The first session was about the ‘Challenges in the implementation of DISHA’. The panelists were happy that InnovatioCuris has taken an initiative to critically discuss the challenges a hospital will face once the act becomes the law. All the panelists agreed that the act lacks various aspects. Few concerns that bother the clinicians are, that who will give the consent if the patient is unconscious.

The ambulances have the capability that it sends the health records from the ambulance to hospital before the patient reaches the hospital for doctors to study the emergency cases. In this scenario, what should be done if a patient denies the consent for sharing the data at a later stage? Should the clinical establishments discard the already shared health record or should they handover the same to the owner (in this case, patient) or what should be done. There are no set protocols defined in the act for such cases.

A question was put forward, does the patient has the authority to edit their health record, or can they view, who have seen their health record. A healthy discussion took place where we got to know that citizens of Estonia have chip cards, where one can see their health record and can also see the logs of who has accessed their health record. This made us realize, that India as a nation state can use Aadhar card as a mechanism, where we can log in into a portal and get to see health records.

The third challenge that came forward was interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. The health record can be shared by the clinical establishments to another, but there is no standard on how to transfer it. Data integrity is a point of concern, which is not mentioned in the act.

One of the challenges that came into light was according to ‘Clinical Establishment Act Standards for Hospital[2]’ the hospital has to keep health information and statistics in respect of national programmes, notifiable diseases, and emergencies/disasters/epidemics and furnish the same to the district authorities in the prescribed formats and frequency. The question is what if the patient does not give consent. The proposed act should have a provision where the clinical establishments are liable to take the health data.

As we have unstructured healthcare facilities in India, the act should also empower the clinical establishments by various means to keep the data safe. As of now the DISHA is a proposed act, not a law and has lots of loopholes. It also lacks in many aspects discussed earlier. This is just a start and the government should take necessary steps to improve it.

The second panel discussed on ‘Opportunities for making health sector DISHA and data protection ready’. The panelist consisted of CIO of path labs, owners of healthcare IT firms, who shared relevant thoughts and comments. The panel started the discussion on why do we need the act and what are the benefits of the act. Panelist were grateful to the government to bring the act. They told that the clinical establishments will take steps to increase the safety of the health record.

The gaps in the technology for generation, storage and transmission will be lowered down. Sectors such as banking, financing and insurance have structured their data, but this lacks in healthcare. Detailed scope of security features are missing from the act, this would help the companies to design the software from the ground up by using security as an important consideration.

The imminent threat is in the software which are already in place and have not been patched or the system has not been upgraded. The good news is that many have an audit trail in built in their system, which track any CRUD(creation, read, update, delete) of the records. The discussion contributed a fruitful thought: Data at rest is not encrypted. The question that arises is what is preventing the healthcare IT companies to encrypt the data at rest.

One of the challenge in the DISHA is that, the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health record within three days. But according to IBM report it takes on an average of 197 days to detect a breach[1]. How can the Healthcare IT companies safeguard the health record and let the owner know about the breach. The solution is to encrypt the tables in the database, but that might hamper the performance.

It is a huge opportunity for the stakeholder to bring standards in the act. DISHA might have only completed its first round of comments from the public and stakeholders, it can be expected that the revisions made based on the feedback will churn out a more refined version of the act. In any case, it is evident from the draft that the government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health record.

Introduction

The famous Silicon Valley investor Marc Andreessen says, “software is eating the world”. By, which he means that increasingly we are bringing software into systems to increase efficiency, lower down the cost or time involved in the process. Interestingly, humans also do software writing and humans are prone to make mistakes. It is estimated by various experts that 1000 lines of code (KLoC) has approximately 15-50 bugs present. Bugs here mean mistakes made by the software programmer while writing the software code. Bugs often result in some kind of malfunction or wrong output. Some of these bugs can lead to exploit by a third party making the larger system vulnerable or as we call hackable. As long as humans will write software, bugs will be there.

In a typical software company as bugs are discovered, new code is written to fix these bugs. The new code might further result into new bugs hence the cycle continues. At the consumer end, we keep receiving software updates over the air, as we use our phone / laptops or other devices, which are many times an attempt of the software company to overcome the past mistakes.

