Saket Verma, Cybersecurity Practice leader, Kyndryl India emphasises that valuable and sensitive data such as patient health records, payment and other personal records are making the healthcare industry more vulnerable to cyberattacks
Path-breaking innovations in Information and Communication Technologies (ICT) have led the modern world to ride the wave of rapid digitization and digitalization. At the same time, rising cyberattacks have become an equal reality across economies, more so for India.
A DSCI-Cisco white paper noted that India experienced 1.39 million cyber incidents in 2022 and reported a 6.6 per cent increase in the cost of a data breach. In 2023, cyberattacks and data breaches have led to organisations in India losing $2.18 million worth of revenue, according to Ponemon study.
India continues to be among the countries that are most vulnerable countries to cyberattacks since the pandemic. A CyberRisk Alliance-Infoblox report estimated that nearly 7 in 10 organisations in India experience some type of data breach. Arguably no sector has been immune to such threats and attacks with healthcare being one of the most crucial yet vulnerable ones in the country.
COVID-19: A tipping point for the healthcare sector
Apropos of BC and AD, the healthcare industry in India can be divided into two timelines, namely before and after COVID-19. With an unprecedented situation coupled with geographical restrictions during the COVID-19 pandemic, we saw the emergence of a redefined landscape for the delivery of various healthcare services.
Hospitals, pharma companies and ancillary services were charged with meeting the needs of the masses in a short span over extended geographies. This has led to an almost overnight shift in focus towards streamlining of processes and deployment of technology. Technology implementations that were envisioned for the future were quickly embraced and adopted in a matter of weeks and months.
The demand for remote patient monitoring, telehealth and telemedicine, electronic health records (EHRs), and advanced diagnostics resulted in surge in the popularity of Internet of Things (IoT) devices. These were used for remote sensing, measurement, and several such applications. Frost & Sullivan has estimated the global medical device connectivity (MDC) market will grow by nearly 29.4 per cent from $2.47 billion in 2022 to $8.96 billion by 2027, a trend that is catching on in India too.
More devices, greater data volume, rising cybersecurity attacks
As the use of IoT devices and advanced healthcare equipment recording patient and other medical information gain traction, this has also led to corresponding rise in the volume of data flowing into the healthcare system.
Valuable and sensitive data such as patient health records, payment and other personal records are making the healthcare industry more vulnerable to cyberattacks. Such data is now not only accessible through servers but also through the growing number of IoT devices and equipment that store such data or are connected to the server.
Today, vulnerable IoT databases or data stores and unsecured networks between IoT endpoints and central networks are perceived as major security threats. Data from a study by cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Limited found that the healthcare industry in India faced 1.9 million cyberattacks in 2022.
Ease of network intrusion and sensitivity of information has also made the healthcare sector vulnerable to attacks. This has also broadened the types of cyberattacks that the healthcare sector has faced. Ransomware continues to remain one of the leading types of cyberattacks on health institution. The attacks on the All India Institute of Medical Sciences (AIIMS), India’s largest medical institution, or the on drug major Sun Pharma by the APLHV Ransomware Group are great examples.
Cyberattacks have also taken the form of data breaches through the leakage of sensitive patient information or social engineering based on manipulation of legitimate users. In addition, the healthcare sector has been especially prone to distributed denial of service (DDoS) attacks where a group of devices, equipment or services are compromised and controlled by cyber threat actors.
In the wake of such attacks, remedying cyberattacks alone may not suffice for players in the healthcare sector.
Overhauling the approach to cybersecurity risks/threats
With sensitive and private information at risk along with financial vulnerabilities, the Indian healthcare sector needs an overhaul in cybersecurity.
At a time when critical care is largely getting digitised, reverting to an manual override during cyberattacks may not be sufficient. Instead, today, the case for cybersecurity resilience has only become stronger. The Indian healthcare sector must adopt an organisation-wide cybersecurity culture.
Similarly, there is a need to cybersecurity resilience, where the onus lies not just on the IT department alone but with the entire organisation. Mitigating cybersecurity risks and threats has to have a top-down approach wherein personnel at all levels are apprised of the potential risks.
A case of cybersecurity resilience in healthcare
Learnings from the previous attacks in the healthcare industry in India prove that medical institutions like hospitals must adopt a foolproof and robust cybersecurity mitigation plan.
Organisations must prioritise resilience by investing in cybersecurity training for all personnel and updating legacy medical devices, including IoT that are running on dated software. They must adopt policies that promote cyber-hygiene practices across departments.
A zero-trust approach that prioritises end to end security is essential for futureproofing. Essentially this means adopting technologies such as AI/ML that allow for faster detection of malware and the ability to respond faster in a targeted manner – threat hunting and simulation. The cybersecurity health of an organisation can be evaluated based on metrics such as a reduction in number of incidents, lower number of false positive, and shorter mean time to detect and isolate malicious code.
Healthcare providers and organisations must also take proactive steps to identify and mitigate potential vulnerabilities, regularly update their security protocols, and emphasise the financial importance of cybersecurity. They must also collaborate with government agencies and industry experts to stay ahead of evolving threats. It is time for the Indian healthcare sector to adopt cyber resilience as a non-negotiable aspect of its services for the safety of its patients and the economy.