Lt General (Dr.) Rajesh Pant is an internationally recognized Cyber Security expert, presently tenanting the prestigious appointment of National Cyber Security Coordinator at the Prime Minister’s Office, India. General Pant brings to the table an interesting mix of military operations, academic excellence, corporate governance, and cybersecurity wisdom. Prior to this, he was the Head of the Army’s Cyber Training establishment for three years. He served in the Army Signals Corps for 41 years wherein he was awarded three times by the President of India for distinguished service of the highest order. He also served as the Chairman of Precision Electronics Ltd as a Governing Council Member of IETE (India). Sachin Gaur interviewed him on his viewpoint on India’s vision for cybersecurity.

Q. On behalf of InnoHEALTH Magazine, we congratulate you on your new assignment. For our readers, we would like you to share your short-term and long-term vision for Cybersecurity from national security perspective.
Short-term vision is to issue National Cyber Security Strategy 2020-25 early next year. Task force is working overtime on this by consulting all stakeholders. Long-term vision is to create an all-encompassing cyber vertical at the national level, to handle incident response, cybercrimes, legal issues and capacity building.

---

Q. We know that there are some fundamental technological shifts waiting to happen like 5G, and along-with it massive (Internet of Things) IoT deployments and especially use cases of connected healthcare. Can you share your views on the cybersecurity implications of the connected devices?
IoT security is a priority topic world over and this is because the limited security capabilities of these devices are also an afterthought. We need to work on a framework, to bring baselinesecurity through the manufacturers and developers of these devices. These devices are omnipresent in our lives, we find them in our home environment to industrial environments including hospitals. We have seen attacks in the past, where such devices are compromised to launch massive denial of service attacks to manipulate the workings of critical infrastructure.
Also, the issue of IoT security is multidimensional, from data security, privacy to device security. As we discuss this, there are multiple acts and bills pending in the Parliament on these topics. While the bills and acts will provide a framework, we need to also create awareness on both sides, supplier and consumer on the possible risks and mitigation strategies.

---

Q. What steps can be taken to improve the security in such connected devices?
When I say baseline security framework, it can be achieved in multiple ways.
As of today, most devices that we use including mobile phones, do not have a security testing certification. So, we can agree with the industry and look at important test cases and if they can do self-certification on such test cases.
For example: the device should not have weak default login credentials, it is sending data to a remote server and can be operated remotely. So, we can come up like a 5-star rating framework like that of the energy consumption but for the security of IoT devices basis what kind of tests they clear.
Industry bodies can agree on various levels of security and what it takes to achieve that level. Such a framework, when implemented, can provide confidence to consumers and users on the kind of device they are using vis-a-visthe use case they have at hand. So, they might use a higher security rating device in a use case where the stakes are high.
The other approach is to get the security testing done with notified agencies. Department of Telecom for example has announced mandatory security testing of network elements for telecom given telecom is a part of the critical infrastructure and security issuescannot be taken lightly.
Also, some of the emerging concepts in connected devices are missing in the various governing acts of the industrial connected devices. So, we also need to update our legal frameworks to cover software-based tempering of such devices and make the manufacturers and service providers accountable and proactive towards the security of the systems they provide.

---

Q. What are the threats that you foresee for the health sector?
There are three areas we see where health sector can be impacted:
First is the data breaches and ransomware attacks on healthcare data. As we know, among all the data, healthcare is the most sensitive and sought after by malicious actors. Outside of India, we have seen umpteen cases where ransomware has crippled the health system and it is only after paying the ransom the hospitals can start operation again. Timely backups and encryption of healthcare data during storage is a preventive measure that clinical establishments can take to mitigate the breach and ransomware attacks.
Second is the manipulation of connected devices. The topic of IoT and connected devices security, as discussed in the above sections, directly apply to the medical devices. Healthcare is a domain where attacks on such devices can be life threatening, especially when there are implantable devices. As we have the new Medical Device Regulation Act in India since 2018, we should also consider cyber security aspect in the devices which have a communication interface. For example, a pacemaker which has a communication interface can be manipulated remotely and the patient’s life is at risk.
Third is the manipulation of health system including the building management. We are probably not very far from the days when sophisticated attacks, as we see in the movies, on high security establishments by manipulating the building controls. The building management systems are very weak when it comes to security. Every hospital is a building and imagine what a false fire alarm would mean to patients in Intensive Care Unit. Or even loss of air conditioning or sudden spikes in electrical power.
There is a proposed act DISHA, Digital Information Security Healthcare Act, which might address some of the legal aspects of security in the healthcare setting. A lot needs to be done in this area, and we are on our way.