A lone computer hacker or an organized crime group looks at these software updates (sometimes called patches) very curiously as for them this could be a chance of hitting the jackpot! They reverse engineer it and try to understand the bug, that the patch is trying to cover. Very often systems are not updated with latest updates. Leading to most system having a known vulnerability, which the hacker can take advantage after understanding it well. Hackers further can create a simple script (programming code snippet) to some sophisticated software, which can then take advantage of the vulnerable system. We often call such a program as malware, as it is built with bad intention.

Today, as we talk it has become from a hobby crime to organized crime! Software companies regularly receive communication from bounty hunters about exposing their critical software bugs and in exchange not to do so, hackers want to charge them bounty money. Some software companies have gone further and engaged these bounty hunters to reduce security risks in their software.

In some cases the hacker is not interested in the bounty money (hence they do not inform the software maker) but rather interested in exploiting the bug. Sometimes, the bug is not known to the software maker or anyone else in the world and can be converted into a lethal attack. Such attacks are known as a zero day attack! As prior knowledge of such a vulnerability does not exist. Hence, most software security solutions, like anti virus software do not work on them. Further selling the knowledge of exploit as lethal software is now called as a cyber weapon. Nation states are now engaged in buying or building such software to infect systems of enemy states. Hence, we have come very far in the business of software bugs, where the enemy could be a lone developer, an organized crime group or a Nation state.

How is software eating the health sector and the threats linked to it?

In the above section we discussed in general, how the exploitation of software is increasingly becoming a serious business. While, we have seen many examples in last 30 years from a hobby software programmer to Nation states taking advantage of the software driven vulnerabilities. We would like to share some examples closer to the health sector.

1. Malware affecting data systems

Hospital information systems and similar information systems as part of the healthcare delivery have become very commonplace and one of the core component of the system. As pointed out in the introductory section, organized crime groups are now looking to exploit software bugs for commercial purposes. One of the ingenious way that they have developed is a malware known as ransomware . Ransomware is a malicious computer program which when executed on a system encrypts the data with very strong encryption making it unusable for hospitals or any other care provider to access patient records or other vital information. It then demands a ransom inform of bitcoins (a crypto currency) in order for the victim to have the key to decrypt the vital information. In recent incidents of ransomware infection, some hospitals in USA have even demanded millions of dollars as ransom and some have even paid.

The mitigation strategy for countering ransomware for any organization would be a strong backup of data. Also, creating awareness among the employees on sources of malware and reducing the chances of accidental infection of the workplace systems.

The long-term solution of tackling such organized crime is a better international legal framework, which allows international prosecution and cooperation among law enforcement agencies.

2. Denial of service attacks on ehealth services

In 2007 there was a distributed denial of service attack that took place in Estonia. A statue of the Russian soldier was removed from the Tallinn Square, capital of the country. Which sparked a response from sympathizers from Russia and it brought down the Estonian economy for three days. Estonia being one of the most advance countries when it comes to take up of e governance services, ehealth being one of them. The entire attack costed less than 50,000 US dollars. That was the first Denial of service attack the world saw at the level of a nation state.

The basic premise behind such an attack is that you have a service (e-service) to be provided to citizens over Internet like their own health records for example. The provider would have some finite amount of bandwidth and computing power at the backend of the service correlating to the average load on the service. In a distributed denial of service attack, the attacker uses compromised computing devices (commonly known as a bot) to access the Internet service. The botnet, which is a collection of such bots could be having thousands or millions of such devices that simultaneously access the service. The service provider is not able to distinguish the normal traffic from the bot traffic and often the server crashes under the heavy load. For a normal user trying to access the service, the service is unavailable because of the finite resources of the server being exhausted by the bot traffic. Hence, it is called a denial of service attack.

Hence, when a city, state or a nation is considering providing an eservice to citizens it could witness such attacks. One strategy to mitigate such attacks is to have tracking of the server traffic for any anomalies and having redundancy available in the system. This is achieved many times by putting the service on a cloud, which can tolerate such traffic fluctuations.

3. Data leak and breaches

Many health systems or systems require some kind of authentication mechanism to log in to the system in order to access the service. Many a times these are text password based systems behind which, important patient profile or health records information is stored. The largest of the companies like that of Google, Microsoft etc have seen attacks where the attacker is able to leak the passwords of millions of their customers. Such scenarios result in massive breach of data privacy and compromise for customers.

