Q. Given your important assignments for the Government of India in the past, share with us the big picture. What are the trends you see in terms of cybercrime and threats for 2019?

The world is getting more connected and technology has seeped into every aspect of our lives. On one hand, these advancements make our lives easier and on the other bring a lot of vulnerabilities with them if security isn’t strong enough to tackle cyber criminals. Hackers today are well-educated and have the capabilities to develop new methods and tools to exploit the vulnerabilities on the computer systems and networks. Few do it for their academic interest and thrill and inform the person concerned about the vulnerabilities so that the same can be plugged. They are known as white hat hackers. While the others do it with malice and self-gain and are known as Black hat hackers.

To gain access to the computer systems, the cybercriminals and hackers will continue to deploy already existing tools (called as exploits) with enhanced capabilities. More advanced tools will be also be developed in the coming years. Some of the important ones are enumerated below:

1. Chatbots: There will be extensive use of machine learning techniques (Artificial intelligence) in the near future. A Chatbot can be injected into the important website (for example, a banking site). Chatbot in the form of a man or woman would pop up on the screen and will start interacting with the user (like what we see the google assistant doing). Then it may misdirect the customer to a nefarious link similar to an actual banking site, thereby fetching important information from the customer and compromising his banking information.

2. Bot and botnet: The hackers have been successful in remotely taking control of the hacked computer systems. Such a system is known as a bot. The hacker can remotely misuse a machine (using computing time or other resources) without the actual user being aware of it. If there is more than one compromised device, then it is called a botnet. Botnets can be put to perform some distributed function viz, crypto jacking (mining bitcoins) or distributed denial of service attack.

3. Discover and target organizations outside the firewall: Most of the commercial organizations deploy firewalls, intrusion detection systems, and intrusion protection systems; thereby making hacking difficult. But they use the third-party software, which may be having vulnerabilities. Hackers can attack the third-party systems used by commercial websites.

4. Injection Attack: Protective systems installed on computers look for malicious files to detect cyber-attack. The injection attack is filed less; the hacker directly inserts the malicious code in the memory, thereby compromising the machine, without ever dropping a file onto the infected system. One such example is British Airways site hack in 2018, resulting in identity theft of around 3,80,000 users.

5. Biometric Hacking: Cybercriminals use brute force attack, dictionary attack or social engineering, etc., to crack the passwords. Many people have shifted to biometrics. The academic research suggests that a number of officers print authentication systems could be spoofed, even highly sophisticated facial recognition system has been proven vulnerable to more advanced hacking efforts.

6. Application of artificial intelligence: Artificial intelligence techniques will be used more and more to avoid detection by intrusion detection tools. For example, Waterminer, a cryptocurrency mining tool injected as malware, stops mining when task manager or antimalware scan is run.

Also Read:
Social Isolation in a Digitally Connected World
Sweden-India Collaboration in Health Sector

7. Rouge AP(access point) and Evil Twin: Rouge AP is an access point installed on the network without the knowledge of the administrator, while the evil twin is identical network.

The above-mentioned techniques will be sharpened to attack numerous utility services (some of which are listed below) by the black hat hackers for malicious purposes:

A. Internet of things(IoT): the Considerable number of smart gadgets (such as TV, plugs, IP cameras, smartphones, tablets, network video recorders, heaters, refrigerators) are used at homes and industries. When these gadgets are connected to the Internet, they are termed as the Internet of Things. The hackers will increase their attacks on IoT using a vulnerability in cloud infrastructure and hardware to threaten the users physically or mentally.

B. Attack on identity platforms: Identity platforms offer centralized secure authentication of users, devices, and services across the IT environment. It could be a database of banks, hospitals, social media sites, etc. Identities of a large number of persons would be attempted to be stolen for extortion, impersonation or proving the inadequacy of the commercial organization in securing the important data (so as to blackmail).

C. Real world damages: There will be more and more attacks on services providing community services viz, municipality, health sector, electricity supply, water supply, and sewer systems. Besides the cybercriminals, who would use such hacking for ransom, terrorists and even nations can use it against public or adversaries.

D. Social media content compromise: There will be increased use of Botnets to compromise social media to influence public opinion.

Q. Being a healthcare publication, our readers would be interested in healthcare-specific cyber threats. What is your opinion on the health sector threats?
The health sector offers life critical services. It maintains the identity and clinical records of a large number of patients. The following factors make the health sector more vulnerable as compared to the other sectors.

