The Indian healthcare system today is the second most attacked system in the world. The presence of sensitive data regarding patient health and personal information makes it a lucrative target for threat actors.
The surge in ransomware attacks, phishing, and data breaches is poised to become a greater concern. The threat actors have become more sophisticated, targeting vulnerabilities in connected medical devices, exploiting weak security practices, and capitalising on the increasing digitisation of health records. Moreover, the emergence of the dark web has facilitated the sale of stolen healthcare data, further intensifying the risks faced by the sector.
There have been quite a few ransomware attacks in the healthcare sector which did not encrypt the system, but solely focused on stealing sensitive data. With customer data at stake, this can result in severe data breaches. The attackers often get in through phishing email attacks where users disclose their credentials, or through known unpatched vulnerabilities, especially in some of the older equipment in hospitals.
These threats have evolved to be more automated and sophisticated, allowing attackers to target sensitive patient data and exploit the interconnectedness of healthcare systems.
“The nature of attacks has moved from pure brute force attacks, targeting the perimeter and end points to more social engineering attacks through phishing, spear phishing as well as ransomware attacks. Key executives have been targeted through whaling attacks as well, which are targeted towards key executives like CEOs, founders, senior doctors, or board members,” says Dr. Vikram Venkateswaran, Partner – Risk Advisory, Deloitte India. He also points out that healthcare professionals, including doctors, nurses, and R&D professionals, among others, were not well-versed in the threats. This lack of awareness made it easier for threat actors to succeed, although this scenario is currently changing.
Most healthcare organisations have started responding to these attacks in various ways. Today, we see Indian healthcare systems proactively engaging in cyber defence, by deploying new technology to strengthen defence, investing in human capital to bring in talent that can help with security posture, partnering with organisations and product companies that can help them improve their cyber security maturity, and evolving and putting in place processes and procedures to improve cyber posture. In addition, investments are being made in areas like cyber awareness training with many organisations making it a mandatory part of their learning and development program and an integral part of the annual assessment cycle for employees.
“We do see many of them getting started on their journey of certifications like ISO 27001:2022. We also helped many organisations to achieve that milestone. We have seen an increased interest in ISO 22301:2019 which deals with IT business continuity,” says Venkateswaran.
Healthcare organisations have initiated partnerships with others to develop security operations centres that monitor their traffic and identify threats. Proactive programs like threat hunting and brand monitoring have also been preferred. It is interesting to note that brand tampering by threat actors is usually a precursor to a cyber-attack, so brand monitoring is a good example of how healthcare organisations are becoming more proactive. These initiatives are being taken keeping in mind the requirements from CERT-In to report cyber incidents within six hours, and new requirements under the Digital Personal Data Protection Act, 2023, which require the organisation to take measures to identify sources of data, take consent and manage the use and eventual destruction of data as per the guidelines given by the government.
“Investments in advanced IAM technologies are becoming paramount, encompassing robust authentication methods, privileged access controls, and continuous monitoring of user activities,” says Pramod Bhaskar, CISO, Cross Identity. These measures align closely with regulatory changes and compliance requirements, as regulations like HIPAA increasingly emphasise the importance of secure user authentication, access governance, and audit trails in safeguarding patient information. Many are also leveraging AI and ML for predictive analytics to identify potential threats.
“Extensive training and education to ward off the cybersecurity challenges effectively is essential and might be considered as a good first step to challenge the cybersecurity risks,” says Prateek Bhattacharya, CISO, Liventus Inc. “These training programs are focused on enhancing the overall awareness and understanding of the potential threats, best practices for data protection with the knowledge of the policies and procedures for responding to security incidents effectively,” he adds.
He also recommends that these training materials be bite-sized, with funny gamified modules, while still covering essential topics such as recognising phishing attempts, securing medical devices, understanding the importance of strong password practices, multifactor authentication, and when, how and to whom to report security incidents. Creating and distributing handbooks during employee onboarding that cover topics like essential security hygiene can also be considered. Although creating a “Human Firewall” is a utopian concept, proactive steps can be taken to ensure that the eventual goal can be accomplished over a targeted timeframe.
“Increased awareness helps in early detection of potential threats and adherence to best practices in data handling, playing a key role in protecting patient data and maintaining system integrity,” says Candid Wüest, VP – Cyber Protection Research, Acronis. “Everyone is aware that privacy is important, but humans still make mistakes. Educated healthcare professionals are critical in maintaining patient trust by demonstrating commitment to safeguarding sensitive health information,” he adds.
Industry stakeholders are preparing to address potential threats and challenges by anticipating the impact of emerging technologies and trends on the future of healthcare cybersecurity. The incorporation of Generative AI in cybersecurity introduces additional complexities, particularly evident in recent applications involving the creation of social engineering content.
Traditional methods of identifying phishing attempts, such as detecting bad grammar or misaligned paragraphs in emails or texts, are becoming less reliable as Generative AI can rectify these mistakes, making phishing content appear more authentic. This technology enables malicious actors to craft content in the official font and writing style of a company’s management.
Generative AI is also employed to generate malicious code that empowers threat actors. Such code is used to infiltrate critical applications and infrastructure, establishing a framework for threat actors to encrypt data or extract vital information from the system. Also, the use of advanced technologies like quantum computing poses additional threats, allowing adversaries to target organisations simultaneously at various points.
So, while the threat actors continue to work with emerging technology, healthcare organisations have also started using technology for cyber defence. Most organisations have started working with UEBA (User and Entity Behavior Analytics) to detect anomalies in traffic to preempt cyber incidents.
“The focus of industry stakeholders is slowly shifting from reactive firefighting to proactive resilience building. Instead of scrambling to contain breaches, stakeholders are moving towards investing in proactive threat monitoring, vulnerability assessments, and robust incident response plans,” says Mahesh Gharat, Head – Cybersecurity Practice, CitiusTech.
“The current thinking is to adopt a zero-trust approach with heavy focus on digital identity. This is specifically useful in hospitals where we have a large workforce that carries out many tasks with access to key systems like the Health Information System (HIS),” says Venkateswaran. “Zero-Trust challenges traditional cybersecurity principles by questioning the assumption of trust for all individuals with internal access in an organisation, where many individuals in healthcare organisations have access to sensitive data. Using Zero-Trust reduces the risk of losing data as the users have limited privileges,” he adds.
Bhaskar suggests that advancements in technologies such as blockchain for secure health data exchange, AI-driven threat detection, and the Internet of Medical Things (IoMT) are expected to have an impact on the future of healthcare cybersecurity. Industry stakeholders are preparing by engaging in research and development, partnering with cybersecurity experts, and taking part in information-sharing initiatives. Additionally, proactive measures involve the creation of cross-industry partnerships to stay abreast of evolving cyber threats and to enhance the resilience of healthcare infrastructure in the face of emerging challenges.
The healthcare sector is also focusing on adapting to trends like telemedicine, which require new security protocols to protect remote interactions and data exchanges. Stakeholders are collaborating with cybersecurity firms to stay ahead of potential threats while enabling compliance.