Q. Given your important assignments for the Government of India in the past, share with us the big picture. What are the trends you see in terms of cybercrime and threats for 2019?

The world is getting more connected and technology has seeped into every aspect of our lives. On one hand, these advancements make our lives easier and on the other bring a lot of vulnerabilities with them if security isn’t strong enough to tackle cyber criminals. Hackers today are well-educated and have the capabilities to develop new methods and tools to exploit the vulnerabilities on the computer systems and networks. Few do it for their academic interest and thrill and inform the person concerned about the vulnerabilities so that the same can be plugged. They are known as white hat hackers. While the others do it with malice and self-gain and are known as Black hat hackers.

To gain access to the computer systems, the cybercriminals and hackers will continue to deploy already existing tools (called as exploits) with enhanced capabilities. More advanced tools will be also be developed in the coming years. Some of the important ones are enumerated below:

1. Chatbots: There will be extensive use of machine learning techniques (Artificial intelligence) in the near future. A Chatbot can be injected into the important website (for example, a banking site). Chatbot in the form of a man or woman would pop up on the screen and will start interacting with the user (like what we see the google assistant doing). Then it may misdirect the customer to a nefarious link similar to an actual banking site, thereby fetching important information from the customer and compromising his banking information.

2. Bot and botnet: The hackers have been successful in remotely taking control of the hacked computer systems. Such a system is known as a bot. The hacker can remotely misuse a machine (using computing time or other resources) without the actual user being aware of it. If there is more than one compromised device, then it is called a botnet. Botnets can be put to perform some distributed function viz, crypto jacking (mining bitcoins) or distributed denial of service attack.

3. Discover and target organizations outside the firewall: Most of the commercial organizations deploy firewalls, intrusion detection systems, and intrusion protection systems; thereby making hacking difficult. But they use the third-party software, which may be having vulnerabilities. Hackers can attack the third-party systems used by commercial websites.

4. Injection Attack: Protective systems installed on computers look for malicious files to detect cyber-attack. The injection attack is filed less; the hacker directly inserts the malicious code in the memory, thereby compromising the machine, without ever dropping a file onto the infected system. One such example is British Airways site hack in 2018, resulting in identity theft of around 3,80,000 users.

5. Biometric Hacking: Cybercriminals use brute force attack, dictionary attack or social engineering, etc., to crack the passwords. Many people have shifted to biometrics. The academic research suggests that a number of officers print authentication systems could be spoofed, even highly sophisticated facial recognition system has been proven vulnerable to more advanced hacking efforts.

6. Application of artificial intelligence: Artificial intelligence techniques will be used more and more to avoid detection by intrusion detection tools. For example, Waterminer, a cryptocurrency mining tool injected as malware, stops mining when task manager or antimalware scan is run.

Also Read:
Social Isolation in a Digitally Connected World
Sweden-India Collaboration in Health Sector

7. Rouge AP(access point) and Evil Twin: Rouge AP is an access point installed on the network without the knowledge of the administrator, while the evil twin is identical network.

The above-mentioned techniques will be sharpened to attack numerous utility services (some of which are listed below) by the black hat hackers for malicious purposes:

A. Internet of things(IoT): the Considerable number of smart gadgets (such as TV, plugs, IP cameras, smartphones, tablets, network video recorders, heaters, refrigerators) are used at homes and industries. When these gadgets are connected to the Internet, they are termed as the Internet of Things. The hackers will increase their attacks on IoT using a vulnerability in cloud infrastructure and hardware to threaten the users physically or mentally.

B. Attack on identity platforms: Identity platforms offer centralized secure authentication of users, devices, and services across the IT environment. It could be a database of banks, hospitals, social media sites, etc. Identities of a large number of persons would be attempted to be stolen for extortion, impersonation or proving the inadequacy of the commercial organization in securing the important data (so as to blackmail).

C. Real world damages: There will be more and more attacks on services providing community services viz, municipality, health sector, electricity supply, water supply, and sewer systems. Besides the cybercriminals, who would use such hacking for ransom, terrorists and even nations can use it against public or adversaries.

D. Social media content compromise: There will be increased use of Botnets to compromise social media to influence public opinion.

Q. Being a healthcare publication, our readers would be interested in healthcare-specific cyber threats. What is your opinion on the health sector threats?
The health sector offers life critical services. It maintains the identity and clinical records of a large number of patients. The following factors make the health sector more vulnerable as compared to the other sectors.

