Lt General (Dr.) Rajesh Pant is an internationally recognized Cyber Security expert, presently tenanting the prestigious appointment of National Cyber Security Coordinator at the Prime Minister’s Office, India. General Pant brings to the table an interesting mix of military operations, academic excellence, corporate governance, and cybersecurity wisdom. Prior to this, he was the Head of the Army’s Cyber Training establishment for three years. He served in the Army Signals Corps for 41 years wherein he was awarded three times by the President of India for distinguished service of the highest order. He also served as the Chairman of Precision Electronics Ltd as a Governing Council Member of IETE (India). Sachin Gaur interviewed him on his viewpoint on India’s vision for cybersecurity.

Q. On behalf of InnoHEALTH Magazine, we congratulate you on your new assignment. For our readers, we would like you to share your short-term and long-term vision for Cybersecurity from national security perspective.
Short-term vision is to issue National Cyber Security Strategy 2020-25 early next year. Task force is working overtime on this by consulting all stakeholders. Long-term vision is to create an all-encompassing cyber vertical at the national level, to handle incident response, cybercrimes, legal issues and capacity building.

---

Q. We know that there are some fundamental technological shifts waiting to happen like 5G, and along-with it massive (Internet of Things) IoT deployments and especially use cases of connected healthcare. Can you share your views on the cybersecurity implications of the connected devices?
IoT security is a priority topic world over and this is because the limited security capabilities of these devices are also an afterthought. We need to work on a framework, to bring baselinesecurity through the manufacturers and developers of these devices. These devices are omnipresent in our lives, we find them in our home environment to industrial environments including hospitals. We have seen attacks in the past, where such devices are compromised to launch massive denial of service attacks to manipulate the workings of critical infrastructure.
Also, the issue of IoT security is multidimensional, from data security, privacy to device security. As we discuss this, there are multiple acts and bills pending in the Parliament on these topics. While the bills and acts will provide a framework, we need to also create awareness on both sides, supplier and consumer on the possible risks and mitigation strategies.

---

Q. What steps can be taken to improve the security in such connected devices?
When I say baseline security framework, it can be achieved in multiple ways.
As of today, most devices that we use including mobile phones, do not have a security testing certification. So, we can agree with the industry and look at important test cases and if they can do self-certification on such test cases.
For example: the device should not have weak default login credentials, it is sending data to a remote server and can be operated remotely. So, we can come up like a 5-star rating framework like that of the energy consumption but for the security of IoT devices basis what kind of tests they clear.
Industry bodies can agree on various levels of security and what it takes to achieve that level. Such a framework, when implemented, can provide confidence to consumers and users on the kind of device they are using vis-a-visthe use case they have at hand. So, they might use a higher security rating device in a use case where the stakes are high.
The other approach is to get the security testing done with notified agencies. Department of Telecom for example has announced mandatory security testing of network elements for telecom given telecom is a part of the critical infrastructure and security issuescannot be taken lightly.
Also, some of the emerging concepts in connected devices are missing in the various governing acts of the industrial connected devices. So, we also need to update our legal frameworks to cover software-based tempering of such devices and make the manufacturers and service providers accountable and proactive towards the security of the systems they provide.

---

Q. What are the threats that you foresee for the health sector?
There are three areas we see where health sector can be impacted:
First is the data breaches and ransomware attacks on healthcare data. As we know, among all the data, healthcare is the most sensitive and sought after by malicious actors. Outside of India, we have seen umpteen cases where ransomware has crippled the health system and it is only after paying the ransom the hospitals can start operation again. Timely backups and encryption of healthcare data during storage is a preventive measure that clinical establishments can take to mitigate the breach and ransomware attacks.
Second is the manipulation of connected devices. The topic of IoT and connected devices security, as discussed in the above sections, directly apply to the medical devices. Healthcare is a domain where attacks on such devices can be life threatening, especially when there are implantable devices. As we have the new Medical Device Regulation Act in India since 2018, we should also consider cyber security aspect in the devices which have a communication interface. For example, a pacemaker which has a communication interface can be manipulated remotely and the patient’s life is at risk.
Third is the manipulation of health system including the building management. We are probably not very far from the days when sophisticated attacks, as we see in the movies, on high security establishments by manipulating the building controls. The building management systems are very weak when it comes to security. Every hospital is a building and imagine what a false fire alarm would mean to patients in Intensive Care Unit. Or even loss of air conditioning or sudden spikes in electrical power.
There is a proposed act DISHA, Digital Information Security Healthcare Act, which might address some of the legal aspects of security in the healthcare setting. A lot needs to be done in this area, and we are on our way.