---

Q. Our readership consists of health experts all over the world. Any message for them?
We are at the cusp of a new age where we look to take advantage of Artificial Intelligence to Internet of Things. For such a knowledge economy to take off, health sector is at the center of it and health experts need to pay attention on what they are buying and how such systems are managed and operated. Through intervention of Ministry of Health & Family Welfare and responsible bodies such as National Accreditation Board of Hospitals & Healthcare Providers (NABH) of Quality Council of India, we plan to recommend a cyber audit and increased awareness of information security.
We would not want our hospitals and clinical establishments to be a prey for malicious actors. Rather we would want our experts to leverage technology to take the country to the next level in providing care to a wider population at a lower cost and of the highest quality.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

• Leadership: Ownership of the issue
• Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
• Policies and procedures: Understanding of business continuity processes and incident response procedures
• General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

• Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
• Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
• Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
• Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
• Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
• Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

• Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
• Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
• Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
• Use a firewall: Anything connected to the internet should have a firewall.
• Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
• Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
• Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
• Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
• Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
• Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science

Q. Given your important assignments for the Government of India in the past, share with us the big picture. What are the trends you see in terms of cybercrime and threats for 2019?

The world is getting more connected and technology has seeped into every aspect of our lives. On one hand, these advancements make our lives easier and on the other bring a lot of vulnerabilities with them if security isn’t strong enough to tackle cyber criminals. Hackers today are well-educated and have the capabilities to develop new methods and tools to exploit the vulnerabilities on the computer systems and networks. Few do it for their academic interest and thrill and inform the person concerned about the vulnerabilities so that the same can be plugged. They are known as white hat hackers. While the others do it with malice and self-gain and are known as Black hat hackers.

To gain access to the computer systems, the cybercriminals and hackers will continue to deploy already existing tools (called as exploits) with enhanced capabilities. More advanced tools will be also be developed in the coming years. Some of the important ones are enumerated below:

1. Chatbots: There will be extensive use of machine learning techniques (Artificial intelligence) in the near future. A Chatbot can be injected into the important website (for example, a banking site). Chatbot in the form of a man or woman would pop up on the screen and will start interacting with the user (like what we see the google assistant doing). Then it may misdirect the customer to a nefarious link similar to an actual banking site, thereby fetching important information from the customer and compromising his banking information.

2. Bot and botnet: The hackers have been successful in remotely taking control of the hacked computer systems. Such a system is known as a bot. The hacker can remotely misuse a machine (using computing time or other resources) without the actual user being aware of it. If there is more than one compromised device, then it is called a botnet. Botnets can be put to perform some distributed function viz, crypto jacking (mining bitcoins) or distributed denial of service attack.

3. Discover and target organizations outside the firewall: Most of the commercial organizations deploy firewalls, intrusion detection systems, and intrusion protection systems; thereby making hacking difficult. But they use the third-party software, which may be having vulnerabilities. Hackers can attack the third-party systems used by commercial websites.

4. Injection Attack: Protective systems installed on computers look for malicious files to detect cyber-attack. The injection attack is filed less; the hacker directly inserts the malicious code in the memory, thereby compromising the machine, without ever dropping a file onto the infected system. One such example is British Airways site hack in 2018, resulting in identity theft of around 3,80,000 users.

5. Biometric Hacking: Cybercriminals use brute force attack, dictionary attack or social engineering, etc., to crack the passwords. Many people have shifted to biometrics. The academic research suggests that a number of officers print authentication systems could be spoofed, even highly sophisticated facial recognition system has been proven vulnerable to more advanced hacking efforts.