• IoT (Internet of Things) devices are used extensively for the treatment of the patients viz. smart continuous glucose monitoring, connected inhalers for asthma, apple watch Identity platforms offer centralized secure authentication of users, devices and services across IT environment. It could be a database of banks, hospitals, social media sites, etc. PERSONA THEME TRENDS WELL-BEING ISSUES RESEARCH NEWSCOPE app that monitors depression, etc.
• The doctors and patients can connect external storage devices and even mobile phones to the hospital database system.
• Third-party software and hardware are deployed which makes it vulnerable to supply chain poisoning.
• Most of the services provided by the hospital are connected through the Internet or the cloud services.

Clinical data is of immense use for cybercriminals and cyber terrorists. They can use vulnerabilities in cybersecurity in the following ways:

1. Identity theft: Medical identity record is very useful for the cybercriminals as it can be used to impersonate people in the digital world and gain access to financial systems as well as to commit fraud by claiming treatment or insurance at the cost of insurance agencies and the patients. Therefore, this data is sold at a higher rate in the darknet as compared to identity records of other sectors.
2. The clinical records of the patients may sometimes contain their psychological disorders or conditions, or a person may be suffering from concealed diseases (sexually transmitted disease, etc). The hacker may make use of such information by blackmailing or harassing the patients. It would cause hardship to the patients and would put the reputation of the healthcare service provider/hospital at stake which failed to protect the patients’ identity and clinical records.
3. Ransomware attacks on hospitals will be on rising. The information of the patients is mostly time critical. If the cybercriminal denies the access of data to the hospital even for a short span of time, it may lead to lack of timely treatment to critical patients and therefore, hospital administration is not in a position to delay the ransom payment.
4. Prescription change: In India, the majority of renowned hospitals in metro cities are computerized. Doctors give online prescriptions which immediately become available to the concerned medical staff, such as a nurse who administers the drug to the patient. Cybercriminal scan tampers the prescription which may harm or even cause the death of the patient. They can cause an obstruction in the oxygen supply line or failure of electricity. They would be able to change the medical records of the patients, which will lead to wrong diagnosis and treatment. Not only cybercriminals but the terrorists can adopt the above techniques and threaten the nations or can even cause large scale fatalities.

Therefore, it becomes extremely important to adequately secure the health sector databases.

Q. The health sector has seen major attacks of ransomware; part of the equation is ‘money aka cryptocurrency’ in organized crime. How do we handle this?

Being proactive about cybersecurity is perhaps the best approach to tackle cyber-attacks. The health sector should form cybersecurity forum for cybersecurity policy formulations and mutually evaluate hospitals’ preparedness against the cyberattacks ensuring adherence to the cybersecurity policies. Additionally, each hospital network should have a dedicated team of IT security professionals to guide the management and proactively check for any cyber invasion. The IT team should ensure that the latest patches for all the devices and software are installed and there is protection from supply chain poisoning. The system should be equipped with features firewalls, Intrusion Detection System, Intrusion Protection system and processes analytical tools among others.

The blockchain techniques can also be explored for data management and the patient databases should be encrypted so that they are of no use to the hacker. Further, the hospitals must take data backup with a fast recovery plan. Regular penetration testing of the system should be done to eliminate potential vulnerabilities.

Hospitals should invest in training IT staff in cybersecurity policies and cybersecurity technologies. Regular analysis should be done of employees’ computer usage pattern so that any compromised user is effectively detected and timely removed from using the system. There should also be a secure access control preferably using biometric features.

Q. Today security has become a hot topic and world over we see that regulation is leading change and innovation! What is your vision for India in regard? What regulations will make the health sector more secure? Or we don’t need regulation?

The cybercriminals attempt to hack the computer resources of the hospitals by exploiting the vulnerabilities in the computer systems. They manipulate the stored information, steal the same or hold it for ransom. The hospital databases work on the trust reposed by patients in the hospital administration that their data will be guarded with privacy.

Cybercriminals can be prosecuted under various provisions of the Indian Information Technology Act, 2000(ITA). The IT Act creates civil liabilities for the offenses under the Act vide Sections 43 to 45, wherein an amount of compensation can be given to victims; it also creates criminal liabilities vide Sections 65 to 74 of the Act. Cybercriminals are liable to both civil and criminal liabilities.

Hospital administration is responsible for protecting the data and failure to protect can result in civil liability under Section 43A of the IT Act. However, this section can be invoked if the breached data results into wrongful loss to the victim or wrongful gain to a cybercriminal. The victim has to prove that there was a wrongful loss to him/her. The offenses by the intermediaries are criminalized under Section 67C of the IT Act. However, the same gets diluted by the provisions contained in Section 79 of the IT Act. Hence, the IT act doesn’t provide absolute data security laws.

