
HealthTechX Asia

Cybersecurity strategies in the age of connected devices and data integration

Cindy Peh

Mr Pradeep Saha, Group Chief Information Officer of Medica Hospitals Pvt. Ltd., shares his thoughts on safeguarding networks, systems, and data amidst rising threats

Pradeep Saha, Group Chief Information Officer, Medica Hospitals Pvt. Ltd.

Cybersecurity cannot be fought alone or only with tools; it can be handled only by creating significant awareness among relevant stakeholders within the healthcare sector, and this should be the starting point to achieve cybersecurity together.

Digital technology adoption in healthcare has brought several challenges, of which cybersecurity is the main concern. Cyber threats are extremely costly to deal with. In healthcare, endpoint leakage, user authentication deficiencies and excessive user permissions are the main vulnerabilities. These three vulnerabilities are common and yet put healthcare organisations at risk of being compromised.

To illustrate how challenging it is for hospital CIOs to handle cybersecurity:

A typical healthcare organisation will have applications hosted in disparate clouds.

Real World Scenario 1:

Hospitals run applications with disparate cloud providers, e.g.:

  • HIS (Hospital Information System) – Core module which shares data with all other applications through open APIs. This very often gets hosted in private clouds.
  • CRM (Customer Relationship Management) – This gets hosted with public cloud service providers (e.g. AWS).
  • ERP (Financial Accounting System) – Gets hosted with another public cloud service provider (e.g. Azure).
  • HRMS (Human Resource Management Services) – Gets hosted with a public cloud service provider (e.g. Azure again, but in a different data centre).
  • Email system (Google Suite) – Hosted in Google.

There is continuous (24x7) data exchange between all these applications through open APIs.

While the cloud service providers assure the safety of data in their respective data centres, it remains a challenge for CIOs to mitigate the risk of connecting all applications across disparate data centres for their internal users. More exchange of data means more user access, and hence more risk from vulnerabilities. Strong firewall policies are required to handle this.

Real World Scenario 2:

A cyber attacker gains access to a care provider’s computer network through an email phishing attack and takes command of a file server to which a heart monitor is attached. While scanning the network for devices, the attacker takes control (e.g. power off, continuously reboot, etc.) of all heart monitors in the ICU, putting multiple patients at risk.

To mitigate this risk, the tools being used are: IPS (Intrusion Prevention), IDS (Intrusion Detection), web filter, application filter at the first level (firewall), and application filter at the second level (server).

Doubling down on data security and privacy

The integration of the “Internet of Medical Things (IoMT)” has made data management systems more vulnerable. IoMT devices pose threats in terms of compromising data security and privacy.

Meanwhile, ransomware attacks are the most common cybersecurity issue in healthcare. Reports reveal that the healthcare sector faced the most ransomware attacks. Software vulnerability exploitation, phishing attacks and Remote Desktop Protocol (RDP) have emerged as the most common attack methods of ransomware in healthcare. This indicates the gravity of the problem.

Data privacy and protection are fundamental rights of an individual. Information collected by healthcare organisations often contains patients’ personal details along with medical information, and a data breach risks all that information being compromised, which certainly hampers the overall purpose of digitalisation within healthcare.

Considering this, the need for effective data protection in the healthcare sector is clear. “Electronic health records (EHRs)” are a typical digital tool which allows patients to access necessary medical information as per their needs. Service providers can also share important patient data through “health information exchanges (HIEs)”. However, this process comes with inherent data security risks. Patient records in EHRs contain details related to their medical history, social security number, treatment and insurance or payment information. Access to the system is directly beneficial for cyber criminals or hackers.

The Data Security Act is well taken care of by the professional service providers; however, it is often neglected by hospitals. None other than IT has to take ownership of educating management and internal customers about the potential risk and loss.

Therefore, the starting point to fight cybersecurity together is gathering such information and creating significant awareness among relevant stakeholders within the healthcare sector.

About Pradeep Saha

A technocrat with over 40 years of extensive experience in setting up and heading the development of Hospital Information Systems, IT infrastructure, IT strategy and operations, project management, networking, systems administration and security, mainly in the healthcare domain.
