Recently, there have been a number of cybercrimes that have targeted the healthcare industry. The Pioneer speaks to experts, who inform us further about the same and why a strict data protection law is the need of the hour.
TANISHA SAXENA
Digitalisation in healthcare remains a nuanced concept, and one that brings complexities with it. Treating it merely as an emerging phenomenon with many dimensions, driven by technology and innovation, will not suffice. What we need is to build a modern healthcare infrastructure that meets the requirements of clinicians and patients, resulting in a digital and modern healthcare system.
Amongst the many strands of the digitised healthcare model is cybersecurity. As per a research journal, “Cybersecurity incidents are a growing threat to the health care industry in general and hospitals in particular. The healthcare industry has lagged behind other industries in protecting its main stakeholder (i.e., patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high-end point complexity, internal politics, and regulatory pressures.”
In early 2023, hackers from Sudan targeted corporate hospitals in Hyderabad and Chennai. In another incident, hackers were found selling the data of 1.5 lakh patients of a Tamil Nadu hospital on the dark web. All these incidents came on the heels of the major cyberattack on India’s biggest medical system, AIIMS. The data show nearly 1.9 million cyberattacks on the Indian healthcare network this year, especially from countries like Pakistan, China, and Vietnam.
Cyberabad police commissioner Stephen Ravindra explains, “Digitisation comes with a cost. It comes with a greater threat. When we go to hospitals or clinics we are asked to give our Aadhaar card details and in the rush, we don’t care about the implications of sharing our details, or we never ask how safe our information will be with them. The paperwork requires us to share most of our personal details, including our bank information and mobile number. A cyberattack on healthcare infrastructure means that our data is leaked. The hackers can misuse the information for ransom.
These days everyone has a smartphone, and once our details are leaked we might receive random messages which are actually ways of manipulation, and with one wrong tap our bank account can be cleaned out. So, definitely, it is a major challenge as we walk on the path of becoming digital. So far, I haven’t observed any rules and regulations to prevent cyberattacks on healthcare infrastructure. We have just started noticing how dangerous it can be, but have yet to tackle it.”
But up until now, we did not even know the implications of cyberattacks, and the public is still far from giving this a thought. On a similar note, Praveen Kumar Tangella, CISM, CRISC, President, says, “We should first acknowledge that the cultural ethos should be such that people too understand the severity of data leakage, especially in digital healthcare infrastructure. If people would take responsibility for their information, then probably the implementation of rules by the government would be more effective.”
Insider threats are a significant concern for organisations, as employees and contractors often have access to sensitive data and systems. These threats could result from intentional or unintentional actions, such as stealing or sharing sensitive information or falling prey to social engineering attacks.
Elaborating further, Anil Rachamalla, internet ethics and digital wellbeing expert and founder of End Now Foundation in Hyderabad, shares, “India does not have a comprehensive data protection law. Having a data protection law in place can help ensure that businesses are held accountable for how they handle personal data and provide individuals with greater control over their data.
If you have a privacy law, then you can have more personal data rights, including the right to access, the right to confirm, the right to correct, the right to portability, the right to forget, and the right to consent. Data theft will compromise patients’ personal health information (PHI) such as personal and medical information, leading to identity theft and medical identity theft, which will eventually lead to social engineering scams.”
Strong cybersecurity measures and policies must be put in place: using encryption to protect data, implementing access controls to limit who can access sensitive information, and training staff members to recognise and prevent cyber threats.
He continues, “Most organizations that have experienced data breaches, data thefts, or ransomware attacks usually do not report to the police, CERT or MHA, for fear of negative publicity, reputational damage, or legal consequences. Instead, they handle the situation internally or with the help of their cybersecurity experts. Reporting a ransomware attack to legal and investigative authorities can help future affected organizations in several ways: (a) sharing threat intelligence, (b) identifying vulnerabilities, (c) mitigating the impact, and (d) holding cybercriminals accountable.”
Why will reporting a data breach only make the cybersecurity community stronger? Ratan Dargan, co-founder and CTO, ThoughtSol Infotech, answers, “Data breaches have become a common occurrence in today’s world, and they can have severe consequences for businesses, organizations, and individuals. From financial losses to reputational damage, data breaches can disrupt operations and erode trust. The problem is that many organisations choose not to report data breaches, either because they are unaware of the breach, do not want to admit to a mistake, or fear the potential consequences of disclosure. This lack of transparency and accountability not only undermines the trust of stakeholders, but also hinders the ability of the cybersecurity community to learn from the breach and improve their defenses.”
The solution to this problem is straightforward: “reporting data breaches. By reporting breaches, organisations can work together with the cybersecurity community to identify vulnerabilities, develop new security measures, and prevent future breaches. Additionally, it provides an opportunity for businesses to demonstrate transparency, integrity, and commitment to protecting their stakeholders’ data.
Furthermore, reporting a data breach helps organisations comply with various legal and regulatory requirements, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By complying with these regulations, businesses can avoid significant fines and legal consequences,” concludes Dargan.