Cyber Attacks – Safeguarding the Future of Healthcare
There is an urgent need to safeguard personal health information (PHI) and other non-public data with each passing day. While recent developments shine an unsettling public spotlight on healthcare crime, to security experts in the industry, the concern goes far deeper than the mainstream news. A vast number of breaches aren't even reported. In fact, 80% of medical record thefts remain unnoticed for months, and sometimes years, says a report.
By: Neelam Jhangiani
Few industries across the globe need strong cyber security as much as the healthcare industry. The sector is one of the biggest targets for cybercriminals. While some organisations are committed to patient privacy no matter what it takes, most healthcare organisations are behind in terms of cyber security adoption and advancement. Compared to most other major sectors, the Indian healthcare sector is lagging behind in cybersecurity investment. However, with the growing spate of cybersecurity incidents globally in the healthcare sector, there is a heightened realisation amongst Indian healthcare service providers of the need to secure their critical data, especially against the increased number of ransomware attacks. Healthcare security breaches are making headlines with escalating frequency. Consequently, there is an urgent need to safeguard personal health information (PHI) and other non-public data with each passing day. While recent developments shine an unsettling public spotlight on healthcare crime, to security experts in the industry, the concern goes far deeper than the mainstream news. A vast number of breaches aren't even reported. In fact, 80% of medical record thefts remain unnoticed for months, and sometimes years, says a report.
Data theft or leakage is the most common cyber attack wherein patient data and other critical information is compromised. "In the past one to two years, ransomware attacks have escalated drastically, for example the Britain NHS faced a ransomware attack and all systems were locked out," says Prashant Akhawat, Chief Operations Officer, Telerad Tech Pvt Ltd.
Furthermore, he adds that multiple instances of patient data theft or pilferage have been seen over the years, specifically because BYOD (Bring Your Own Device) policies, improper privileges for employees, non-compliance with security practices and inadequate training on information security are creating gaps which, in turn, lead to cyber security risks.
Cyber risk in healthcare is driven by three main factors, says Dr. Vidur Mahajan, Associate Director, Mahajan Imaging:
Rapid Digitisation – The fact that most healthcare data is now in digital format, saved on servers either within the premises of healthcare organisations, or on the cloud, makes it vulnerable to attacks from anywhere in the world.
Rise of patient-centric platforms – While the convenience of being able to view their healthcare records from anywhere in the world through the internet, is a great service to provide to patients, it also makes the same health record vulnerable to attacks/theft given that records now come onto the public domain. There are many start-ups that are working in the service aggregation field and/or in the field of data storage/organisation and the sheer presence of healthcare data with multiple stakeholders make it more vulnerable to attacks.
Lack of guidelines/standards – There are no cyber-security guidelines for the management of healthcare data that organisations need to comply with. Most companies either define their own guidelines or follow those in the West.
All industries dealing with digitised data are at risk of cyber threats. With the increasing digitisation of healthcare, this industry too faces similar risks. Electronic health records that contain comprehensive information about patients' medical histories are a key element of the digitisation of healthcare. These records make it possible for doctors, hospitals and insurance companies to easily share data with each other whenever needed. Understandably, these records are confidential and contain sensitive information. With digital systems becoming vulnerable to cyber attacks, the security and privacy of these records are threatened. Individual medical devices, which are being used to store and track health data, also come under threat. Despite being a rich source of important data, the healthcare industry has traditionally been underprepared to face these risks. "Make no mistake, digitisation of healthcare holds a lot of potential to improve healthcare delivery and clinical outcomes," Dr. Devendra Kumar Punia, Corporate Head - Information Technology, Paras Healthcare says. However, it is very important for the industry to bolster its security against cyber attacks. It is critical to patient safety as well as trust. Another cyber security threat faced by healthcare facilities arises when hospital systems are compromised, which prevents the proper functioning of a hospital and poses a serious threat to the lives of patients. Cyber security issues can have a heavy financial and reputational impact on hospitals and other healthcare institutions.