6. Application of artificial intelligence: Artificial intelligence techniques will be used more and more to avoid detection by intrusion detection tools. For example, Waterminer, a cryptocurrency mining tool injected as malware, stops mining when task manager or antimalware scan is run.

Also Read:
Social Isolation in a Digitally Connected World
Sweden-India Collaboration in Health Sector

7. Rouge AP(access point) and Evil Twin: Rouge AP is an access point installed on the network without the knowledge of the administrator, while the evil twin is identical network.

The above-mentioned techniques will be sharpened to attack numerous utility services (some of which are listed below) by the black hat hackers for malicious purposes:

A. Internet of things(IoT): the Considerable number of smart gadgets (such as TV, plugs, IP cameras, smartphones, tablets, network video recorders, heaters, refrigerators) are used at homes and industries. When these gadgets are connected to the Internet, they are termed as the Internet of Things. The hackers will increase their attacks on IoT using a vulnerability in cloud infrastructure and hardware to threaten the users physically or mentally.

B. Attack on identity platforms: Identity platforms offer centralized secure authentication of users, devices, and services across the IT environment. It could be a database of banks, hospitals, social media sites, etc. Identities of a large number of persons would be attempted to be stolen for extortion, impersonation or proving the inadequacy of the commercial organization in securing the important data (so as to blackmail).

C. Real world damages: There will be more and more attacks on services providing community services viz, municipality, health sector, electricity supply, water supply, and sewer systems. Besides the cybercriminals, who would use such hacking for ransom, terrorists and even nations can use it against public or adversaries.

D. Social media content compromise: There will be increased use of Botnets to compromise social media to influence public opinion.

Q. Being a healthcare publication, our readers would be interested in healthcare-specific cyber threats. What is your opinion on the health sector threats?
The health sector offers life critical services. It maintains the identity and clinical records of a large number of patients. The following factors make the health sector more vulnerable as compared to the other sectors.

• IoT (Internet of Things) devices are used extensively for the treatment of the patients viz. smart continuous glucose monitoring, connected inhalers for asthma, apple watch Identity platforms offer centralized secure authentication of users, devices and services across IT environment. It could be a database of banks, hospitals, social media sites, etc. PERSONA THEME TRENDS WELL-BEING ISSUES RESEARCH NEWSCOPE app that monitors depression, etc.
• The doctors and patients can connect external storage devices and even mobile phones to the hospital database system.
• Third-party software and hardware are deployed which makes it vulnerable to supply chain poisoning.
• Most of the services provided by the hospital are connected through the Internet or the cloud services.

Clinical data is of immense use for cybercriminals and cyber terrorists. They can use vulnerabilities in cybersecurity in the following ways:

1. Identity theft: Medical identity record is very useful for the cybercriminals as it can be used to impersonate people in the digital world and gain access to financial systems as well as to commit fraud by claiming treatment or insurance at the cost of insurance agencies and the patients. Therefore, this data is sold at a higher rate in the darknet as compared to identity records of other sectors.
2. The clinical records of the patients may sometimes contain their psychological disorders or conditions, or a person may be suffering from concealed diseases (sexually transmitted disease, etc). The hacker may make use of such information by blackmailing or harassing the patients. It would cause hardship to the patients and would put the reputation of the healthcare service provider/hospital at stake which failed to protect the patients’ identity and clinical records.
3. Ransomware attacks on hospitals will be on rising. The information of the patients is mostly time critical. If the cybercriminal denies the access of data to the hospital even for a short span of time, it may lead to lack of timely treatment to critical patients and therefore, hospital administration is not in a position to delay the ransom payment.
4. Prescription change: In India, the majority of renowned hospitals in metro cities are computerized. Doctors give online prescriptions which immediately become available to the concerned medical staff, such as a nurse who administers the drug to the patient. Cybercriminal scan tampers the prescription which may harm or even cause the death of the patient. They can cause an obstruction in the oxygen supply line or failure of electricity. They would be able to change the medical records of the patients, which will lead to wrong diagnosis and treatment. Not only cybercriminals but the terrorists can adopt the above techniques and threaten the nations or can even cause large scale fatalities.

