Peg the blame on EmailThief, low-end anti-virus, missing firewalls, or loose IT controls for the All India Institute of Medical Sciences cyberattack if we must, but the crippling of the systems of India's premier government hospital is a flashpoint. It is a massive healthcare breach and a repeat incident in the Indian healthcare sector. In another cyberattack across the bay, on 30 November 2022, ironically International Computer Security Day, hackers who had demanded that the Australian health insurer Medibank pay US$ 9.7 million to keep the Australian health records of its impacted customers (including Prime Minister Anthony Albanese) off the internet dumped everything on the dark web and declared "Case closed." These are just two instances of the horrifying future tsunami of Personal Health Information (PHI) cyberattacks.
Unlike credit card numbers, which can be changed, and unique government-issued identifiers, which can be reset, PHI is non-perishable and hence particularly valuable. Stolen healthcare records therefore sell for as much as US$ 1,000 each. Credit card numbers, in comparison, sell for US$ 5 each on the dark web, while unique government-issued identifiers fetch as little as US$ 1 each. This high return on the time and tools invested motivates hackers.
PHI loss unleashes chaos
With PHI loss, the symbiotic healthcare triquetra of Ps (Providers, Payers, and Pharma, with the Patient as the central P) suffers immediate, long-lasting, and sometimes irreversible agony. The Data Security Council of India, in its Sectoral Privacy Guide-Healthcare, categorises PHI into: demographic (name, age/date of birth, gender, race and ethnic origin, marital status, residential address, and details of immediate family members to contact in an emergency); administrative (health insurance coverage and settlements); medical practitioner (specialty, nature of institution); health risks (behaviour and lifestyle, family genetic history); and health status (physical, mental, and emotional state, cognitive functioning). The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, the Clinical Establishments (Registration and Regulation) Draft Rules, 2010, and similar instruments have specifically defined types of PHI and their retention periods. Once digitised, PHI merges into Digital Personal Identifiable Information, but its diligent protection lacks clear, integrated legal guardrails.
If exfiltrated, this treasure trove of long-lived, unalterable data points can be streamed by hackers to criminal networks of drug traffickers, money launderers, sex offenders, dacoits, murderers, identity thieves, terrorists, and rogue countries. Its misuses include illegally obtaining medical treatment, prescription medications, and devices; filing and submitting fraudulent claims for health insurance compensation; using a patient's identity to purchase burner phones and SIM cards or to secure open credit cards or fraudulent loans; and loss of reputation or employment, discrimination, blackmail, or extortion that can cause citizens immense mental and physical pain.
Root causes of extensive open cyberattack surfaces
Protracted experimentation with the digital integration of Patients, Providers, Payers, and Pharma, entangled with absent or ill-formed regulations, is the root cause.
In sharp contrast to the Union Health Ministry's free eSanjeevani telemedicine service crossing eight crore tele-consultations, with one crore consultations in the last five weeks alone, India does not yet have an interoperable, unified Health Information Interchange. Weak physical infrastructure and capacity, the quality of current data, and unenthusiastic technology adoption (owing to apathetic, non-interoperable, and non-intuitive technologies) exacerbate the complexity.
Interweaving citizens, practitioners (allopathic/AYUSH), allied health professionals, helpers, ambulance and blood-bank services, laboratories, governing bodies and regulators, health information fiduciaries, payers, pharmaceuticals, and technology and research bodies demands a consistent, integrated legal framework to protect delicate PHI. The penalties in the Information Technology (IT) (Amendment) Act, 2008 and the strict health data controls in the National Centre for Disease Informatics and Research policy are limited, insufficient, and isolated. A robust grievance redressal system, effective compliance, and administration of the applicable law are missing too.
Prior to the Digital Personal Data Protection Bill, 2022, the National Health Authority (NHA) had released the 2019 National Digital Health Blueprint, the 2021 Consultation Paper on the Unified Health Interface, and the 2022 Draft Revised Health Data Management Policy. These stemmed from the 2017 National Health Policy under the Ayushman Bharat Digital Mission. The dire need is to digitise the Indian healthcare ecosystem by creating, maintaining, and protecting digital health records and registries for healthcare professionals and health facilities, and, while providing a federated architecture and techno-operational flexibility, ensuring an interoperable framework for the multiple partners associated with healthcare delivery.
Techno-operational and functional standardisation of hardware and software, together with the cost of storing data for the required duration and subsequently destroying it across categories, will immensely challenge smaller clinics and centres, NPOs/NGOs, and rural or remote health providers on the cost of building technology, capability, and scale. This will push small entities to cut corners in cybersecurity. Blockchain recommendations will need to address two primary current problems: the absence of secure desk-side and mobile endpoints; and the complexities of periodic destruction, the right to erasure, de-identification, re-identification, and anonymisation.
