Dr Sanjay Katkar, Joint Managing Director & CTO, Quick Heal Technologies, in an interaction with Kalyani Sharma, talks about the recent AIIMS cyberattack and says, "In the wake of increasing attacks, I foresee stringent compliances around cybersecurity in the healthcare industry to come."
Robust security architecture and infrastructure protect data flowing within and outside hospital systems. However, the recent AIIMS cyberattack underlines the gaps that still need to be filled. Your views on this?
The massive electronic health records data of patients, and the critical role they play in keeping the healthcare system afloat, make them more attractive to cybercriminals. While there is no doubt that our government is continuously making efforts to strengthen the cyberattack prevention mechanisms in the healthcare domain, Lok Sabha data still reported over three million cases of cyberattacks from 2019 till June 2022. This alarming figure makes enhanced cybersecurity the need of the hour.
In my opinion, just having a cybersecurity solution is not enough; keeping the software updated is equally important. In addition, there is a need to educate employees about how their seemingly small actions can make or break an organisation’s cybersecurity infrastructure. Plus, having regular audits and stringent policies goes a long way in preventing any cyber-attacks.
Can you highlight some of the most notable cyberattacks against healthcare institutions and lessons learnt from them?
The recent attack on AIIMS threw daily operations out of gear at an extremely busy healthcare institution, causing long queues and general disarray. Not just this, personal health records of millions of people and those that hold critical positions in the country were breached.
Not to forget the ransomware attack in the US that delayed chemotherapy treatments and diverted ambulances. In 2021, the first ‘death by ransomware’ lawsuit was filed in the US, when a mother blamed a hack for the fatal brain damage to her newborn after heart rate monitors failed. There is another case I recall, where attackers were responsible for locking up Universal Health Services’ systems for days in September 2020, which resulted in delayed lab results and patients being diverted to other hospitals.
Like I mentioned above, often people could be the weakest link. Data security is not the responsibility of just the organisation; each and every individual plays an important role in ensuring that the security measures placed to protect the organisation’s data are not overridden. Organisations at large must show diligence by offering cybersecurity training to their employees so that they can carry out their work in a secure manner.
In the event of a breach, timely intervention can reduce the damage to a great extent, thus reducing the liability and potentially saving the company a large sum in regulatory fines and any collateral damage. So, in a nutshell, through regular trainings and adopting the right security solutions that are kept up-to-date, an organisation’s cybersecurity framework can be made stronger.
How do you see the future of cybersecurity in healthcare in India?
In the wake of increasing attacks, I foresee stringent compliances around cybersecurity in the healthcare industry to come. With government-backed policies aimed at strengthening cybersecurity in this sector and elsewhere, India’s healthcare space is going to be more robust in the years to come.
There is a growing impetus for expanding the protection coverage to build a robust healthcare ecosystem, proactively factoring in the cybersecurity requirements and infrastructure. The organisations within this space are also gradually acknowledging the need to build a culture where employees are proactive defenders of patient data and other crucial information.
What are the crucial steps to safeguard data security in hospitals?
Firstly, basic cybersecurity measures like firewalls and antivirus software are quite affordable for enterprises and hence should be thoughtfully and proactively adopted. It is interesting to share that an average data breach costs Indian organisations up to Rs 17.6 crore. So, in comparison to this, cybersecurity infrastructure costs zilch.
Secondly, having software is not enough; keeping it up to date by applying the latest patches that are sent to the systems is of utmost importance.
And, lastly, employees should be trained to be able to better spot possible security dangers and make more informed decisions while operating digitally. Cybersecurity audits should be given priority and be made a part of the regular process adherence.
As an industry stakeholder, what according to you are the major healthcare cybersecurity challenges?
Healthcare infrastructure in our country has a lot to catch up on, and we have seen a lot of work in this area in the last few years. However, most of the investment has been directed to the core systems, and cybersecurity initiatives still have to struggle for the right attention.
In some cases, the cybersecurity solutions exist but the importance of keeping them updated at all times is not well understood. And in a few cases where you do have the cybersecurity budgets and the systems well updated, employees are not trained on best digital practices, thus making organisations prone to risks.
Another key challenge, in my opinion, contributing to the lag in cybersecurity adoption is the lack of awareness around overall cyber safety and its importance in our country.
Can you throw some light on the promising health tech trends for 2023?
Healthcare is an ever-growing sector, and technology has certainly been a solution to some of its major challenges. The tech-based innovations in the medical space accelerated during the pandemic and will continue to grow in the coming year as well. On the cybersecurity front, we can expect an increase in the adoption of zero-trust security, which, when applied holistically to an environment, will create the framework, concepts, and architecture to address data, identity, workload, network and device security.