Healthcare transformation invites risks
The healthcare industry has been going through a major transformation from paper to paperless over the last few years. Data which was not captured previously is now being captured either electronically or by scanning. Healthcare analytics is now in high demand as clinical data is widely used for preventive and predictive analysis of a patient's health. As the healthcare industry does not have a standard hospital information system (HIS) application, a lot of other modules and equipment are either interfaced or integrated with the core application, which increases the risk of data leakage.
With the advancements in embedded technology and the Internet of Things (IoT), multiple medical devices are getting connected to the mainstream network in an unsecured way. Cyber attackers are trying to exploit medical devices and modalities such as MRI machines, ventilators and X-ray machines, as well as implanted heart defibrillators, pacemakers or any other IoT device. The risk will eventually grow because the tendency of an innovator is to first come up with breakthrough technology, while security is seen as the last step to implement.
Handling internal and external threats
The healthcare industry is plagued by a myriad of cyber security-related issues from malware that compromises the integrity of systems and privacy of patients to distributed denial of service (DDoS) attacks that disrupt facilities' ability to provide patient care. While other critical infrastructure sectors experience these attacks as well, the nature of the healthcare industry's mission poses unique challenges. For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy.
"With a high demand for real-time data, a lot of bio-medical equipment is connected using Wi-Fi technology, which is also seen as a potential threat," says Gunjan Jain, Co-founder & CEO, Vytal Healthtech Pvt. Ltd., which runs the Vytal app. Imagine a scenario where ICUs are running completely on digital systems and a malware attack disables the entire network of the hospital. Even a few minutes of such a disruption can be life threatening for critically ill patients – these are very scary, but completely possible situations. The threat to the privacy of patients is another clear risk. All patient health data can potentially be hacked and sold to players that can benefit from it. This may include individuals or organisations looking to benefit from confidential information regarding the health of senior corporate or political leaders, or even those looking to steal information for the purposes of marketing their products (for example – a company making a cancer medicine can potentially get a list of all patients having cancer by hacking a hospital IT system). There is a high demand for medical records and personal data in the black market. Critical data access needs to be given to vendors of third-party applications such as mobile apps, and to insurance companies, thereby exposing sensitive hospital data outside the hospital premises. Then there is also the possibility of fraud scams being conducted if the data of insurance companies is hacked and patient information stolen.
Healthcare is pretty vulnerable
Digitalisation in the medical sector has necessitated the distribution of patient information to not only doctors but also authorised employees, agents and contractors. This has made the sector one of the most vulnerable. According to a study, about 90% of healthcare organisations have suffered at least one data breach in the past two years. The main cause identified in all these cases was criminal intent; unlike most credit card data breaches, these cases were not immediately identified. The cost of all sorts of breaches in the healthcare sector is around $6 billion per year. Consequences of cybercrime within the pharmaceutical and healthcare industry go beyond the obvious financial damage. "While digitisation is a must for an economy to be efficient, lack of thought-process and investment in security modelling is posing a major security risk," says Ms. Jain. It is therefore imperative for an organisation to invest in security threat modelling of digitisation projects in the initiation phase rather than in the conclusive phase.
Digitisation has led to many more accounts being available online, as many more people now save their prescriptions, MRIs, X-rays and other healthcare records on the cloud; as a result, hackers try more sophisticated means to break in and steal this information. "Irrespective of the dangers associated with it, there's no way digitisation can be stopped in today's scenario," says Mr. Deen Sulbigar, Technology Director, Columbia Asia Hospitals. Obviously, the more you connect to external systems and the more digitisation happens, the greater the chances of cyber threats. Digitisation doesn't just mean turning medical records electronic; it also heralds an entirely new way of providing medical care. In India though, we are only beginning to tread this path. Internet-based consulting with remote patients, multi-cloud IaaS and SaaS environments, and connected medical devices make for a major source of information for data thieves. "However, lack of preparedness on the part of the healthcare industry is the reason why we are witnessing more cyber attacks as against other sectors," Dr. Punia says.
