New Delhi: The ransomware attack that paralysed the servers of India’s top government-run hospital, All India Institute of Medical Sciences (AIIMS) New Delhi, has yet again brought to light the criticality of protecting patient data. Healthcare firms hold large volumes of sensitive data of high intrinsic value, such as financial credentials, insurance information, health-related patient data and prescription behaviour, all of which needs protection.
With digital technologies being fully embraced, the healthcare sector’s legacy systems and lack of modern security architecture leave the infrastructure vulnerable to the growing number of cybersecurity breaches. “The data makes for a goldmine for cyber attackers who orchestrate a breach to gain access to such data and then either demand a ransom against the threat of exposure or sell the data to the highest bidder. Unfortunately, the data is unlikely to remain private unless the ransom is paid,” said Alex Nehmy – Director, Industry 4.0 Strategy (Asia Pacific & Japan), Palo Alto Networks.
Healthcare data is the most valuable on the black market because it typically contains all of an individual’s personally identifiable information, rather than just a single piece of information found in a financial breach, said David Bicknell, Principal Analyst, Thematic Intelligence, GlobalData.
Rising cyberattacks on healthcare systems
The healthcare industry in India has faced 1.9 million cyberattacks this year till November 28, as per data published by cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Ltd. According to Prashant Singh – Director IT & CIO – Max Healthcare, the AIIMS case is just one example. Still, as per multiple studies, there are two attacks happening in healthcare every day, and the reason for these attacks was primarily to disrupt the operations and get the ransom.
Nehmy agreed that between 2020 and 2021 attacks on healthcare firms saw a steep rise. This situation is a particularly alarming one when considering a scattered and diverse healthcare space like India’s. “Eighty per cent of India’s healthcare industry belongs to entities within the public sector where a lack of operating funds puts advanced cybersecurity in the back seat. On their modernisation journeys, these firms are turning to technologies like IoMT (Internet of Medical Things) devices to drive efficiencies and positive patient outcomes. While this shift is necessary, the vulnerabilities that these devices introduce are not being accounted for even though they now make up for a sizable section of the attack surface of a hospital or healthcare organisation,” he said.
Nehmy believes that digital transformation has also added to the increased incidence of attacks, which is particularly evident with hospitals that have turned to IoT to enhance their patient care and scale their operations cost-effectively. “IoT devices pose critical cybersecurity risks as a majority of these are built without security in mind and are difficult to update once deployed in the field, as they need to be available for patient use around the clock,” he added.
Measures to prevent cyberattacks
Fortunately, healthcare organisations today understand the importance of data protection and the need for cybersecurity techniques. However, experts believe that there is a need to follow these data-security measures in a methodological order to protect the systems from any kind of malicious cyber threat.
Singh believes that the lack of security patching, which is a mandatory step in removing the vulnerabilities in the network, and people using the organisation’s facility outside the office are making the systems more vulnerable to such cyberattacks.
Highlighting some of the key protective measures, Singh cautioned that security patching is one area to which a lot of organisations give very little importance. Stressing the crucial measures for preventing such malicious attacks, he states, “Every system that needs security patching needs to be updated within the time frame. SIEM (security information and event management) and SOAR (security orchestration, automation and response) are techniques that should be implemented. People give significantly less importance to the complexity of the password. It is very important to have complex password rules and there should be regular intervals by which the passwords should be changed. Training and awareness programmes should be there in the organisation about phishing emails.”
Commenting along similar lines, Bicknell said, “Educating staff and restricting access to data and applications is the best way to protect healthcare records. Having a backup plan, that has been reviewed and tested, is a priority in case of a ransomware incident. You cannot learn how to manage ransomware when it’s taking place. Everyone has to know the plan, and their role in it, and it has to be tried and tested in advance of any attack.”
Nehmy added that a comprehensive ‘zero trust’ architecture that can support the transformation while ensuring patient data privacy and regulatory compliance is essential. “Zero trust is a cybersecurity strategy that eliminates implicit trust by continuously validating every stage of digital interaction. Rooted in the principle of ‘never trust, always verify’, zero trust is designed to protect modern digital healthcare environments. The principle applies least privilege access controls and policies with continuous trust verification and monitoring device behaviour to block zero-day attacks. Such an approach will become even more important for healthcare firms and governments pivoting to fully electronic health records as controlling who is able to access these records will be crucial in preventing a breach or leak.”
Digital transformation today is undoubtedly delivering improved patient care outcomes; however, it is equally important to ensure that tight cybersecurity measures are in place for the smooth functioning of healthcare organisations.