The Government of India appointed Justice BN Srikrishna Committee for effective data protection laws in India. The committee submitted the Draft Data Protection Bill, 2018 to the government in July 2018. It will be introduced in parliament after the forthcoming elections in India. The Government of India is also planning to introduce “The Digital Information Security in Healthcare Bill” in the parliament to secure the healthcare data of patients in India.

Q. As the cyber incidents keep rising and legal regime catches up, what is your opinion on our abilities in investigating cybercrime? As you know attribution and audit trail are not the easiest in the cyber world, any advice for stakeholders so that they are not wrongly prosecuted or get justice on time?

According to Section 78 of the IT Act, 2000, a police officer of the rank of Inspector and above is authorized to investigate the offenses under the IT Act. This is to ensure the quality of the investigation. However, all Inspectors in police are not trained in cybercrime investigation. Further, complexities of computer technology, tools, and methodology used by cybercriminals make it difficult even for a trained person to keep pace with the development in this field. Police organizations don’t employ external cyber experts to aid in the investigation. Each police officer investigating the case seeks help from other expert police officers or cyber experts of his/her choice. Therefore, institutional help is lagging.

There is also the dearth of cyber experts in forensic science laboratories, resulting in delays of months and years in getting reports from them which can compromise the further evidence leading from forensic analysis of seized electronic material. During my tenure in the Enforcement Directorate, I found this delay to be of 1 to 3 years, therefore, I initiated six in-house cyber forensic labs. This led to the cyber forensic analysis done at a quicker pace also improving the quality of investigation.

The next hurdle is the global spread of evidence into other jurisdictions. A letter rogatory (letter of request) is sent to each foreign jurisdiction for getting the evidence located in that jurisdiction. The process is slow and it may take 3 to 4 years in getting a reply. If that reply further requires evidence from another foreign jurisdiction then another 3-4 years are gone. Therefore, the entire investigation is time-consuming.

The investigation becomes further complicated if Tor or onion routing is employed by cybercriminals. Finding the cybercriminal in this scenario becomes more difficult.

The IP address (internet protocol) and the time of its use, identify uniquely the source of the attack. However, the cybercriminal may commit cyberattack through Bot or botnet. In that case, the IP address will lead the investigation officer to the slave machine, even though the user of this machine would have no knowledge of the misuse of his computer resources. If the investigating officer doesn’t go into the depth of log analysis of such a system, then the innocent people might have to face false prosecution. The stakeholders should ensure all logs are maintained and stored by his computer system so that the audit trail can lead to actual perpetrator of cyber-attack.

In a recent healthcare conference, the people were unaware when I spoke about how on October 21, 2013, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts. To this, everyone had an issue on accountability. It remains unanswered that who would be liable, the doctor, hospital, company which provided pacemaker or the insurance company. Amidst all this, nobody was concerned about the patient as none present there questioned it. Maybe we are awaiting a major catastrophe to happen to put our minds to work. It is our endeavor to equip the healthcare community to this aspect of digital health.

Cybersecurity is a major concern for patient safety and healthcare infrastructure. The health records, data, hospital information system and individual medical devices are all targets. The vulnerability is in technology and lack of awareness of staff. There are many examples to quote wherein hospitals have become the victim of attacks. A recent audit of a corporate hospital in Delhi by our team revealed that 80% of equipment is vulnerable to cyber attack, thus, risking the patients. Healthcare providers are not sensitized to issue as required hence this magazine is dedicated to Cybersecurity. We have named it Cyber4Healthcare and even launched a training program in the healthcare domain to update knowledge of this extremely important topic. There is an immediate necessity that we invest in staff and equipment to make our systems robust enough to protect them from cyber-attacks.

We at InnovatioCuris always strive to sensitize the healthcare providers with new technologies and our next issue would focus on IoMT or connected healthcare which is overtaking the segment rapidly. However, we should always keep in mind that we are master of technologies and not the other way around. Can humane touch be replaced by technology? The trend nowadays is that we are leaving human ingenuity behind and are being heavily dependent on technology. There is a need to understand the benefits and challenges of newer devices, technology, and thinking. Let us consider how we can balance traditional to modern approach in today’s world and get the best of both worlds. Let our readers share their experiences by writing for the magazine to benefit all.

Introduction

The famous Silicon Valley investor Marc Andreessen says, “software is eating the world”. By, which he means that increasingly we are bringing software into systems to increase efficiency, lower down the cost or time involved in the process. Interestingly, humans also do software writing and humans are prone to make mistakes. It is estimated by various experts that 1000 lines of code (KLoC) has approximately 15-50 bugs present. Bugs here mean mistakes made by the software programmer while writing the software code. Bugs often result in some kind of malfunction or wrong output. Some of these bugs can lead to exploit by a third party making the larger system vulnerable or as we call hackable. As long as humans will write software, bugs will be there.

