By Kanishk Gaur
One major reason India could put up a spirited fight against the Covid-19 pandemic was the CoWIN platform, which helped keep an efficient track of vaccinations rendered public in the country. The backbone which supported one of the most extensive vaccination drives in the country was IT. This platform not only helped effective monitoring of the vaccination drive but also helped keep track of its progress. Well, that is the good side of the story, but the other and the scarier side of the digitization of the health sector is the growing number of cyberattacks in this sector. During the recent pandemic, the healthcare system in India was one of the most targeted in the world. Today the All-India Institute of Medical Sciences (AIIMS), New Delhi, was under a ransomware attack that rendered its server down.
While the digitization of the healthcare system has certainly helped, it has also exposed the sector to cyberattacks. And such attacks are happening across the globe, even in more developed economies. In 2017 ransomware was on a software supplier, resulting in the United Kingdom’s National Health Service (NHS) getting worse impacted and emergency healthcare services getting stalled across U.K. Against this backdrop, it becomes imperative to safeguard our health sector against cyber-attacks, a crucial element missing in the Digital Transformation Journey.
The flagship body in India, the National Health Authority (NHA) is the national regulatory authority responsible for implementing India’s flagship public health insurance/assurance scheme Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB-PMJAY).
Further, the NHA, however, has not prescribed any cyber security guidelines for the sector. In the absence of a cyber incident response playbook that hospitals and public health institutions can follow to respond to any cyberattacks, institutions face a tough challenge in responding to and deterring such threats.
The irony, in India. Even though the healthcare sector put up a strong fight during the recent pandemic, the sector is still not a critical infrastructure as per the guidelines of the National Critical Information Infrastructure Protection (NCIIPC). What is worse is that the healthcare sector does not have clearly defined cybersecurity policies or guidelines.
The situation in other countries. The situation, however, is quite different in other countries across the globe. In countries like the United Kingdom, the United States of America, and in the twenty-seven countries under the European Union (EU), healthcare is a critical infrastructure. In those countries, the healthcare ecosystem undergoes continuous cyber security audits and has a mechanism for reporting cyber security threats and is responsible for reporting any cyber security breaches. Further, healthcare service providers must hold accountability for patients’ data and penalized if found guilty of lapses.
The EU Agency for Cybersecurity plays a crucial role in continuously strengthening the EU’s cybersecurity by following the NIS directive and rolling out the Cyber Resilience Act. The agency ensures that the healthcare sector has up-to-date cybersecurity policies and a regulatory framework. It regularly promotes discussions through the eHealth Security Experts Group by organizing healthcare sector-specific security conferences, thereby ensuring information sharing and exchange of good practices between stakeholders in the healthcare sector.
The United States Healthcare Sector is a critical infrastructure under the Presidential Policy Directive 21 and the National Defence Authorization Act,2021. The healthcare sector has a crucial mission to self-protect from cyber threats and carry risk assessment, mitigation, and regular remediation following the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, which is an advisory council chartered by the U.S. Department of Homeland Security to support the implementation of the National Infrastructure Protection Plan.
The U.K. learned from the Wanna Cry Attacks in 2017, and its NHS published various guidance materials on protecting against cyber security attacks. Hence the guidelines include a Digital letter explaining patches to protect against cyber-attacks, technical guidance for patching against cyber-attacks, FAQs on cyber-attacks, and technical guidance on reconnecting to networks following precautionary disconnection after cyberattacks.
The situation in India is completely different from what exists in the countries mentioned above. As things stand today, in the country, there is a lack of Data Protection law, and personally identifiable information (PII) of patients gets misused by third parties for telesales, analytics, and decision-making for drug manufacturing.
The recent ransomware attack on AIIMS highlights the vulnerability across India’s healthcare sector, which is looking to digitize its functioning through innovative labs, digital reporting booking, online booking, and appointments. The National Health mission is looking to link health records and meetings across essential government hospitals.
The need of the hour. India desperately needs cybersecurity Guidelines to secure its health ecosystem, ensuring security controls to safeguard patients’ records and critical and intensive care unit functioning in case of ransomware and APT attacks. Regular Cyber Security Assessment, responsibility to report breaches, and a council of cyber experts who could proactively suggest best practices for the healthcare sector in India are much needed.
Today in India, the largest referral hospital, which caters to approximately 1.5 million outpatients and 80,000 inpatients yearly, has been operating manually, and patients requiring immediate medical treatment have their surgeries delayed because of the non-availability of lab systems.
While India’s CERT and NIC are taking reactive steps to detect and deter ransomware, however, without paying the ransom, the hacktivists will not allow to allow access to the files, so in such a scenario, regular backup, if taken by NIC, could help in system restoration or older at the AIIMS, New Delhi.
(The author is a cybersecurity expert. Views expressed are his own and not necessarily that of Financial Express.com)