Therefore, it becomes extremely important to adequately secure the health sector databases.

Q. The health sector has seen major attacks of ransomware; part of the equation is ‘money aka cryptocurrency’ in organized crime. How do we handle this?

Being proactive about cybersecurity is perhaps the best approach to tackle cyber-attacks. The health sector should form cybersecurity forum for cybersecurity policy formulations and mutually evaluate hospitals’ preparedness against the cyberattacks ensuring adherence to the cybersecurity policies. Additionally, each hospital network should have a dedicated team of IT security professionals to guide the management and proactively check for any cyber invasion. The IT team should ensure that the latest patches for all the devices and software are installed and there is protection from supply chain poisoning. The system should be equipped with features firewalls, Intrusion Detection System, Intrusion Protection system and processes analytical tools among others.

The blockchain techniques can also be explored for data management and the patient databases should be encrypted so that they are of no use to the hacker. Further, the hospitals must take data backup with a fast recovery plan. Regular penetration testing of the system should be done to eliminate potential vulnerabilities.

Hospitals should invest in training IT staff in cybersecurity policies and cybersecurity technologies. Regular analysis should be done of employees’ computer usage pattern so that any compromised user is effectively detected and timely removed from using the system. There should also be a secure access control preferably using biometric features.

Q. Today security has become a hot topic and world over we see that regulation is leading change and innovation! What is your vision for India in regard? What regulations will make the health sector more secure? Or we don’t need regulation?

The cybercriminals attempt to hack the computer resources of the hospitals by exploiting the vulnerabilities in the computer systems. They manipulate the stored information, steal the same or hold it for ransom. The hospital databases work on the trust reposed by patients in the hospital administration that their data will be guarded with privacy.

Cybercriminals can be prosecuted under various provisions of the Indian Information Technology Act, 2000(ITA). The IT Act creates civil liabilities for the offenses under the Act vide Sections 43 to 45, wherein an amount of compensation can be given to victims; it also creates criminal liabilities vide Sections 65 to 74 of the Act. Cybercriminals are liable to both civil and criminal liabilities.

Hospital administration is responsible for protecting the data and failure to protect can result in civil liability under Section 43A of the IT Act. However, this section can be invoked if the breached data results into wrongful loss to the victim or wrongful gain to a cybercriminal. The victim has to prove that there was a wrongful loss to him/her. The offenses by the intermediaries are criminalized under Section 67C of the IT Act. However, the same gets diluted by the provisions contained in Section 79 of the IT Act. Hence, the IT act doesn’t provide absolute data security laws.

The Government of India appointed Justice BN Srikrishna Committee for effective data protection laws in India. The committee submitted the Draft Data Protection Bill, 2018 to the government in July 2018. It will be introduced in parliament after the forthcoming elections in India. The Government of India is also planning to introduce “The Digital Information Security in Healthcare Bill” in the parliament to secure the healthcare data of patients in India.

Q. As the cyber incidents keep rising and legal regime catches up, what is your opinion on our abilities in investigating cybercrime? As you know attribution and audit trail are not the easiest in the cyber world, any advice for stakeholders so that they are not wrongly prosecuted or get justice on time?

According to Section 78 of the IT Act, 2000, a police officer of the rank of Inspector and above is authorized to investigate the offenses under the IT Act. This is to ensure the quality of the investigation. However, all Inspectors in police are not trained in cybercrime investigation. Further, complexities of computer technology, tools, and methodology used by cybercriminals make it difficult even for a trained person to keep pace with the development in this field. Police organizations don’t employ external cyber experts to aid in the investigation. Each police officer investigating the case seeks help from other expert police officers or cyber experts of his/her choice. Therefore, institutional help is lagging.