Safeguard against cybercrimes
First things first – creating a fool-proof security mechanism and following strict cyber hygiene is the only way to safeguard against cybercrimes. Apart from putting in place a robust cybersecurity system that covers the entire network, including cloud-based storage, regular audits must be conducted to check the effectiveness of the system. All data must be encrypted and protected by strong passwords that are changed regularly. Caution must also be taken during the disposal of old hardware, which contains sensitive information. Employing threat intelligence is also important to identify possible vulnerabilities and patch them.
At Paras Healthcare, cyber risks are taken very seriously and the organisation ensures its networks are regularly audited and checked for vulnerabilities. Likewise, other major facilities also keep a check on cyber threats to protect their systems and data from hackers. "Threat Modeling Exercise is the most critical activity in our design," says Mr. Akhawat, "we design and configure our network right at the first step with requisite security measures, which prevents us from security threats against confidentiality, integrity or availability."
As a part of its security policy, Telerad plans security audits of servers and infrastructure on a regular basis, with a constant watch on threat exchanges. Its measures include vulnerability assessment and penetration testing, BCP/DR plans, mock drills, regular upgrades and security updates, secured firewall policies with IDS/IPS/WAF implementation following the principle of least privilege, high availability clusters with snapshots, third party connectivity through TLS/VPN tunnels, end point protection with data leakage protection (DLP) and hardening of servers. DoctorInsta (a physician consultation app), meanwhile, uses double encryption in addition to having strong security protocols on the front end and back end. "We use AWS i.e. Amazon Web Services, which is the most protected cloud services available in the world and they have their own encryption mechanism against any such data breakage and data leak," says Amit Munjal, Founder & CEO, Doctor Insta.
Columbia Asia follows the same protocol as any other critical industry in terms of putting in place network security or the right software for protection of data, or training employees internally to handle sensitive data. Vytal has also invested in a leading secure cloud infrastructure. Its employees cannot access patient data or clinic data. Its staff is also trained for transcription services and handling confidential information, particularly patient data.
Regular audits play an important role in checking for potential breach points at Mahajan Imaging. Some of the steps they follow are: strong password protection, as the easiest way for a targeted attack to happen is by simply guessing your password; investment in a Virtual Private Network (VPN) system, which all IT companies use; dedicated networks (do your patients, front office, billing officials and medical techs need to be on the same network? The answer is generally no); and strong backups. No, that external drive that you are using is not a backup. Think about getting a proper backup system in place. "We have had 3 ransomware attacks and have dealt with them without a glitch simply because we had appropriate back-ups in place," Dr. Mahajan informs. There are free (K-Replicator, Robocopy) and paid (Retrospect) options that make the process very easy.
What does the law say?
The technology landscape is changing the way industry works, and cyber criminals are more knowledgeable and well equipped with cyber-weaponry. The frequency of ransomware attacks has increased in the last 2-3 years and is going to increase further. These are more sophisticated malware attacks, which do not require elevated administrative privileges to exploit; they make files inaccessible, and the user is later asked to pay a "ransom" to regain access to their files. Lots of confidential information is available on search engines, including patient details as well as personal identification numbers, which is a major threat. There is a constant need to revisit laws in the changing landscape, with stringent measures and controls, as this is damaging businesses.
Stringent laws will definitely deter cybercrime, but at the same time it is important for the government to create awareness of cyber security risks and facilitate training for organisations against the latest cyber security threats. "Where a normal crime can have a singular impact, cybercrime has a mass impact affecting millions of people at the same time," Mr. Sulbigar says. For example, data theft can affect a million patients at the same time; similarly, if a system stops functioning in a hospital, the lives of many patients can be put at risk. Thus, law and punishment should be commensurate with the severity of the crime. "Law against cyber crime has to be much stronger and speedy justice needs to be delivered to deter potential hackers from committing similar crimes," says Mr. Munjal. Last but not least, there is a need to develop laws that govern how data should be stored and protected – if I don't lock my house, who do I blame for theft – the thief or myself?
Cybercrime is already a major threat today and it will only increase with the latest innovations: embedded technologies, connected devices, IoT, medical robotics, large scale digitisation of healthcare, artificial intelligence and computer aided detection. The only way is to identify possible cyber risks at the design stage and mitigate the risks before they can become threats. Experts in the industry stress the need to come together and take appropriate steps. Hospitals (big and small), diagnostic centres and clinics should speak to IT companies (HIS, RIS, PACS) and work together to make common guidelines on how to tackle this menace. Only if all stakeholders work together will they be able to produce any meaningful results whatsoever.