In a typical software company as bugs are discovered, new code is written to fix these bugs. The new code might further result into new bugs hence the cycle continues. At the consumer end, we keep receiving software updates over the air, as we use our phone / laptops or other devices, which are many times an attempt of the software company to overcome the past mistakes.

A lone computer hacker or an organized crime group looks at these software updates (sometimes called patches) very curiously as for them this could be a chance of hitting the jackpot! They reverse engineer it and try to understand the bug, that the patch is trying to cover. Very often systems are not updated with latest updates. Leading to most system having a known vulnerability, which the hacker can take advantage after understanding it well. Hackers further can create a simple script (programming code snippet) to some sophisticated software, which can then take advantage of the vulnerable system. We often call such a program as malware, as it is built with bad intention.

Today, as we talk it has become from a hobby crime to organized crime! Software companies regularly receive communication from bounty hunters about exposing their critical software bugs and in exchange not to do so, hackers want to charge them bounty money. Some software companies have gone further and engaged these bounty hunters to reduce security risks in their software.

In some cases the hacker is not interested in the bounty money (hence they do not inform the software maker) but rather interested in exploiting the bug. Sometimes, the bug is not known to the software maker or anyone else in the world and can be converted into a lethal attack. Such attacks are known as a zero day attack! As prior knowledge of such a vulnerability does not exist. Hence, most software security solutions, like anti virus software do not work on them. Further selling the knowledge of exploit as lethal software is now called as a cyber weapon. Nation states are now engaged in buying or building such software to infect systems of enemy states. Hence, we have come very far in the business of software bugs, where the enemy could be a lone developer, an organized crime group or a Nation state.

How is software eating the health sector and the threats linked to it?

In the above section we discussed in general, how the exploitation of software is increasingly becoming a serious business. While, we have seen many examples in last 30 years from a hobby software programmer to Nation states taking advantage of the software driven vulnerabilities. We would like to share some examples closer to the health sector.

1. Malware affecting data systems

Hospital information systems and similar information systems as part of the healthcare delivery have become very commonplace and one of the core component of the system. As pointed out in the introductory section, organized crime groups are now looking to exploit software bugs for commercial purposes. One of the ingenious way that they have developed is a malware known as ransomware . Ransomware is a malicious computer program which when executed on a system encrypts the data with very strong encryption making it unusable for hospitals or any other care provider to access patient records or other vital information. It then demands a ransom inform of bitcoins (a crypto currency) in order for the victim to have the key to decrypt the vital information. In recent incidents of ransomware infection, some hospitals in USA have even demanded millions of dollars as ransom and some have even paid.

The mitigation strategy for countering ransomware for any organization would be a strong backup of data. Also, creating awareness among the employees on sources of malware and reducing the chances of accidental infection of the workplace systems.

The long-term solution of tackling such organized crime is a better international legal framework, which allows international prosecution and cooperation among law enforcement agencies.

2. Denial of service attacks on ehealth services

In 2007 there was a distributed denial of service attack that took place in Estonia. A statue of the Russian soldier was removed from the Tallinn Square, capital of the country. Which sparked a response from sympathizers from Russia and it brought down the Estonian economy for three days. Estonia being one of the most advance countries when it comes to take up of e governance services, ehealth being one of them. The entire attack costed less than 50,000 US dollars. That was the first Denial of service attack the world saw at the level of a nation state.

The basic premise behind such an attack is that you have a service (e-service) to be provided to citizens over Internet like their own health records for example. The provider would have some finite amount of bandwidth and computing power at the backend of the service correlating to the average load on the service. In a distributed denial of service attack, the attacker uses compromised computing devices (commonly known as a bot) to access the Internet service. The botnet, which is a collection of such bots could be having thousands or millions of such devices that simultaneously access the service. The service provider is not able to distinguish the normal traffic from the bot traffic and often the server crashes under the heavy load. For a normal user trying to access the service, the service is unavailable because of the finite resources of the server being exhausted by the bot traffic. Hence, it is called a denial of service attack.

Hence, when a city, state or a nation is considering providing an eservice to citizens it could witness such attacks. One strategy to mitigate such attacks is to have tracking of the server traffic for any anomalies and having redundancy available in the system. This is achieved many times by putting the service on a cloud, which can tolerate such traffic fluctuations.