There is also the dearth of cyber experts in forensic science laboratories, resulting in delays of months and years in getting reports from them which can compromise the further evidence leading from forensic analysis of seized electronic material. During my tenure in the Enforcement Directorate, I found this delay to be of 1 to 3 years, therefore, I initiated six in-house cyber forensic labs. This led to the cyber forensic analysis done at a quicker pace also improving the quality of investigation.

The next hurdle is the global spread of evidence into other jurisdictions. A letter rogatory (letter of request) is sent to each foreign jurisdiction for getting the evidence located in that jurisdiction. The process is slow and it may take 3 to 4 years in getting a reply. If that reply further requires evidence from another foreign jurisdiction then another 3-4 years are gone. Therefore, the entire investigation is time-consuming.

The investigation becomes further complicated if Tor or onion routing is employed by cybercriminals. Finding the cybercriminal in this scenario becomes more difficult.

The IP address (internet protocol) and the time of its use, identify uniquely the source of the attack. However, the cybercriminal may commit cyberattack through Bot or botnet. In that case, the IP address will lead the investigation officer to the slave machine, even though the user of this machine would have no knowledge of the misuse of his computer resources. If the investigating officer doesn’t go into the depth of log analysis of such a system, then the innocent people might have to face false prosecution. The stakeholders should ensure all logs are maintained and stored by his computer system so that the audit trail can lead to actual perpetrator of cyber-attack.

In a recent healthcare conference, the people were unaware when I spoke about how on October 21, 2013, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts. To this, everyone had an issue on accountability. It remains unanswered that who would be liable, the doctor, hospital, company which provided pacemaker or the insurance company. Amidst all this, nobody was concerned about the patient as none present there questioned it. Maybe we are awaiting a major catastrophe to happen to put our minds to work. It is our endeavor to equip the healthcare community to this aspect of digital health.

Cybersecurity is a major concern for patient safety and healthcare infrastructure. The health records, data, hospital information system and individual medical devices are all targets. The vulnerability is in technology and lack of awareness of staff. There are many examples to quote wherein hospitals have become the victim of attacks. A recent audit of a corporate hospital in Delhi by our team revealed that 80% of equipment is vulnerable to cyber attack, thus, risking the patients. Healthcare providers are not sensitized to issue as required hence this magazine is dedicated to Cybersecurity. We have named it Cyber4Healthcare and even launched a training program in the healthcare domain to update knowledge of this extremely important topic. There is an immediate necessity that we invest in staff and equipment to make our systems robust enough to protect them from cyber-attacks.

We at InnovatioCuris always strive to sensitize the healthcare providers with new technologies and our next issue would focus on IoMT or connected healthcare which is overtaking the segment rapidly. However, we should always keep in mind that we are master of technologies and not the other way around. Can humane touch be replaced by technology? The trend nowadays is that we are leaving human ingenuity behind and are being heavily dependent on technology. There is a need to understand the benefits and challenges of newer devices, technology, and thinking. Let us consider how we can balance traditional to modern approach in today’s world and get the best of both worlds. Let our readers share their experiences by writing for the magazine to benefit all.

Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.

The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.

The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.

Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.

Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.

Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.

Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.

Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.

Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.

Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.

There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.

Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.

According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.

Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.

With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.

Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.

All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.

On the other hand, the device vendors hold providers responsible for their negligence and having outdated network  protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.

It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.

The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.

Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.

The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com

Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2 
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz 
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw 
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com

Ransomware is an alarming attack not just for your personal data on your mobile or PC, it is much more – it is all about your personal data, the loss of which can be pocket-pinching as well. Learn about how to recognize such attacks and how to deal with them.

The first computer virus was Brain,[1] written by two Pakistani brothers in 1986, without any negative intentions in mind. 30 years since then, computer viruses have come a long way and one can say that it has become an industry or ‘organized crime’.[2] The first creators had their contact details and the physical address in the message shown in the infected computer. Even after 25 years of the incident, a Finnish cyber security expert could go and meet them to celebrate the anniversary of the event.[3] The virus writers no more write their physical address in the computer message but they do write payment instructions if you want to rescue your computer or mobile device.