• IoT (Internet of Things) devices are used extensively for the treatment of the patients viz. smart continuous glucose monitoring, connected inhalers for asthma, apple watch Identity platforms offer centralized secure authentication of users, devices and services across IT environment. It could be a database of banks, hospitals, social media sites, etc. PERSONA THEME TRENDS WELL-BEING ISSUES RESEARCH NEWSCOPE app that monitors depression, etc.
• The doctors and patients can connect external storage devices and even mobile phones to the hospital database system.
• Third-party software and hardware are deployed which makes it vulnerable to supply chain poisoning.
• Most of the services provided by the hospital are connected through the Internet or the cloud services.

Clinical data is of immense use for cybercriminals and cyber terrorists. They can use vulnerabilities in cybersecurity in the following ways:

1. Identity theft: Medical identity record is very useful for the cybercriminals as it can be used to impersonate people in the digital world and gain access to financial systems as well as to commit fraud by claiming treatment or insurance at the cost of insurance agencies and the patients. Therefore, this data is sold at a higher rate in the darknet as compared to identity records of other sectors.
2. The clinical records of the patients may sometimes contain their psychological disorders or conditions, or a person may be suffering from concealed diseases (sexually transmitted disease, etc). The hacker may make use of such information by blackmailing or harassing the patients. It would cause hardship to the patients and would put the reputation of the healthcare service provider/hospital at stake which failed to protect the patients’ identity and clinical records.
3. Ransomware attacks on hospitals will be on rising. The information of the patients is mostly time critical. If the cybercriminal denies the access of data to the hospital even for a short span of time, it may lead to lack of timely treatment to critical patients and therefore, hospital administration is not in a position to delay the ransom payment.
4. Prescription change: In India, the majority of renowned hospitals in metro cities are computerized. Doctors give online prescriptions which immediately become available to the concerned medical staff, such as a nurse who administers the drug to the patient. Cybercriminal scan tampers the prescription which may harm or even cause the death of the patient. They can cause an obstruction in the oxygen supply line or failure of electricity. They would be able to change the medical records of the patients, which will lead to wrong diagnosis and treatment. Not only cybercriminals but the terrorists can adopt the above techniques and threaten the nations or can even cause large scale fatalities.

Therefore, it becomes extremely important to adequately secure the health sector databases.

Q. The health sector has seen major attacks of ransomware; part of the equation is ‘money aka cryptocurrency’ in organized crime. How do we handle this?

Being proactive about cybersecurity is perhaps the best approach to tackle cyber-attacks. The health sector should form cybersecurity forum for cybersecurity policy formulations and mutually evaluate hospitals’ preparedness against the cyberattacks ensuring adherence to the cybersecurity policies. Additionally, each hospital network should have a dedicated team of IT security professionals to guide the management and proactively check for any cyber invasion. The IT team should ensure that the latest patches for all the devices and software are installed and there is protection from supply chain poisoning. The system should be equipped with features firewalls, Intrusion Detection System, Intrusion Protection system and processes analytical tools among others.

The blockchain techniques can also be explored for data management and the patient databases should be encrypted so that they are of no use to the hacker. Further, the hospitals must take data backup with a fast recovery plan. Regular penetration testing of the system should be done to eliminate potential vulnerabilities.

Hospitals should invest in training IT staff in cybersecurity policies and cybersecurity technologies. Regular analysis should be done of employees’ computer usage pattern so that any compromised user is effectively detected and timely removed from using the system. There should also be a secure access control preferably using biometric features.

Q. Today security has become a hot topic and world over we see that regulation is leading change and innovation! What is your vision for India in regard? What regulations will make the health sector more secure? Or we don’t need regulation?

The cybercriminals attempt to hack the computer resources of the hospitals by exploiting the vulnerabilities in the computer systems. They manipulate the stored information, steal the same or hold it for ransom. The hospital databases work on the trust reposed by patients in the hospital administration that their data will be guarded with privacy.

Cybercriminals can be prosecuted under various provisions of the Indian Information Technology Act, 2000(ITA). The IT Act creates civil liabilities for the offenses under the Act vide Sections 43 to 45, wherein an amount of compensation can be given to victims; it also creates criminal liabilities vide Sections 65 to 74 of the Act. Cybercriminals are liable to both civil and criminal liabilities.