The 2022 Ponemon research pegs insecure biomedical and mobile devices, employee negligence or error, and cloud and business email compromise as the top healthcare cybersecurity threats. Biomedical devices were built with the mainstream, then-latest operating systems at the time of purchase; those manufacturer operating systems are now outdated and unsupported. So, for devices that are within their useful lifecycle and still viable, no patches are available to address vulnerabilities. Unwieldy US FDA 510(k) norms and the 2016 revised guidelines made it expensive for biomedical device manufacturers to patch all their older devices. Fearing the inherent risk of system failure, these companies restrict healthcare IT teams, whom they regard as untrained, from upgrading software or applying patches. Because biomedical devices connect to the IT network dynamically, healthcare IT teams struggle to get visibility of the devices, their vulnerability status, device forensics, and utilisation. Healthcare CFOs ignore security vulnerabilities and do not want to replace useful, money-making biomedical devices worth millions. Moreover, devices in oncology, pharmacology, and laboratory departments run older versions of the Windows operating system. Besides, almost three-quarters of IV infusion pumps have vulnerabilities that could threaten patient safety if exploited, not to mention the risk posed by insecure passwords.
Five-point solution recommendation
- An integrated Indian Digital Personal and Health Data Protection Framework should have a privacy-by-design core; strong overarching rules to preserve the interoperability architecture; a phased implementation and communications plan (in English and any Eighth Schedule language) for seamless on-boarding; healthcare inclusion and e-governance integration timelines that balance capability and cost; citizen service-level definitions for controllability and observability; and continuous improvement through an amendment operations methodology (like the RBI Regulatory Sandbox).
- Although the definition of "Critical Information Infrastructure" in Section 70 of the IT (Amendment) Act, 2008 covers "incapacitation" leading to a "debilitating impact" on "national security" and "public health", healthcare does not figure prominently under the National Critical Information Infrastructure Protection Centre. Consequently, an Information Sharing and Analysis Centre for healthcare does not figure under the Computer Emergency Response Team-India. Moving "Public Health" from the State List into the Union List and integrating healthcare as National Critical Infrastructure will instantly incorporate the Chief Information Security Officer's function into organisations' fabric, scale the adoption of relevant technologies and the cybersecurity posture, inculcate cybersecurity best practices across the healthcare triquetra, and integrate healthcare into strong overarching regulations and Digital Personal Data Protection guidelines.
- Efforts to build a national protected database of longitudinal PHI records are underway via the Unified Health Interface, linked to the Electronic Health Record Standards-2016 and the Telemedicine Guidelines-2020. An all-round acceleration programme can catalyse the integration of these fragmented efforts. Adequate technology and regulatory guardrails can minimise illegitimate processing of the mammoth patient and entity behaviour data, and can regulate the discoverability of PHI records at critical junctures.
- Urgent vulnerability assessments of IT, Internet of Things (IoT), and biomedical devices across the entire healthcare ecosystem need to be conducted, and patching of outdated operating systems and open IoT vulnerabilities by biomedical equipment manufacturers within fixed timeframes needs to be enforced through the legislative process. Smartphones or tablets for capturing real-time data and desk-side devices for data processing and analytics must have endpoint protection solutions such as anti-virus, Endpoint Detection and Response, Mobile Threat Defence, and enterprise mobile device management. Cloud adoption, with data encryption with salt and pepper, adaptive access controls, and cloud identity management, needs to be bolstered with a Zero Trust framework.
- To improve cybersecurity response preparedness, monitor negligent or malicious insider behaviour, and boost stakeholders' awareness, the NHA can cross-pollinate resources from the Ministry of Home Affairs' Cyber and Information Security division and the private sector.
Conclusion
To make India a Global Medical Value Hub with "Heal in India, Heal by India", we must create sustainable and equitable health for present and future generations, and maintain preparedness for health emergencies. Indian healthcare urgently needs "Heal for India". Timely risk and threat assessments, their mitigation, and harmonious interoperability of healthcare technologies across all healthcare entities will increase anomaly visibility, improve decision-making, and engage user involvement. An inclusive and engaged whole-of-society approach will strengthen Indian healthcare's cyber-resiliency. Encouraging energetic participation by stakeholders from related public and private sector organisations and civil society in sharing cyber threat information and in evaluating laws and regulations can bolster business continuity in the availability of crucial healthcare services. Creating a network of sponsor organisations can accelerate grassroots integration with all its complex layers and cross-pollinate cyber-hygiene into them, thus boosting healthcare inclusion and e-governance. Indian healthcare will then be able to withstand cyber-shocks and recover quickly after adverse cyber disruptions.
The views expressed above belong to the author(s).