Apart from strengthening cyber security, it is also important to maintain safe and unconnected backup records for all data so that if your network is compromised your data is still safe somewhere. The other important aspect is your people, says Mr. Punia: continuous sensitisation about the cyber threat, and preparedness to deal with it and protect your infrastructure, is essential for ensuring the security of your organisation. People at large have to be cognisant, as at times they may create passwords that are very easy to break; it is therefore important to ensure that passwords are reasonably strong and that this private, confidential information is not shared with others. The stronger the system is, the fewer the chances hackers have to break into the platform and steal information. "The healthcare industry being way behind as compared to the other industries like BFSI, FMCG and manufacturing, a lot of awareness with regard to data privacy and security should be created amongst all the users in the healthcare industry," Ms. Jain opines. Government should also focus on standardisation of data so that data can be easily exchanged and managed across the healthcare industry.
Increased levels of investment in cyber security are urgently needed across the healthcare industry in order to provide the expertise and resources required to prevent compromises to patient safety and security. Healthcare, which has traditionally lagged behind other industries in this area but arguably has the most at stake, must be at the forefront of this change.
Cyber security improvement in healthcare isn't going to occur overnight and is going to take ongoing commitment, by many organisations working together, for patient protection to improve. Even basic practices, like better informing staff members about potential scams and the importance of changing passwords regularly, can go a long way toward healthcare organisations better securing their networks.
It's time we started investing in cyber security for a brighter future of healthcare services in our country as well as on the global front.
The Flying Drones
Drone delivery of medical products is the next thing in health tech
By: Neelam Jhangiani
Providing communities with essential healthcare is no easy task. Medical professionals, from emergency responders and third world aid workers to time-stressed staffers in large hospitals, face a host of challenges every day, challenges that unmanned aircraft systems, or UAS, can help overcome.
Drones or unmanned flying robots have come as a big saviour to healthcare professionals especially in rural areas with poor infrastructure and where the nearest clinic or doctor is miles away. At times when natural disasters or unrest can cut off supply routes, drones can deliver medicines, vaccines, and disease diagnosis materials. This way people can receive the care they need without travelling to see a doctor.
Drones offer a variety of exciting possibilities to the health care industry, possibilities that help save money as well as lives as they make it possible to deliver blood, vaccines, birth control, snake bite serum and other medical supplies to rural areas. They have the ability to reach victims who require immediate medical attention within minutes, which in some cases could mean the difference between life and death. Furthermore, drones can transport medicines within hospital walls and courier blood between hospital buildings, as well as give elderly patients tools to support them as they age.
Drones are going to decrease the reliance on human beings that provide care and decrease the cost of assisting people. Being able to cross long distances at faster speeds to deliver blood products and lab samples also is a huge benefit. Now transporting blood products between hospitals, for example, involves vehicles which are prone to accidents and delays. Drones can help decrease those incidents.
The opportunities are there, and therefore researchers, manufacturers and non-profit organisations are looking at UAS to provide applications that boost efficiencies and improve medical outcomes, as in countries like Rwanda. The government of Rwanda recently changed their aviation regulations to permit drone operations as they learned of the benefits of drone technology.
Back home, researchers at the Indian Institute of Public Health, Hyderabad (IIPH-H) are working on a drone delivery system for medical products, which is expected to be time and cost effective. The Digital Drone-based Real-Time Advanced Medical Modular logistics system (2 DREAM) model envisages delivering medical products on a drone. India too has remote areas that are regularly deprived of essential services and are stranded during heavy rains or natural disasters, the very recent one being the Kerala floods. The ability to use drone technologies for medical deliveries would be invaluable. Some of these drones are changing the face of rural healthcare on global and domestic front.