Hospital administration is responsible for protecting the data and failure to protect can result in civil liability under Section 43A of the IT Act. However, this section can be invoked if the breached data results into wrongful loss to the victim or wrongful gain to a cybercriminal. The victim has to prove that there was a wrongful loss to him/her. The offenses by the intermediaries are criminalized under Section 67C of the IT Act. However, the same gets diluted by the provisions contained in Section 79 of the IT Act. Hence, the IT act doesn’t provide absolute data security laws.

The Government of India appointed Justice BN Srikrishna Committee for effective data protection laws in India. The committee submitted the Draft Data Protection Bill, 2018 to the government in July 2018. It will be introduced in parliament after the forthcoming elections in India. The Government of India is also planning to introduce “The Digital Information Security in Healthcare Bill” in the parliament to secure the healthcare data of patients in India.

Q. As the cyber incidents keep rising and legal regime catches up, what is your opinion on our abilities in investigating cybercrime? As you know attribution and audit trail are not the easiest in the cyber world, any advice for stakeholders so that they are not wrongly prosecuted or get justice on time?

According to Section 78 of the IT Act, 2000, a police officer of the rank of Inspector and above is authorized to investigate the offenses under the IT Act. This is to ensure the quality of the investigation. However, all Inspectors in police are not trained in cybercrime investigation. Further, complexities of computer technology, tools, and methodology used by cybercriminals make it difficult even for a trained person to keep pace with the development in this field. Police organizations don’t employ external cyber experts to aid in the investigation. Each police officer investigating the case seeks help from other expert police officers or cyber experts of his/her choice. Therefore, institutional help is lagging.

There is also the dearth of cyber experts in forensic science laboratories, resulting in delays of months and years in getting reports from them which can compromise the further evidence leading from forensic analysis of seized electronic material. During my tenure in the Enforcement Directorate, I found this delay to be of 1 to 3 years, therefore, I initiated six in-house cyber forensic labs. This led to the cyber forensic analysis done at a quicker pace also improving the quality of investigation.

The next hurdle is the global spread of evidence into other jurisdictions. A letter rogatory (letter of request) is sent to each foreign jurisdiction for getting the evidence located in that jurisdiction. The process is slow and it may take 3 to 4 years in getting a reply. If that reply further requires evidence from another foreign jurisdiction then another 3-4 years are gone. Therefore, the entire investigation is time-consuming.

The investigation becomes further complicated if Tor or onion routing is employed by cybercriminals. Finding the cybercriminal in this scenario becomes more difficult.

The IP address (internet protocol) and the time of its use, identify uniquely the source of the attack. However, the cybercriminal may commit cyberattack through Bot or botnet. In that case, the IP address will lead the investigation officer to the slave machine, even though the user of this machine would have no knowledge of the misuse of his computer resources. If the investigating officer doesn’t go into the depth of log analysis of such a system, then the innocent people might have to face false prosecution. The stakeholders should ensure all logs are maintained and stored by his computer system so that the audit trail can lead to actual perpetrator of cyber-attack.

Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.

The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.

The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.

Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.

Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.

Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.

Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.

Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.

Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.

Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.

There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.

Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.

According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.

Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.

With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.

Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.

All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.

On the other hand, the device vendors hold providers responsible for their negligence and having outdated network  protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.

It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.

The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.

Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.

The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com

Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2 
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz 
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw 
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com

Introduction

The famous Silicon Valley investor Marc Andreessen says, “software is eating the world”. By, which he means that increasingly we are bringing software into systems to increase efficiency, lower down the cost or time involved in the process. Interestingly, humans also do software writing and humans are prone to make mistakes. It is estimated by various experts that 1000 lines of code (KLoC) has approximately 15-50 bugs present. Bugs here mean mistakes made by the software programmer while writing the software code. Bugs often result in some kind of malfunction or wrong output. Some of these bugs can lead to exploit by a third party making the larger system vulnerable or as we call hackable. As long as humans will write software, bugs will be there.

In a typical software company as bugs are discovered, new code is written to fix these bugs. The new code might further result into new bugs hence the cycle continues. At the consumer end, we keep receiving software updates over the air, as we use our phone / laptops or other devices, which are many times an attempt of the software company to overcome the past mistakes.

