Hospitals too need to be saved from viruses

A cyber breach in healthcare is literally a life-and-death question; it is time that the preventive and curative principles of public health are put in use for the cyber world too.

Large volumes of sensitive health data are generated during the interactions of individuals with healthcare providers. This information includes patient records, lab results, medical images, and other sensitive and confidential information like status and progression of serious illnesses. It is imperative to keep this data secret and protected from unauthorised access and theft, for an indefinite time.

This is accompanied by a paradoxical need to make this data available to the right people, experts and other concerned parties for fairly legitimate reasons. An exposed password can be changed and compromised credentials altered, but compromised medical data like a patient’s blood group or medical disability cannot be changed at any time. Healthcare IT systems include a large number and variety of legacy devices, which have been used on locally connected networks. They also typically lack a sophisticated security model and lend themselves to easy exploitation when connected to the Internet.

Such cyberattacks aren’t uncommon. In Singapore’s worst cyberattack, hackers stole the personal particulars of 1.5 million patients in 2018. Outpatient prescriptions of 160,000 of these people, including Prime Minister Lee Hsien Loong and a few ministers, were stolen as well. Likewise, the WannaCry cyberattack crippled the UK National Health Service between 12 May and 19 May, and more than 19,000 appointments were cancelled as 200,000 computers were locked out.

It cost the NHS a total of £92 million in the handling and subsequent cleanup and upgrades to its IT systems. In France, operations at all five sites of the Rouen University Hospital-Charles Nicolle were disrupted by a ransomware attack in November 2019, affecting 6,000 of the hospital’s computers; all IT systems were shut down, leading to widespread service disruption. In October 2019, an attack against the DCH Health System in Alabama crippled three of its medical centres and patients had to be referred to other providers.

In the beginning of May this year, a new “Snake” ransomware hit Fresenius Group, Europe’s largest private hospital operator. This attack disrupted the company’s major operations except for patient care. In the latest incident on April 21, a ransomware infection at Parkview Medical Center in Pueblo County, Colorado, rendered the hospital’s system for storing patient information inoperable. Similar cyberattacks on health infrastructure have also been reported within the past two months in France, Spain and Thailand, as well as at Brno University Hospital in the Czech Republic, which has the country’s largest Covid-19 testing lab.

A security incident could have a devastating impact on productivity, reputation and revenue, but the consequences of a breach for medical systems are much more dire than for any other organisation. Connected medical devices today range from Wi-Fi-enabled infusion pumps to smart MRI machines. This has tremendously increased the attack surface of devices sharing information.

There are huge security concerns including privacy risks and potential violation of privacy regulations, apart from the possibility of imminent harm. The possibilities are unthinkable: stolen or modified patient data can put a stop to critical procedures like dialysis or surgeries, and devices locked out due to a ransomware attack can even cause death. It has to be kept in mind that if you are an institution dealing with Covid-19 research, any press coverage will lead to increased interest from malicious cyber adversaries.

It is time to urgently take stock of critical systems and prioritise patching of known vulnerabilities, especially in Internet-connected systems. Access credentials, especially for important accounts and generally for all other accounts, need to be protected by using complex passphrases and multifactor authentication. Any account showing unusual or anomalous activity should be immediately suspended and examined. Involve cyber security experts to actively scan applications, devices, systems and networks to detect any breach.

Share threat intelligence with other similar institutions in your sector and immediately report every cyberattack to CERT-IN and other authorities. Also, develop a cyber crisis response plan which includes shifting to manual systems and quick disaster recovery. It is a duty of a clinical establishment, or any other entity which has generated and collected digital health data to protect the privacy, confidentiality, and security of the digital health data of the owner. Such clinical establishment, or any other entity, should take all necessary physical, administrative and technical measures (as prescribed or specified in law) to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under law, and against accidental or intentional destruction, loss or damage.

The Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules) prescribe the Reasonable Security Practices and Procedures, i.e. the international Standard IS/ISO/IEC 27001 on “Information Technology — Security Techniques — Information Security Management System — Requirements”. Any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices for data protection other than IS/ISO/IEC shall get its codes of best practices duly approved and notified by the Central government for effective implementation.

The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource. In the event of an information security breach, such entity or a person on its behalf shall be required to demonstrate that they have implemented security control measures as per their documented information security programme and information security policies.

The bare structure of data protection across industries is provided under the Information Technology Act (IT Act) and the SPDI Rules. Personal medical/health information in India is regarded as sensitive personal information as per the IT Act and the SPDI Rules, which, being India’s principal legislation, prescribe that every body corporate that collects, stores or handles data must ensure that prior written consent is obtained from the provider of information for collection, storage and handling of his/her data. In case of a breach, the body corporate shall be liable for punishment only when the contravention of the provision causes wrongful gain or wrongful loss.

It is the entity which collects the data who is responsible for ensuring the security and privacy of such data and is liable in case of any data breach. As on date, unlike other countries, the Indian law does not mandate/obligate the companies/corporates/entities to inform individuals of data breach and as a result, the individuals are not aware that their details are or may have been compromised. During this time of pandemic, e-health technology is relied upon for non-Covid-19 patients.

With the introduction of telemedicine/teleconsultation, the issue of protection of patients’ personal data will arise, as such data will inevitably be shared using platforms/intermediaries. The current legislation and the proposed draft bills — Data Protection Bill and Digital Information Security in Healthcare Act (“DISHA”) Bill, 2018 — grant the owners the right to privacy, confidentiality, and security of their digital health data. Owners can also give or refuse consent for the generation and collection of such data, and strict punishment is provided for in case of breach.

Consent and explicit consent are among the features of the draft bill, along with the right to rectify. It also mandates compulsory reporting in case of any breach, but at the same time does not clearly define the security measures that must be followed to prevent a data breach. Absence of such prescribed standards will create ambiguity. Prescribing adequate measures and security procedures in the draft Personal Data Protection Bill, 2019, and passage of DISHA will regulate healthcare data. Hospitals and healthcare institutions need to run 24×7, and so do their IT systems.

Given the criticality of the data and procedures, both in terms of confidentiality and severity of consequences to human life, they are in dire need of protection from cyberattacks. The cybersecurity posture of healthcare institutions and information systems needs to be immediately hardened. While maintaining cyber hygiene can be an effective stop-gap measure like sanitisation and social distancing in a pandemic, deeper institutional, policy and design changes are imperative. Healthcare, connected devices and databases need an immediate cybersecurity overhaul.

Worldwide, this sector would be spending very large sums on securing its critical life support and patient management systems in the near future. Care has to be taken that a 360-degree approach, right from device supply chain sanitisation to user awareness, capacity building and incident monitoring as well as crisis response, is evolved in a comprehensive way.

A cyber breach in healthcare is literally a life-and-death question; it is time that the preventive and curative principles of public health are put in use for the cyber world too.

Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is Advocate in the Supreme Court.