in healthcare institutions
- Less than 1.5 to 2 percent: “Based on my previous understanding, anywhere between 1.5 to 2 percentage of turnover is for the maintenance budget and 4 to 5 percentage if it’s a kind of greenfield or complete revamp of IT,” Ramakrishnan said. So from that, a percentage is allotted to cybersecurity, he added.
- No ideal expenditure: There is no ideal expenditure, Sivaramakrishnan said. “I think first set your house in order. You need to understand who you are, what you are and what you want and what is it going to take for you. Then look at what is your capability to spend and then figure out what is your distance from where you are to what you understand is steady-state. And then start talking about in steady-state there will be so much percentage of a budget that you will be able to allocate. For some people, the loss of information would be small. So they might spend 0.5 percent, for some others that would literally be their business. So they might end up spending even 10 to 12 percent of it,” he said.
- First place to cut costs: “A couple of days back in our strategy meeting, they were asking for projections for the next two years. So we put some 110k worth of, you know network contract monitoring tool. The first question was why is so much money assigned to this particular tool. Why don’t you buy it by next year. So, the first place where they wanted to kind of remove the capex is cybersecurity,” Ramakrishnan said.
- Cannot give assurance of safety: “I think assurance is what they expect which unfortunately the CISOs cannot give: if in case they assign that budget to me, can I give an assurance that our entire infrastructure and everything is completely secured? Honestly, the answer is no because I think the people who are trying to enter are much smarter than all of us. For them all they need is just one door to enter, you know when we are trying to cover like 100 doors, they’re just looking at one door to enter and it’s much easier to do that.” Ramakrishnan said.
The comments have been edited for clarity and brevity.
- Agenda And Reading List: Cyberattacks On Healthcare
- 416 Crores Allocated This Year To Strengthen Nation’s Cybersecurity, Here Are Some Measures Taken So Far: IT Ministry
- IT Ministry Reveals Over 6 Lakh Cybersecurity Incidents In First Half Of 2021, No Comment On If Critical Infrastructure Was Targetted
- The Policy Changes The US Government Has Initiated To Overhaul Its Cybersecurity
Have something to add? Subscribe to MediaNama and post your comment