---

Q. Our readership consists of health experts all over the world. Any message for them?
We are at the cusp of a new age where we look to take advantage of Artificial Intelligence to Internet of Things. For such a knowledge economy to take off, health sector is at the center of it and health experts need to pay attention on what they are buying and how such systems are managed and operated. Through intervention of Ministry of Health & Family Welfare and responsible bodies such as National Accreditation Board of Hospitals & Healthcare Providers (NABH) of Quality Council of India, we plan to recommend a cyber audit and increased awareness of information security.
We would not want our hospitals and clinical establishments to be a prey for malicious actors. Rather we would want our experts to leverage technology to take the country to the next level in providing care to a wider population at a lower cost and of the highest quality.

There is no doubt AI and IoT are big help in radiology and early diagnosis of cancer etc. but can never replace human intervention. India is also fast changing to adopt new technologies. As per a recent estimate, AI has potential of bringing $957 billion to the Indian economy by 2035. This may be the cause for luring young professionals to this new domain.

AI, as described by the domain experts – application of AI in healthcare, can be classified into Descriptive, Predictive, and Prescriptive. Our effort here is to learn and share newer knowledge by various initiatives taken by us through our annual conference, magazines, training programs, club meetings, webinars and the most recent delegation to Sweden under InnoBRIDGE 2019 to learn the best practices and explore synergies. On the request of our stakeholders, the next planned initiative is InnoBRIDGE USA 2020.

This issue is based on the theme of AI & IoT in Healthcare. The next one would be on Unmet Needs in Healthcare: Leading to Innovation. Do share your views and research for the benefit of all who believe in change through innovation. Let us think more on the basic issues of healthcare and how we can use technology to improve healthcare for common man at an optimum cost.

Ideate, Innovate and Incubate for the Bottom of Pyramid. Let us strive together to make India a developed economy from an emerging economy. The population of1.3 billion should be an asset and not a liability for the nation. A healthy India only can make wealthy India.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

• Leadership: Ownership of the issue
• Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
• Policies and procedures: Understanding of business continuity processes and incident response procedures
• General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

• Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
• Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
• Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
• Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
• Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
• Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

• Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
• Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
• Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
• Use a firewall: Anything connected to the internet should have a firewall.
• Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
• Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
• Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
• Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
• Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
• Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science

Where India stands today?

According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.

For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.

India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.

Also Read:
Cyber4Healthcare: An Issue of Today & Tomorrow
DISHA – Need of the hour

Healthcare specific provisions

While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.

Accordingly, DHD means any electronic record of health-related information

• concerning the physical or mental health of a person
• on any health service provided to an individual
• on a donation of any body part of any bodily substance
• derived from testing or examination of a body part or bodily substance
• collected during providing health services
• relating to details of the clinical establishment accessed by a person

DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.

Marching ahead

The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.

About the author

Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.

Q. Given your important assignments for the Government of India in the past, share with us the big picture. What are the trends you see in terms of cybercrime and threats for 2019?

The world is getting more connected and technology has seeped into every aspect of our lives. On one hand, these advancements make our lives easier and on the other bring a lot of vulnerabilities with them if security isn’t strong enough to tackle cyber criminals. Hackers today are well-educated and have the capabilities to develop new methods and tools to exploit the vulnerabilities on the computer systems and networks. Few do it for their academic interest and thrill and inform the person concerned about the vulnerabilities so that the same can be plugged. They are known as white hat hackers. While the others do it with malice and self-gain and are known as Black hat hackers.