If we ask a question to security experts on what has changed in the way computer viruses work, the most likely response you will get is that the viruses have become very complex! It is no more a lone guy writing them to have some fun, no more like a hobbyist in the garage. Writing a computer virus is, increasingly, job of an enterprise with a criminal motive in mind. From an individual to a Nation state, either could be responsible for the job of writing state-of-the-art computer virus to steal data, or make your machine a Bot,[4] or at times to even destroy a nuclear reactor.[5] The industry is getting organized and the Nation states are buying these as weapons to be used against other enemy countries. We are in the era of “cyber weapons”.

Latest in the series is a type of virus, which looks to make money for its creator by asking for ransom. It is called ransomware.[6] If you ask around in your network, about the ransomware, people might say that they don’t know about it! However, if you ask them the same question rephrased, whether they have seen any instance of the computer screen showing that their data is now encrypted and they need to pay money to recover it, the situation may sound familiar to some!

“Ransomware hits 150 PCs at Maha Mantralaya”,[7] such news item is increasingly becoming common. As for the first time, the business of computer viruses is getting organized into a moneymaking enterprise. As per the latest Symantec report,[8]

India ranks third in Asia for the number of ransomware attacks taking place. It is estimated that India is seeing 170 attacks per day, out of which majority is ransomware.

Now focusing a bit on the health sector. We are seeing an increasing number of instances where the US hospitals are being impacted with ransomware and a huge amount of ransom is being demanded.[9] The criminals are aware of the high value of the hospital data, because of its sensitivity and criticality, hence the risk. Given the early signals from the US market, Indian hospitals should also be prepared to tackle the looming challenge.

What is the solution to the Ransomware challenge?

a. Having a good and timely backup: when your data is encrypted and you are being asked for ransom, you will have to pay the money until and unless you have a backup. As a healthcare organization, you need to have a good backup plan and strategy to mitigate any such disaster.

b. Preventive strategy, training employees to not to fall in the trap: The malware to spread needs a vector. Often this vector can be an email and luring the person to click. If your employees know what not to click, than you have a better chance of surviving the looming challenge. Invest in an appropriate training for your employees.

c. Legal Aspect: If you are ever affected with ransomware, you will be asked to pay in bitcoins. A bitcoin is a non-traceable crypto currency.[10] Hence, it makes it easy for the criminals to collect the money. However, as we write this article, buying and selling of bitcoins is not considered legal in India.[11] If you can report the instance to the authorities, it is possible for them to investigate it further and hopefully they can come up with a legal action or build policies around this topic to safeguard the interest of businesses.

Stay alert, really and virtually!!

Refernces:
[1] https://en.wikipedia.org/wiki/Brain_(computer_virus)
[2] http://www.americanrhetoric.com/speeches/mikkohypponendefendinginternet.htm
[3] http://www.americanrhetoric.com/speeches/mikkohypponendefendinginternet.htm
[4] http://www.cisco.com/c/en/us/about/security-center/virus-differences.html
[5] https://en.wikipedia.org/wiki/Stuxnet
[6] https://en.wikipedia.org/wiki/Ransomware
[7] http://timesofindia.indiatimes.com/india/Ransomware-hits-150-PCs-at-Maha-Mantralaya/articleshow/52441113.cms
[8] http://gadgets.ndtv.com/internet/news/india-ranks-third-in-asia-for-ransomware-attacks-symantec-777853
[9] https://en.wikipedia.org/wiki/Bitcoin
[10] http://indiatoday.intoday.in/story/is-bitcoin-trading-illegal-in-india-probe-agencies-agree-users-disagree/1/336567.html
[11] http://fortune.com/2016/04/01/u-s-hospitals-face-growing-ransomware-threat/

Connect with InnovatioCuris on: 
Facebook: https://www.facebook.com/InnovatioCuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com

Connect with InnoHEALTH 2017 on:
Facebook: https://www.facebook.com/innohealth2017
Twitter: https://twitter.com/innhealth2017
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about the conference by visiting: www.innohealth.in