WannaCry Archives - InnoHEALTH magazine

Hackers Target Patients' Sensitive Health Data

InnoHEALTH Magazine — Mon, 29 Jul 2019 10:53:06 +0000

With more and more hospitals and health care facilities moving their infrastructure to Cloud-enabled Internet of Things (IoT) environment including India, hackers find patients’ sensitive health data their next big bet to make quick money. Is there a way out?

In May 2017 when WannaCry ransomware cyber attack took down hospitals across the United Kingdom, causing them to lose access to patient sensitive health data, the world took notice. Hospitals and clinics were forced to turn away patients in large numbers, including those suffering from serious ailments during the cyber attack.

In the last two years, the growing breed of hackers has brought to the fore a seemingly worrisome possibility: What if critical patient data is hacked and healthcare providers are asked to “pay to get a life back” because ransomware can attack life-supporting medical devices?

The threat is real, especially at a time when health care facilities the world over, including in India, are installing Cloud-based Internet of Things (IoT) devices to make sense of critical health data. Billed as the Internet of Medical Things, this network is made up of smart, connected devices that automatically collect, process, and digitally relay information from the physical world through a shared network infrastructure.

When it comes to India, technological advancements are redefining products and enabling customization of services in the healthcare industry across the spectrum. Not just private hospitals but government health care facilities in India are now exploring how to leverage New- Age technologies like Robotics, Blockchain, 3D printing and artificial intelligence.

In such a scenario, Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks that may compromise sensitive patients’ data as is happening all over the world. According to global cyber security firm Check Point’s 2019 Security Report, networked medical devices give healthcare professionals the ability to be much more accurate with their treatment regimens, far more efficient in administering care, and way quicker collecting and responding to biomedical information.

With hospitals adopting New-Age technologies to make sense of patients’ data for quick analysis and charting out the future course of treatment, it becomes critical to safeguard the patients’ data.

Ransomware today accounts for 85 per cent of the malware in the healthcare industry. As the IoT ecosystem expands, so does the attack surface for cyber criminals.

In other words, the more hospitals rely on connected technology in our day-to-day lives, the more vulnerable these become to the cyber threats that are increasingly tailored to exploit vulnerabilities and security design flaws in IoT devices at healthcare facilities.

In a recent blog post, Salwa Rafee, IBM Security Industry Leader (Public Sector) says that new cybersecurity threats are emerging in healthcare almost daily.

“Today, hackers target medical and IoT devices that provide, transmit, and access confidential data because they can exploit the fact that most manufacturers did not consider cybersecurity when designing those devices,” she writes.

All of this increases vulnerability to ransomware. Many healthcare providers are forced into paying to get their data back.

Attackers are getting more sophisticated, organized and less obvious as they attempt to snare staff and administrators with rapidly changing tools.

Therefore, security training and guidance is critical to minimize staff exposure to phishing attacks and malware intrusion, as is reasserting policy and penalties for staff with bad intentions.

Tech giant Microsoft which aims to transform the healthcare sector through effective use of analytics- driven insights decoding the complex data available, is very seriously looking at securing the data.

For David Houlding, Principal Healthcare Programme Manager, Industry Experiences at Microsoft, healthcare is drowning in data. “Every patient brings a record that could span decades, with x-rays, MRIs, and other data that can affect every decision. Providers and payers bring their own collateral to the table. Skills, policies, and certifications are just the start,” he said in a blog post recently.

Global cyber security leader Sophos has also found that the healthcare industry in India is the most vulnerable and weak while implementing cyber security solutions for protecting IT infrastructure.

“The ‘State of Endpoint Security’ in Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks,” emphasizes Sunil Sharma, Managing Director Sales at Sophos India and SAARC, adding that more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.

The attacks are growing exponentially across the world. In July last year, the personal health data of 1.5 million people, almost a quarter of the Singapore’s population, including the details of the city-state’s Prime Minister Lee Hsien Loong, was hacked. The hackers broke into the government health database in a deliberate, targeted and well-planned attack. The hack compromised patients’ names, identity card (NRIC) number, address, gender, race and dates of birth.