To gain access to the computer systems, the cybercriminals and hackers will continue to deploy already existing tools (called as exploits) with enhanced capabilities. More advanced tools will be also be developed in the coming years. Some of the important ones are enumerated below:

1. Chatbots: There will be extensive use of machine learning techniques (Artificial intelligence) in the near future. A Chatbot can be injected into the important website (for example, a banking site). Chatbot in the form of a man or woman would pop up on the screen and will start interacting with the user (like what we see the google assistant doing). Then it may misdirect the customer to a nefarious link similar to an actual banking site, thereby fetching important information from the customer and compromising his banking information.

2. Bot and botnet: The hackers have been successful in remotely taking control of the hacked computer systems. Such a system is known as a bot. The hacker can remotely misuse a machine (using computing time or other resources) without the actual user being aware of it. If there is more than one compromised device, then it is called a botnet. Botnets can be put to perform some distributed function viz, crypto jacking (mining bitcoins) or distributed denial of service attack.

3. Discover and target organizations outside the firewall: Most of the commercial organizations deploy firewalls, intrusion detection systems, and intrusion protection systems; thereby making hacking difficult. But they use the third-party software, which may be having vulnerabilities. Hackers can attack the third-party systems used by commercial websites.

4. Injection Attack: Protective systems installed on computers look for malicious files to detect cyber-attack. The injection attack is filed less; the hacker directly inserts the malicious code in the memory, thereby compromising the machine, without ever dropping a file onto the infected system. One such example is British Airways site hack in 2018, resulting in identity theft of around 3,80,000 users.

5. Biometric Hacking: Cybercriminals use brute force attack, dictionary attack or social engineering, etc., to crack the passwords. Many people have shifted to biometrics. The academic research suggests that a number of officers print authentication systems could be spoofed, even highly sophisticated facial recognition system has been proven vulnerable to more advanced hacking efforts.

6. Application of artificial intelligence: Artificial intelligence techniques will be used more and more to avoid detection by intrusion detection tools. For example, Waterminer, a cryptocurrency mining tool injected as malware, stops mining when task manager or antimalware scan is run.

Also Read:
Social Isolation in a Digitally Connected World
Sweden-India Collaboration in Health Sector

7. Rouge AP(access point) and Evil Twin: Rouge AP is an access point installed on the network without the knowledge of the administrator, while the evil twin is identical network.

The above-mentioned techniques will be sharpened to attack numerous utility services (some of which are listed below) by the black hat hackers for malicious purposes:

A. Internet of things(IoT): the Considerable number of smart gadgets (such as TV, plugs, IP cameras, smartphones, tablets, network video recorders, heaters, refrigerators) are used at homes and industries. When these gadgets are connected to the Internet, they are termed as the Internet of Things. The hackers will increase their attacks on IoT using a vulnerability in cloud infrastructure and hardware to threaten the users physically or mentally.

B. Attack on identity platforms: Identity platforms offer centralized secure authentication of users, devices, and services across the IT environment. It could be a database of banks, hospitals, social media sites, etc. Identities of a large number of persons would be attempted to be stolen for extortion, impersonation or proving the inadequacy of the commercial organization in securing the important data (so as to blackmail).

C. Real world damages: There will be more and more attacks on services providing community services viz, municipality, health sector, electricity supply, water supply, and sewer systems. Besides the cybercriminals, who would use such hacking for ransom, terrorists and even nations can use it against public or adversaries.

D. Social media content compromise: There will be increased use of Botnets to compromise social media to influence public opinion.

Q. Being a healthcare publication, our readers would be interested in healthcare-specific cyber threats. What is your opinion on the health sector threats?
The health sector offers life critical services. It maintains the identity and clinical records of a large number of patients. The following factors make the health sector more vulnerable as compared to the other sectors.