Good security practices, proper encryption of data and regular updates of the system are some of the key considerations for avoiding such instances. Nowadays, two-factor authentication has become a standard practice for making the authentication systems more robust. However, still some user awareness is needed to opt for better security practices whenever possible.

4. Hacking medical devices and health system

If we look at the building blocks of the health systems, where information technology is deeply integrated. We have already covered the health information systems, eservices and patient interface of authentication into the services. However, increasingly we hear about Internet of Things (IoT) devices in the health sector domain. Which means the integration of Internet services into traditional medical devices or new age devices, which have also connectivity. For example, a thermometer which can send the temperature data to your phone or a stethoscope which can record the patient breathing sound and upload in a server for finding patterns of lung diseases. These are powerful use cases and provide great opportunity to clinicians and care providers, where they have greater computation power available to them and they are able to do more with less. However, these IoT devices are prone to the same kind of attacks as any other communication device or a software program. They can be compromised to show wrong values and totally messing up the diagnosis. There are already such instances. One such instance not related to health sector but important is of the Stuxnet. Stuxnet was designed for the SCADA systems of Iranian nuclear program by USA and Israel in order to delay their nuclear program.

5. Stealing identity information

As mentioned in the point 3, about data leaks and breaches at the system level. One problem, which can arise from such an attack, is a further more damaging attack that is stealing of identity information. In India, mobile phones to receive an sms message containing one time password is increasingly becoming a standard practise because of being cost effective, simple and secure. Any such application, which you may install on your phone, can also get access to the sms and other features of your phone. Meaning the incoming sms or calls can also be stolen by this application to complete the transaction on your behalf. As increasingly we have to prove ourselves using biometrics or passwords to online systems. It is possible for the attackers to steal these credentials and access our records without our knowledge. Hence, any third party applications that we install on our devices (especially phone) , we need to be very careful about the type of access control they have on our devices.

6. Implantable medical devices with communication interfaces:

In 2007, the former US Vice President, Dick Cheney’s implanted pacemaker’s wireless communication was disabled fearing a terrorist attack. This sounds like science fiction to many but incident has already happened ten years back! Many of the medical devices are built with a communication interface and it is quite normal for a typical pacemaker or other such devices to have a Bluetooth or a similar communication technology based interface for remote diagnosis and other purposes. While, the communication ability of such a device was planned for looking at the state of the pacemaker it was not designed with keeping security in mind. Hence, it is possible that someone can connect to a critical device like pacemaker and shuts it down remotely.

One more reason that such exploits are possible increasingly as computing is becoming cheaper. What seems strong security today might not be strong tomorrow. However, an implantable device might stay in the patient’s body for tens of years. Hence, we need to have a long-term view on the communication interfaces and their capabilities on such devices. We need to make considerations on control and information capabilities of these interfaces. Misuse of control capabilities can lead to even death and misuse of information capabilities can lead to breach of patient privacy.

Way forward: why Internet is the new breeding ground for crime?

The law of the land governs the Internet in every country and hence the legal regime globally is very fragmented. However, a user of Internet does not see any borders or walls and so is the criminal. They build their criminal businesses where they do not fear strict government action and often for paltry sums the user or the national law enforcement agencies do not pursue the criminal cases cross border.

On top of it newer crypto currencies like Bitcoins, makes it easy to make such transaction in an anonymous manner. Dark net marketplaces provide a breeding ground for criminals to conduct illegal transactions of billions of dollars without getting caught. So, the three important components, weak legal enforcement, anonymous currency and secret marketplaces are enabling the cyber crime to flourish. If we want to slow it down, we will need greater international collaboration among lawmakers and user awareness at all levels.

Reference:
(i) https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
(ii) http://labs.sogeti.com/how-many-defects-are-too-many/
(iii) https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net/transcript?language=en
(iv) https://hackerone.com
(v) https://en.wikipedia.org/wiki/Zero-day_(computing)
(vi) https://en.wikipedia.org/wiki/Cyberweapon
(vii) https://en.wikipedia.org/wiki/Ransomware
(viii) https://en.wikipedia.org/wiki/Bitcoin
(ix) http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html
(x) https://www.theguardian.com/technology/2016/feb/17/los-angeles-hospital-hacked-ransom-bitcoin-hollywood-presbyterian-medical-center
(xi) http://innovatiocuris.com/looming-danger-of-ransomware/
(xii) http://www.bbc.com/news/technology-24608435

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com