Following the hack, SingHealth temporarily banned staff from accessing the Internet on all 28,000 of its work computers. According to IBM’s Rafee, finding the right security staff also poses many challenges to a healthcare organization. “Security is a competitive field and attracting the right talent with limited resources has proven to be difficult. Expanding your applicant pool to people with more diverse backgrounds is effective,” she advises.

Not just Singapore, Hong Kong’s Department of Health became the next big victim of a cyber attack after its computers were hit by ransomware which left data inaccessible. In the meantime, the fifth annual Healthcare Breach Report published by Bitglass has found that total number of records exposed in the healthcare sector globally rose to 11.5 million in 2018. On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017.

Is there any full-proof remedy against such malicious activities?

Sophos says that healthcare business needs to move from traditional security software like antivirus and deploy sophisticated security solutions. “Given the speed at which IT threats are evolving and becoming more persistent and coordinated, it is a deep concern to see the adoption of the next- generation predictive technologies. While we all do our best to assure the integrity and confidentiality of sensitive data, the methods we use leave us with a staggering number of false positives and logs to manage.

“It is important for organizations to keep up in this dynamic world of IT threats. Organizations need effective anti-ransomware, anti-exploit, and deep learning technology to stay secure,” Sharma emphasizes. Transparency is key. Reporting details of a breach to the public quickly and efficiently is now a requirement. “No organization wants the perception that they don’t disclose information that should be reported timely. I believe the public, and your patients, understand the risk that any organization is likely to be hacked or attacked at some level,” says Rafee.

Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems,” said Rich Campagna, CMO of Bitglass. As you read this, an unauthorized user accessed a “limited number” of employee email accounts at UConn Health (branch of the University of Connecticut), compromising personal data of more than 326,000 patients.

The US Department of Health and Human Services (HHS) reported that organisations paid out more than $28 million in settlement fees in 2018 – an all-time high in healthcare breach enforcement activity. “In October, the US health insurance provider agreed to pay a whopping $16 million and introduce “substantial corrective action” following a series of cyber-attacks that led to the largest US health data breach in history,” said HHS. The Cloud environment has changed the way companies manage, store and share their data, applications and workloads. Along with a wide range of benefits, though, the Cloud infrastructure also introduces a new, fertile and attractive environment for attackers who crave the enormous amount of available computing resources and sensitive data it holds.“

While we consider the cloud to be an organization’s weakest link, threats posed to them via their employee’s mobile and IoT devices are also to be taken seriously as one of many attack vectors from which sensitive data can be stolen or leveraged to launch an attack,” informs Check Point. As cyber attacks grow and hackers aim patients’ data to make quick money, what patients are carefully watching is how well the healthcare providers are prepared to respond, mitigate future threats and move forward.

About the author

Meenakshi Iyer is a New Delhi-based freelance journalist covering health, technology and latest innovations. With more than 15 years of experience, she has worked with top media publications in the country.

The post Hackers Target Patients' Sensitive Health Data appeared first on InnoHEALTH magazine.

Cybersecurity Business Evangelist

InnoHEALTH Magazine — Thu, 27 Jun 2019 07:27:18 +0000

Healthcare data breaches have risen nearly every year from 2010 through 2019 and the cybersecurity risks jeopardize hundreds of millions of patients records. Although physical theft used to be the data breach method of choice, now hacking has become the most prevalent method. This partly stems from more information being stored electronically and network servers becoming a more attractive hacking target.