• IoT (Internet of Things) devices are used extensively for the treatment of the patients viz. smart continuous glucose monitoring, connected inhalers for asthma, apple watch Identity platforms offer centralized secure authentication of users, devices and services across IT environment. It could be a database of banks, hospitals, social media sites, etc. PERSONA THEME TRENDS WELL-BEING ISSUES RESEARCH NEWSCOPE app that monitors depression, etc.
• The doctors and patients can connect external storage devices and even mobile phones to the hospital database system.
• Third-party software and hardware are deployed which makes it vulnerable to supply chain poisoning.
• Most of the services provided by the hospital are connected through the Internet or the cloud services.

Clinical data is of immense use for cybercriminals and cyber terrorists. They can use vulnerabilities in cybersecurity in the following ways:

1. Identity theft: Medical identity record is very useful for the cybercriminals as it can be used to impersonate people in the digital world and gain access to financial systems as well as to commit fraud by claiming treatment or insurance at the cost of insurance agencies and the patients. Therefore, this data is sold at a higher rate in the darknet as compared to identity records of other sectors.
2. The clinical records of the patients may sometimes contain their psychological disorders or conditions, or a person may be suffering from concealed diseases (sexually transmitted disease, etc). The hacker may make use of such information by blackmailing or harassing the patients. It would cause hardship to the patients and would put the reputation of the healthcare service provider/hospital at stake which failed to protect the patients’ identity and clinical records.
3. Ransomware attacks on hospitals will be on rising. The information of the patients is mostly time critical. If the cybercriminal denies the access of data to the hospital even for a short span of time, it may lead to lack of timely treatment to critical patients and therefore, hospital administration is not in a position to delay the ransom payment.
4. Prescription change: In India, the majority of renowned hospitals in metro cities are computerized. Doctors give online prescriptions which immediately become available to the concerned medical staff, such as a nurse who administers the drug to the patient. Cybercriminal scan tampers the prescription which may harm or even cause the death of the patient. They can cause an obstruction in the oxygen supply line or failure of electricity. They would be able to change the medical records of the patients, which will lead to wrong diagnosis and treatment. Not only cybercriminals but the terrorists can adopt the above techniques and threaten the nations or can even cause large scale fatalities.

Therefore, it becomes extremely important to adequately secure the health sector databases.

Q. The health sector has seen major attacks of ransomware; part of the equation is ‘money aka cryptocurrency’ in organized crime. How do we handle this?

Being proactive about cybersecurity is perhaps the best approach to tackle cyber-attacks. The health sector should form cybersecurity forum for cybersecurity policy formulations and mutually evaluate hospitals’ preparedness against the cyberattacks ensuring adherence to the cybersecurity policies. Additionally, each hospital network should have a dedicated team of IT security professionals to guide the management and proactively check for any cyber invasion. The IT team should ensure that the latest patches for all the devices and software are installed and there is protection from supply chain poisoning. The system should be equipped with features firewalls, Intrusion Detection System, Intrusion Protection system and processes analytical tools among others.

The blockchain techniques can also be explored for data management and the patient databases should be encrypted so that they are of no use to the hacker. Further, the hospitals must take data backup with a fast recovery plan. Regular penetration testing of the system should be done to eliminate potential vulnerabilities.

Hospitals should invest in training IT staff in cybersecurity policies and cybersecurity technologies. Regular analysis should be done of employees’ computer usage pattern so that any compromised user is effectively detected and timely removed from using the system. There should also be a secure access control preferably using biometric features.

Q. Today security has become a hot topic and world over we see that regulation is leading change and innovation! What is your vision for India in regard? What regulations will make the health sector more secure? Or we don’t need regulation?

The cybercriminals attempt to hack the computer resources of the hospitals by exploiting the vulnerabilities in the computer systems. They manipulate the stored information, steal the same or hold it for ransom. The hospital databases work on the trust reposed by patients in the hospital administration that their data will be guarded with privacy.