ZipLine Drones (Rwanda)
Zipline is a California-based start-up that started flying commercial drones to ship medical supplies from a distribution center in Muhanga, Rwanda, to 21 hospitals throughout the country. Zipline attempts to air drop the package within 15-30 minutes, cutting time on deliveries that take hours to complete by car. Medical staff from remote locations can use text messaging to order supplies.
According to reports, the drone flies to the clinic at up to 60 mph and when it is within a minute of the destination, the doctor receives a text. The drone then drops the package, attached to a parachute, into a special zone near the clinic before returning to base.
The work in Rwanda has shown the world what's possible when you make a national commitment to expand healthcare access with drones and help save lives.
Flying Labs (Nepal)
A global network of Flying Labs is being co-created by WeRobotics, a non-profit organisation to bring drones and other robotics to local partners in distress or developing countries. In Nepal's Himalayas, journeys to health clinics take almost five hours. Hence, their first lab was recently launched in Nepal. It's called Nepal Flying Labs. The lab has a local co-ordinator. Their local partners include Kathmandu University, NAXA and Medair. They want multiple technology companies to participate in the labs in order to build local infrastructure. Cuyo and the Philippines are also potential sites.
Researchers at the Indian Institute of Public Health (IIPH) in Hyderabad are testing drones to deliver drugs on a pilot basis. They are testing a drone at a primary health centre (PHC) in Hyderabad. The IIPH researchers want to use the drone for chronic patients who need a regulated amount of non-emergency medicine every month. The drones can transport the drugs from a central warehouse to the health center. Further transportation will take place to sub-centers and finally to patient homes. One drone can currently lift just 500 grams. Phantom is manufactured by a Chinese company, Da-Jiang Innovations (DJI).
National Programme for Micro Air (India)
A Rs. 100-crore National Programme for Micro Air is a project that will use drones to deliver hearts and other vital organs. It will cut time by more than 50 percent. It is being developed in Bengaluru. The drone will be regular sized and it will only fly as high as 500 feet so as not to violate no fly zones.
Regulating drone technology
Drone technology has overwhelming potential; however, there are still many practical challenges associated with implementing and realising medical drone deliveries. Regulatory hurdles are the most significant challenge to the use of drones. While some countries like the US or Canada limit drone use to operator line of sight, our country has completely banned drone flights. More progressive countries such as the United Kingdom, Sweden and Rwanda have relaxed regulations and are issuing drone delivery permits on a case-by-case basis. The majority of regulations on drone technology are based on safety concerns. It is important to regulate drone flight to respect traditional airspace rules and avoid areas such as airports and military bases. Drone crashes, especially near highly populated urban areas, represent another safety concern. There have already been drone-related deaths in both the US and UK and, historically, the crash rate for drones has been much higher than for traditional aircraft. However, significant efforts by major corporations and appeals to more progressive international legislation are likely to make way for further drone delivery operations. At the same time, continued advancements in drone technology will help to reduce safety concerns. For example, it is believed that autonomous flight is significantly safer than human-piloted flight, due to an increase in reaction time. Further advancements in collision avoidance and self-stabilisation measures are likely to reduce the chances of a crash.
The future for drones
Other than the technological advances in drone delivery, more operational research is needed to develop mathematical models and decision support tools that can help EMS providers determine how to best implement a medical drone network. Also, research is needed to investigate the economic feasibility of drones and determine their cost-effectiveness for various medical applications. After implementation of medical drone projects, large-scale medical trials will be required to prove that drones can truly impact population-level survival for time-sensitive medical emergencies like OHCAs and road traffic accidents. Lastly, research is needed to determine how to best integrate drones within the current EMS framework. Surprisingly, there is almost no scientific literature on any of these topics. Apart from technological or scientific advancements, widespread educational and awareness campaigns should accompany drone projects to inform people that medical drones, indicated perhaps via lights, sirens, or colour, are life-saving devices and should not be tampered with. For example, in the US, there have already been multiple incidents where citizens have shot down drones flying over their property. Looking ahead, all of these challenges are within our control and provide new avenues for scientific discovery, especially in fields related to drone technology and operational implementation. Drones may hold the key to solving some of the 21st century's most pressing health challenges. The future of drone technology will be limited only by our imagination.