A lone computer hacker or an organized crime group looks at these software updates (sometimes called patches) very curiously as for them this could be a chance of hitting the jackpot! They reverse engineer it and try to understand the bug, that the patch is trying to cover. Very often systems are not updated with latest updates. Leading to most system having a known vulnerability, which the hacker can take advantage after understanding it well. Hackers further can create a simple script (programming code snippet) to some sophisticated software, which can then take advantage of the vulnerable system. We often call such a program as malware, as it is built with bad intention.

Today, as we talk it has become from a hobby crime to organized crime! Software companies regularly receive communication from bounty hunters about exposing their critical software bugs and in exchange not to do so, hackers want to charge them bounty money. Some software companies have gone further and engaged these bounty hunters to reduce security risks in their software.

In some cases the hacker is not interested in the bounty money (hence they do not inform the software maker) but rather interested in exploiting the bug. Sometimes, the bug is not known to the software maker or anyone else in the world and can be converted into a lethal attack. Such attacks are known as a zero day attack! As prior knowledge of such a vulnerability does not exist. Hence, most software security solutions, like anti virus software do not work on them. Further selling the knowledge of exploit as lethal software is now called as a cyber weapon. Nation states are now engaged in buying or building such software to infect systems of enemy states. Hence, we have come very far in the business of software bugs, where the enemy could be a lone developer, an organized crime group or a Nation state.

How is software eating the health sector and the threats linked to it?

In the above section we discussed in general, how the exploitation of software is increasingly becoming a serious business. While, we have seen many examples in last 30 years from a hobby software programmer to Nation states taking advantage of the software driven vulnerabilities. We would like to share some examples closer to the health sector.

1. Malware affecting data systems

Hospital information systems and similar information systems as part of the healthcare delivery have become very commonplace and one of the core component of the system. As pointed out in the introductory section, organized crime groups are now looking to exploit software bugs for commercial purposes. One of the ingenious way that they have developed is a malware known as ransomware . Ransomware is a malicious computer program which when executed on a system encrypts the data with very strong encryption making it unusable for hospitals or any other care provider to access patient records or other vital information. It then demands a ransom inform of bitcoins (a crypto currency) in order for the victim to have the key to decrypt the vital information. In recent incidents of ransomware infection, some hospitals in USA have even demanded millions of dollars as ransom and some have even paid.

The mitigation strategy for countering ransomware for any organization would be a strong backup of data. Also, creating awareness among the employees on sources of malware and reducing the chances of accidental infection of the workplace systems.

The long-term solution of tackling such organized crime is a better international legal framework, which allows international prosecution and cooperation among law enforcement agencies.

2. Denial of service attacks on ehealth services

In 2007 there was a distributed denial of service attack that took place in Estonia. A statue of the Russian soldier was removed from the Tallinn Square, capital of the country. Which sparked a response from sympathizers from Russia and it brought down the Estonian economy for three days. Estonia being one of the most advance countries when it comes to take up of e governance services, ehealth being one of them. The entire attack costed less than 50,000 US dollars. That was the first Denial of service attack the world saw at the level of a nation state.

The basic premise behind such an attack is that you have a service (e-service) to be provided to citizens over Internet like their own health records for example. The provider would have some finite amount of bandwidth and computing power at the backend of the service correlating to the average load on the service. In a distributed denial of service attack, the attacker uses compromised computing devices (commonly known as a bot) to access the Internet service. The botnet, which is a collection of such bots could be having thousands or millions of such devices that simultaneously access the service. The service provider is not able to distinguish the normal traffic from the bot traffic and often the server crashes under the heavy load. For a normal user trying to access the service, the service is unavailable because of the finite resources of the server being exhausted by the bot traffic. Hence, it is called a denial of service attack.

Hence, when a city, state or a nation is considering providing an eservice to citizens it could witness such attacks. One strategy to mitigate such attacks is to have tracking of the server traffic for any anomalies and having redundancy available in the system. This is achieved many times by putting the service on a cloud, which can tolerate such traffic fluctuations.

3. Data leak and breaches

Many health systems or systems require some kind of authentication mechanism to log in to the system in order to access the service. Many a times these are text password based systems behind which, important patient profile or health records information is stored. The largest of the companies like that of Google, Microsoft etc have seen attacks where the attacker is able to leak the passwords of millions of their customers. Such scenarios result in massive breach of data privacy and compromise for customers.