Cybercriminals can be prosecuted under various provisions of the Indian Information Technology Act, 2000(ITA). The IT Act creates civil liabilities for the offenses under the Act vide Sections 43 to 45, wherein an amount of compensation can be given to victims; it also creates criminal liabilities vide Sections 65 to 74 of the Act. Cybercriminals are liable to both civil and criminal liabilities.

Hospital administration is responsible for protecting the data and failure to protect can result in civil liability under Section 43A of the IT Act. However, this section can be invoked if the breached data results into wrongful loss to the victim or wrongful gain to a cybercriminal. The victim has to prove that there was a wrongful loss to him/her. The offenses by the intermediaries are criminalized under Section 67C of the IT Act. However, the same gets diluted by the provisions contained in Section 79 of the IT Act. Hence, the IT act doesn’t provide absolute data security laws.

The Government of India appointed Justice BN Srikrishna Committee for effective data protection laws in India. The committee submitted the Draft Data Protection Bill, 2018 to the government in July 2018. It will be introduced in parliament after the forthcoming elections in India. The Government of India is also planning to introduce “The Digital Information Security in Healthcare Bill” in the parliament to secure the healthcare data of patients in India.

Q. As the cyber incidents keep rising and legal regime catches up, what is your opinion on our abilities in investigating cybercrime? As you know attribution and audit trail are not the easiest in the cyber world, any advice for stakeholders so that they are not wrongly prosecuted or get justice on time?

According to Section 78 of the IT Act, 2000, a police officer of the rank of Inspector and above is authorized to investigate the offenses under the IT Act. This is to ensure the quality of the investigation. However, all Inspectors in police are not trained in cybercrime investigation. Further, complexities of computer technology, tools, and methodology used by cybercriminals make it difficult even for a trained person to keep pace with the development in this field. Police organizations don’t employ external cyber experts to aid in the investigation. Each police officer investigating the case seeks help from other expert police officers or cyber experts of his/her choice. Therefore, institutional help is lagging.

There is also the dearth of cyber experts in forensic science laboratories, resulting in delays of months and years in getting reports from them which can compromise the further evidence leading from forensic analysis of seized electronic material. During my tenure in the Enforcement Directorate, I found this delay to be of 1 to 3 years, therefore, I initiated six in-house cyber forensic labs. This led to the cyber forensic analysis done at a quicker pace also improving the quality of investigation.

The next hurdle is the global spread of evidence into other jurisdictions. A letter rogatory (letter of request) is sent to each foreign jurisdiction for getting the evidence located in that jurisdiction. The process is slow and it may take 3 to 4 years in getting a reply. If that reply further requires evidence from another foreign jurisdiction then another 3-4 years are gone. Therefore, the entire investigation is time-consuming.

The investigation becomes further complicated if Tor or onion routing is employed by cybercriminals. Finding the cybercriminal in this scenario becomes more difficult.

The IP address (internet protocol) and the time of its use, identify uniquely the source of the attack. However, the cybercriminal may commit cyberattack through Bot or botnet. In that case, the IP address will lead the investigation officer to the slave machine, even though the user of this machine would have no knowledge of the misuse of his computer resources. If the investigating officer doesn’t go into the depth of log analysis of such a system, then the innocent people might have to face false prosecution. The stakeholders should ensure all logs are maintained and stored by his computer system so that the audit trail can lead to actual perpetrator of cyber-attack.

In a recent healthcare conference, the people were unaware when I spoke about how on October 21, 2013, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts. To this, everyone had an issue on accountability. It remains unanswered that who would be liable, the doctor, hospital, company which provided pacemaker or the insurance company. Amidst all this, nobody was concerned about the patient as none present there questioned it. Maybe we are awaiting a major catastrophe to happen to put our minds to work. It is our endeavor to equip the healthcare community to this aspect of digital health.