3. Data leak and breaches

Many health systems or systems require some kind of authentication mechanism to log in to the system in order to access the service. Many a times these are text password based systems behind which, important patient profile or health records information is stored. The largest of the companies like that of Google, Microsoft etc have seen attacks where the attacker is able to leak the passwords of millions of their customers. Such scenarios result in massive breach of data privacy and compromise for customers.

Good security practices, proper encryption of data and regular updates of the system are some of the key considerations for avoiding such instances. Nowadays, two-factor authentication has become a standard practice for making the authentication systems more robust. However, still some user awareness is needed to opt for better security practices whenever possible.

4. Hacking medical devices and health system

If we look at the building blocks of the health systems, where information technology is deeply integrated. We have already covered the health information systems, eservices and patient interface of authentication into the services. However, increasingly we hear about Internet of Things (IoT) devices in the health sector domain. Which means the integration of Internet services into traditional medical devices or new age devices, which have also connectivity. For example, a thermometer which can send the temperature data to your phone or a stethoscope which can record the patient breathing sound and upload in a server for finding patterns of lung diseases. These are powerful use cases and provide great opportunity to clinicians and care providers, where they have greater computation power available to them and they are able to do more with less. However, these IoT devices are prone to the same kind of attacks as any other communication device or a software program. They can be compromised to show wrong values and totally messing up the diagnosis. There are already such instances. One such instance not related to health sector but important is of the Stuxnet. Stuxnet was designed for the SCADA systems of Iranian nuclear program by USA and Israel in order to delay their nuclear program.

5. Stealing identity information

As mentioned in the point 3, about data leaks and breaches at the system level. One problem, which can arise from such an attack, is a further more damaging attack that is stealing of identity information. In India, mobile phones to receive an sms message containing one time password is increasingly becoming a standard practise because of being cost effective, simple and secure. Any such application, which you may install on your phone, can also get access to the sms and other features of your phone. Meaning the incoming sms or calls can also be stolen by this application to complete the transaction on your behalf. As increasingly we have to prove ourselves using biometrics or passwords to online systems. It is possible for the attackers to steal these credentials and access our records without our knowledge. Hence, any third party applications that we install on our devices (especially phone) , we need to be very careful about the type of access control they have on our devices.

6. Implantable medical devices with communication interfaces:

In 2007, the former US Vice President, Dick Cheney’s implanted pacemaker’s wireless communication was disabled fearing a terrorist attack. This sounds like science fiction to many but incident has already happened ten years back! Many of the medical devices are built with a communication interface and it is quite normal for a typical pacemaker or other such devices to have a Bluetooth or a similar communication technology based interface for remote diagnosis and other purposes. While, the communication ability of such a device was planned for looking at the state of the pacemaker it was not designed with keeping security in mind. Hence, it is possible that someone can connect to a critical device like pacemaker and shuts it down remotely.

One more reason that such exploits are possible increasingly as computing is becoming cheaper. What seems strong security today might not be strong tomorrow. However, an implantable device might stay in the patient’s body for tens of years. Hence, we need to have a long-term view on the communication interfaces and their capabilities on such devices. We need to make considerations on control and information capabilities of these interfaces. Misuse of control capabilities can lead to even death and misuse of information capabilities can lead to breach of patient privacy.

Way forward: why Internet is the new breeding ground for crime?

The law of the land governs the Internet in every country and hence the legal regime globally is very fragmented. However, a user of Internet does not see any borders or walls and so is the criminal. They build their criminal businesses where they do not fear strict government action and often for paltry sums the user or the national law enforcement agencies do not pursue the criminal cases cross border.

On top of it newer crypto currencies like Bitcoins, makes it easy to make such transaction in an anonymous manner. Dark net marketplaces provide a breeding ground for criminals to conduct illegal transactions of billions of dollars without getting caught. So, the three important components, weak legal enforcement, anonymous currency and secret marketplaces are enabling the cyber crime to flourish. If we want to slow it down, we will need greater international collaboration among lawmakers and user awareness at all levels.

Reference:
(i) https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
(ii) http://labs.sogeti.com/how-many-defects-are-too-many/
(iii) https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net/transcript?language=en
(iv) https://hackerone.com
(v) https://en.wikipedia.org/wiki/Zero-day_(computing)
(vi) https://en.wikipedia.org/wiki/Cyberweapon
(vii) https://en.wikipedia.org/wiki/Ransomware
(viii) https://en.wikipedia.org/wiki/Bitcoin
(ix) http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html
(x) https://www.theguardian.com/technology/2016/feb/17/los-angeles-hospital-hacked-ransom-bitcoin-hollywood-presbyterian-medical-center
(xi) http://innovatiocuris.com/looming-danger-of-ransomware/
(xii) http://www.bbc.com/news/technology-24608435

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com