Good security practices, proper encryption of data and regular updates of the system are some of the key considerations for avoiding such instances. Nowadays, two-factor authentication has become a standard practice for making the authentication systems more robust. However, still some user awareness is needed to opt for better security practices whenever possible.

4. Hacking medical devices and health system

If we look at the building blocks of the health systems, where information technology is deeply integrated. We have already covered the health information systems, eservices and patient interface of authentication into the services. However, increasingly we hear about Internet of Things (IoT) devices in the health sector domain. Which means the integration of Internet services into traditional medical devices or new age devices, which have also connectivity. For example, a thermometer which can send the temperature data to your phone or a stethoscope which can record the patient breathing sound and upload in a server for finding patterns of lung diseases. These are powerful use cases and provide great opportunity to clinicians and care providers, where they have greater computation power available to them and they are able to do more with less. However, these IoT devices are prone to the same kind of attacks as any other communication device or a software program. They can be compromised to show wrong values and totally messing up the diagnosis. There are already such instances. One such instance not related to health sector but important is of the Stuxnet. Stuxnet was designed for the SCADA systems of Iranian nuclear program by USA and Israel in order to delay their nuclear program.

5. Stealing identity information

As mentioned in the point 3, about data leaks and breaches at the system level. One problem, which can arise from such an attack, is a further more damaging attack that is stealing of identity information. In India, mobile phones to receive an sms message containing one time password is increasingly becoming a standard practise because of being cost effective, simple and secure. Any such application, which you may install on your phone, can also get access to the sms and other features of your phone. Meaning the incoming sms or calls can also be stolen by this application to complete the transaction on your behalf. As increasingly we have to prove ourselves using biometrics or passwords to online systems. It is possible for the attackers to steal these credentials and access our records without our knowledge. Hence, any third party applications that we install on our devices (especially phone) , we need to be very careful about the type of access control they have on our devices.

6. Implantable medical devices with communication interfaces:

In 2007, the former US Vice President, Dick Cheney’s implanted pacemaker’s wireless communication was disabled fearing a terrorist attack. This sounds like science fiction to many but incident has already happened ten years back! Many of the medical devices are built with a communication interface and it is quite normal for a typical pacemaker or other such devices to have a Bluetooth or a similar communication technology based interface for remote diagnosis and other purposes. While, the communication ability of such a device was planned for looking at the state of the pacemaker it was not designed with keeping security in mind. Hence, it is possible that someone can connect to a critical device like pacemaker and shuts it down remotely.

One more reason that such exploits are possible increasingly as computing is becoming cheaper. What seems strong security today might not be strong tomorrow. However, an implantable device might stay in the patient’s body for tens of years. Hence, we need to have a long-term view on the communication interfaces and their capabilities on such devices. We need to make considerations on control and information capabilities of these interfaces. Misuse of control capabilities can lead to even death and misuse of information capabilities can lead to breach of patient privacy.

Way forward: why Internet is the new breeding ground for crime?

The law of the land governs the Internet in every country and hence the legal regime globally is very fragmented. However, a user of Internet does not see any borders or walls and so is the criminal. They build their criminal businesses where they do not fear strict government action and often for paltry sums the user or the national law enforcement agencies do not pursue the criminal cases cross border.

On top of it newer crypto currencies like Bitcoins, makes it easy to make such transaction in an anonymous manner. Dark net marketplaces provide a breeding ground for criminals to conduct illegal transactions of billions of dollars without getting caught. So, the three important components, weak legal enforcement, anonymous currency and secret marketplaces are enabling the cyber crime to flourish. If we want to slow it down, we will need greater international collaboration among lawmakers and user awareness at all levels.

Reference:
(i) https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
(ii) http://labs.sogeti.com/how-many-defects-are-too-many/
(iii) https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net/transcript?language=en
(iv) https://hackerone.com
(v) https://en.wikipedia.org/wiki/Zero-day_(computing)
(vi) https://en.wikipedia.org/wiki/Cyberweapon
(vii) https://en.wikipedia.org/wiki/Ransomware
(viii) https://en.wikipedia.org/wiki/Bitcoin
(ix) http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html
(x) https://www.theguardian.com/technology/2016/feb/17/los-angeles-hospital-hacked-ransom-bitcoin-hollywood-presbyterian-medical-center
(xi) http://innovatiocuris.com/looming-danger-of-ransomware/
(xii) http://www.bbc.com/news/technology-24608435

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com