Cybersecurity is a major concern for patient safety and healthcare infrastructure. The health records, data, hospital information system and individual medical devices are all targets. The vulnerability is in technology and lack of awareness of staff. There are many examples to quote wherein hospitals have become the victim of attacks. A recent audit of a corporate hospital in Delhi by our team revealed that 80% of equipment is vulnerable to cyber attack, thus, risking the patients. Healthcare providers are not sensitized to issue as required hence this magazine is dedicated to Cybersecurity. We have named it Cyber4Healthcare and even launched a training program in the healthcare domain to update knowledge of this extremely important topic. There is an immediate necessity that we invest in staff and equipment to make our systems robust enough to protect them from cyber-attacks.

We at InnovatioCuris always strive to sensitize the healthcare providers with new technologies and our next issue would focus on IoMT or connected healthcare which is overtaking the segment rapidly. However, we should always keep in mind that we are master of technologies and not the other way around. Can humane touch be replaced by technology? The trend nowadays is that we are leaving human ingenuity behind and are being heavily dependent on technology. There is a need to understand the benefits and challenges of newer devices, technology, and thinking. Let us consider how we can balance traditional to modern approach in today’s world and get the best of both worlds. Let our readers share their experiences by writing for the magazine to benefit all.

The need to change the way of delivering care/service should be our priority. A paradigm shift in the way of offering services through connected health services and emphasizing that privacy and security concerns are of utmost importance when it comes to connected health. Responsibility and accountability after acquiring data are very important. The question is how to analyze the data and get actionable insight. Analytics and IoT should be considered together for actionable insight. The challenge of interoperability has turned up with an increase in the number of devices being used.

Trends and Opportunities of Medical IoT

IoT or Internet of Things is not new, but it has been gaining traction at a very high pace. Since the inception of the word IoT, there has been an ongoing conversation about how it might change healthcare, improve patient safety, affordability and accessibility for patients.

Healthcare in India has a huge potential in terms of IoMT or medical IoT solutions. There will always be challenges and opportunities in this sector. Connected health is contributing towards the growth in space of IoT, but is lagging behind many other connected sectors.

One of the key challenges in developing the algorithm for medical devices such as CT scans and X-rays. Application of artificial intelligence and machine learning in healthcare should be cautiously done because in case of a CT scan if we miss a module it has life risk and hence should be used carefully and should be a well-validated clinical algorithm.

Since the infant mortality rate in India is twice the rest of the world, and that is certainly alarming as the bottom of the pyramid is affected; there is a company which focuses on the mortality rate of low weight birth babies. They have come up with developing a bracelet which diagnoses hypothermia in low birth weight babies. This was a very simple and innovative device, but then they analyzed the intermissions they can work on and came up with baby cradle. The main challenges to develop and design such a product is to cope with the cost factor and the startups definitely need funds to develop such a technology.

The goal of connected health is not just early identification of health issues, but also effective patient care and safety. Today IoT platforms support integration of medical devices and wearables. The need for security is as important as when it comes to IoT and accessing healthcare data and strengthening advocacy for connected health.

Things change very rapidly and in very small time, and IoT is taking shape with it. But who will fund the cost of development/ Can government help the industry in making such policies?

Business Models of Successful IOMT in India and Challenges

The IoT healthcare business strategy is not yet robust because it involves a set of elements with new requirements such as new operational processes and policies, new infrastructure systems, distributed target customers and transformed organizational structures. Therefore, there is a need for a new business model. The IoT technology opens a new dimension of business opportunities for healthcare companies and the IoT platform becomes a key artifact in this transformation. Early movers who are taking a proactive approach to establishing their IoT healthcare ecosystem will tap into new business models. In this part of the business model, the panel discussed the basis of pricing and the way of charging for a product or service. Besides this, the panel also discussed the ways of revenue generation.

While there are many benefits of the Internet of things in healthcare, it isn’t without its challenges. As with any new technology in healthcare, hospital and IT executives are concerned about data security and IoT device management. What are the potential barriers to IoT adoption and how healthcare IT can overcome those obstacles?

