India needs to research the always-changing strategies, methods, and practices of hackers and criminals. If India is perceived as an easy target, it will pay a heavy price.
The frequency and targets of cyberattacks on India are becoming increasingly serious.
In late November, patients at the All India Institute of Medical Sciences in New Delhi began to experience extended wait times. Long lines snaked along the vast building and backed up for several yards.
Computers at the hospital had stopped working, so medical reports could not be generated. Though patients were still being treated, paper bills were being handed out. A massive cyberattack had compromised the health data of millions of patients.
The Delhi Police had a bigger problem at hand. They were in possession of an email that read, “What happened? Your files are encrypted? What is the price to repair? The price depends on how fast you can pay to us.”
The Delhi Police initially denied reports of a ransom demand. But they later confirmed that the servers at AIIMS were attacked, and data was being held for ransom. Police sources were quoted as saying the attack originated from China and Hong Kong.
Two weeks later, servers at AIIMS started limping back to normal.
This is not an isolated incident. Around the same time, across the street, Safdarjung Hospital also reported a cyberattack that incapacitated its servers for a day. Data was not breached and the servers were restored quickly.
Sree Saran Medical Centre in Tamil Nadu found that sensitive information of 150,000 patients was being sold on the dark web. The Indian Council of Medical Research has also disclosed that it was recently subjected to a cyberattack. ICMR claimed that the hackers tried to break through the website of India’s peak body for biomedical research 6,000 times on November 30, 2022.
Against the backdrop of the pandemic, the healthcare sector has become an attractive target for cyberattacks. In one instance, Cisco India had alerted India to the possibility of a spike in cyberattacks targeting the healthcare industry. Cyfirma, a Singapore-based threat-intelligence firm, had reportedly warned in March 2021 that major Indian pharmaceuticals such as Serum Institute, Bharat Biotech, Dr Reddy’s Labs, Abbott India, etc., could become targets for hackers from Russia, China, and North Korea as part of their efforts to steal critical data on vaccine research and trials. The company had identified 15 hacking campaigns, with seven from Russia, four from China, three from North Korea, and one from Iran.
The Indian healthcare sector is second in terms of the number of attacks, accounting for 7.7 percent of the total attacks on the healthcare industry worldwide in 2021, and 29.7 percent of all attacks in the Asia-Pacific region. The US is the number-one target, facing 28 percent of all the attacks on the healthcare sector worldwide in 2021. And the number of cyberattacks against the healthcare industry has increased by 95.34 percent in the period January–April 2022, as compared to the number of cyberattacks in 2021 during the same period. CyberPeace Foundation cites the number of cyberattacks against the healthcare industry in India as 1.9 million from January 2022 to November 2022.
Cyberattacks loom but funds underutilized
While the number of cyber attacks in the country has witnessed a three-fold increase over as many years, the funds allocated by the government for cybersecurity have been underutilized, with only ₹98.31 crore used of the total ₹213 crore sanctioned.
According to government data, in 2019, the total number of cyber security incidents tracked by the Indian Computer Emergency Response Team (CERT-In) was 394,499. The number spiked to 1,158,208 in the year 2020 and further increased to 1,402,809 in 2021. This year, as many as 674,021 cyber security incidents were reported till June.
According to the Information Technology Ministry, the government is operating an automated cyber threat exchange platform that collects, analyzes, and shares tailored alerts with organizations across sectors so that they can take proactive threat-mitigation actions.
The government has issued guidelines for Chief Information Security Officers (CISOs) regarding their key roles and responsibilities for securing applications/infrastructure and compliance.
Besides, all the government websites and applications are regularly audited with respect to cyber security prior to their hosting. Moreover, the government has empaneled 97 security auditing organizations to support and audit implementation of Information Security Best Practices.
Cyber crime accelerated during the pandemic as cyber criminals took advantage of the crisis, causing immense disruption to the healthcare sector at a time when it was facing enormous patient care demands. Ransomware pay-outs and efforts to protect or harden healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses, according to Fitch Ratings.
Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked. The recovery time and costs, associated with breaches of critical data, not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.
Hospital and health system databases contain critical and sensitive patient data, which are highly sought after by cyber criminals for ransomware and double-extortion schemes.
Cyber breaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs, and federal enforcement actions due to regulations around patient confidentiality,
During the Covid-19 pandemic, increased remote work for nonessential staff opened up opportunities for infiltration, as did the sector’s ongoing use of integrated technology, such as smart medical monitoring devices, telehealth, and other virtual care capabilities. Software for such devices and heavy medical equipment, such as CT scanners and MRI machines, is often proprietary and designed with patient care and not necessarily cyber risk in mind, Fitch analysts wrote.
Also, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years even with outdated or unsupported software, leading to gaps in institutional security systems.
Cybersecurity is a considerable administrative expense and may lower returns given the growing frequency of attacks, according to analysts. The healthcare industry worldwide will spend upwards of USD 125 billion cumulatively on cybersecurity products and services from 2020 through 2025, according to Cybersecurity Ventures.
The key to reducing risks is the identification of gaps in security areas and IT systems where risks to critical assets are highest, including hardware and software on mobile devices, laptops, workstations, and servers, Fitch analysts wrote.
In India, it has serious implications too. The cyber attacks have sparked concern across India’s hospitals since they come at a time when the government has been pushing them to transition to online and paperless operations under the Ayushman Bharat Digital Mission. Following this incident, several hospitals across the country have been reviewing their cybersecurity systems. And some have decided to temporarily postpone their plan to switch to a cloud-based server to store hospital data.
Under the Ayushman Bharat Digital Mission, the health records of each person will be linked to a unique 14-digit health account number, similar to an Aadhaar number. The idea is to enable paperless records, so that a patient can visit different hospitals without carrying all their medical files. By providing their account number and granting access, a patient can enable a doctor to view their records.
Currently, many government hospitals operate on a hybrid model of manual paperwork and digital records. The new system is expected to gradually do away with the need to store medical reports in physical copies. Each hospital that registers for the Ayushman Bharat Digital Mission will store its patient information, such as prescriptions, diagnostic reports, and treatment administered, on its own server or in cloud-based storage. They will link relevant reports to the patient’s health account number.
Other hospitals can view this information, provided the patient grants them access to their records. The medical files are essentially stored on hospital A’s server. The patient is only giving access to hospital B to see that particular file from hospital A’s server. The catch is that the entire system is decentralized – it is not like Aadhaar, where all data is stored centrally.
In a decentralized system, all hospitals, clinics, nursing homes, private practitioners, and diagnostic laboratories that register under the Ayushman Bharat Digital Mission are responsible for storing and protecting patient data gathered at their end. While the Ayushman Bharat Digital Mission will not store patient data on its central database, it will create a larger ecosystem where hospitals can network over the internet.
The National Health Authority will keep checks and balances for hospitals to maintain layers of security when they enter the ecosystem. But the government is not providing the software; each hospital will have to appoint a software provider to maintain its database. And a breach is likely to occur if a hospital is unable to ensure high-level security. A security lapse by a hospital or doctor may compromise that hospital’s system and its entire Ayushman Bharat data.
While it is unlikely that a breach in one hospital will compromise other hospitals’ databases, the fact that the National Health Authority has not made public the software code that will power this system is a major weakness. Private hospitals are reluctant to register for the Ayushman Bharat Digital Mission – of the 173,000 that have signed up, only 27,986 are privately run. For government hospitals, registration is mandatory. The government will have to move in now. A protocol for hospitals to follow needs to be defined. Currently, a hospital invests what it deems fit when it comes to cyber security.
India needs to put together robust cybersecurity systems and strong data-protection laws. If there is a plan to have one unique national health ID, then the cybersecurity of such massive amounts of data will have to be the responsibility of the government.
The attack on a hospital as large as AIIMS is an eye opener, and a warning that cannot be ignored!