AI and IoT change the way healthcare is delivered and we obviously are on the cusp of a revolution. This definitely poses a fair amount of concerns but also huge possibilities. The panel also discussed how Medicare is 100th the cost per person when compared to Obama care. So clearly, there must be more innovations coming from IoT and AI; they are going to help us reduce the cost.

In the past, how people tried to use the data for the benefit of both patients and providers, starting from the patient side faced huge failures, as nobody was willing to pay. And that’s where the thinking came from that; how do we really make this work? How do we really turn this data into a business model? And that’s where they pivoted the model, working with providers and using their data sets. But then the question comes up, “Why the providers would share their data?”. Thus, the first pitching that started was to use the provider’s data for their patient care. And it didn’t work well. The whole narrative was, “What’s in it for providers?”.Therefore, the business model turned out to be, as we kept on talking to people, we realized that the data is going to be useful for provider’s revenue success, and then the same datasets will help the patients. A solution that they projected is to help retain the provider with patients’ data, grow their revenues and help in patient care.

The MedTech certainly seems more complex. Where they are trying to come out with a dermatology solution and oral health solution for serious diseases where a cell phone image taken from an off the shelf mobile phone camera is sent to an AI backend and it gives a diagnosis and possible treatment options for a variety of skin diseases, particularly oral cancer. Such cases are very prevalent. What the panelist found is a landscape extremely complex in terms of the business model because when someone comes out with something like this, then figuring out who would it be paying is difficult. And suddenly the AI and IoT thing comes up and say that it can perform this diagnosis at par the level and in certain cases better than certain trained specialists. This does not support their case.

One of the panelists shared her thoughts on important factors to concentrate and realize why health care has not moved digitally as compared to other industries like banking, insurance and how a lot of digital interventions can happen in healthcare. There are a whole lot of opportunities.

The main thing to focus on is What is the problem? What is the solution? And who’s going to pay you? Because that’s where the panelists believe that lots of startups have a scope.

The customer is one, the doctor is another and hospital, the other spectrum. So how to manage this change and address the change management. If you give a thought on what to overcome, it gives you a kind of value that you try and achieve success and how do we overcome the quality assurance issues, change issues, challenges that one sees in terms of adoption. Let’s say for the doctors, it took a hundred years to the doctor to adopt stethoscope. Today, it’s widely accepted. IoMT is something that is obviously very innovative, very useful. But then not every doctor will accept it right away. How does one plan to overcome that barrier? So, they might just want one to focus on change management issues.

There are three components of the IT embedment in a hospital. One is the business side of it, which gets adopted immediately. There’s just no resistance to it. The second side is the paramedical side of it; it has pathology, radiology, and other such things. They take a little time but they come on board. The learning curve is much shorter over there. The third one is the clinical side, which is the most difficult, as in a hospital system there are doctors who are most resistant to changes and the reason being their upbringing and learning of clinical practices in a certain way.

The question arises “How does one change their practices?” Changed management is already happening at the college level. The medical students who are coming out now are more hands-on and are accepting the new technological changes. We will have to wait a little while, but they will accept it. When we talk about a change in the management, the problem that arises is not specific to India only. In the USA, George Bush had said that he wanted EMR to be adopted by everyone within the next ten years. Surprisingly, he didn’t even get 15% conversion in those ten years.

It is important to secure the data and look over the cost implications of data security issues in connected health work moving forward. There is a need for appropriate interventions at the transition level of doctors and patients, as well as the importance of advocacy and awareness‐raising at community level about connected health. There is also a need for financial support for encouraging the tech enthusiasts of the country to address health issues in India with connected health solutions. One needs to understand customer value as well. How do we speak the right language in terms of what would appeal to that particular user or customer or doctor or hospital for that matter only then we will see more IoMT adoption happening. Yes, there is a need to understand the regulatory framework. Startups needs to adopt a lean structure in collaboration with the medical partners and come up with innovative solutions. India has a fantastic opportunity, but clearly it does need elements to come together and work together.