However, much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. The migration of these workloads and moving valuable information such as PHI (personal health information) and PII (personally identifiable information) to the cloud has also led to cyber criminals taking a particular interest in the industry. Having shifted workloads to the cloud, healthcare organizations have highly connected systems that run the risk of being deeply affected even if the attack takes place on smaller,partial systems. In other words, a cyber attack in one place could bring down the entire system. In May2017, the WannaCry ransomware attack forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wrist bands were compromised.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

Leadership: Ownership of the issue
Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
Policies and procedures: Understanding of business continuity processes and incident response procedures
General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
Use a firewall: Anything connected to the internet should have a firewall.
Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science

The post Cybersecurity Business Evangelist appeared first on InnoHEALTH magazine.

The Vulnerability of Medical Institutions to Cyber Attacks

InnoHEALTH Magazine — Mon, 24 Jun 2019 10:39:58 +0000

McAfee’s researchers were able to modify the vital sign data in real-time providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You would have woken up to news that Medstar patient records’ database was subject to ransom ware cyber attack and was asked to pay bitcoins. Unfortunately, the hospital did not have backup of medical records and in some cases, they had to turn away the patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine-to-machine communications. It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices. However, many hospitals are yet to make their data security systems extremely robust. Data privacy and data security are the two important pillars that need urgent consideration. Just as financial data is loved by the cyber criminals, so is health data becoming a gold-mine with the cyber offenders. Specially so when the hospitals are run on legacy systems and there is no dedicated framework or surveillance on their own data.

Personally, identifiable data is an indicator of an individual, such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Several cyberattacks on medical institutions are initiated to extract the electronic health records (EHRs) of patients. These EHRs may contain their personal health information, medical history, diagnosis codes, billing information, etc., which can be exploited by the cyber offenders in various manners, for instance to get ransom from the medical institutions or to create fake IDs to buy medical equipment(s) or medication which can be resold or exclusively sold on prescription.

Take this example. On 12 May 2017, a global ransomware attack, known as WannaCry affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under NHS) and further 603 primary care and other National Health Service (“NHS”) organisations were infected with the ransomware virus including 595 general practitioners. The trusts which were affected with WannaCry ransomware faced issues like patient appointments being cancelled, computers being locked out, diversion of patients from accidents and emergency departments, etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHSmail (the NHS email system).

In India, as reported by multiple news agencies, last year in the month of June, the Mahatma Gandhi Memorial (a trust-run hospital) hospital, Mumbai (MGM Hospital) was affected by a similar cyber-attack where the hospital administrators found their systems locked and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institutions hostage for ransom, by encrypting all the systems completely inaccessible and unusable for the victimised medical institutions. The vulnerability to such cyberattacks may account to various reasons, such as outdated digital infrastructure, medical personnel unaware or untrained about cyberattacks. Cyber offenders may gain access to medical institutions’ systems through various ways and sometimes as simple as (a) using a USB drive; (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking email or (e) phishing, etc. It is time that our healthcare providers upgrade their technologies, networks, and understanding on this subject.

Regulatory bodies across the world have suggested / adopted guidelines and cybersecurity processes and controls which help the medical institutions to mitigate cyber risks and vulnerabilities. In this article, we will be primarily focusing on various safeguards and standards put in place by the European Union and India to deal with such cyberattacks.

SCENARIO IN EUROPE

As a part of the EU cybersecurity strategy, the European Commission standards to ensure necessary adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and it came into force in August 2016. As the NIS Directive is an EU directive, every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (a) national capabilities, (b) crossborder collaborations and (c) national supervision of the critical sectors including health.

(a) National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g., it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).

(b) Cross Border Collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.

(c) National Supervision of Critical Sectors: As per the NIS Directive, every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive the NIS cooperation group through ENISA has developed guidelines regarding (a) identification criteria of cyberattacks, (b) incident notification, (c) security requirements for Digital Signal Processors (DSPs), (d) mapping of operators of essential services (OES) security requirements for specific sectors including health and (e) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribe certain standards of safety and quality, three recognised EU standards organisations namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and, (c) the European Telecommunications Standards Institute (ETSI) were set up. By setting common standards across EU, CEN, ETSI and CENELEC ensure protection of consumers, facilitate cross-border trade, ensure interoperability of goods/ products, encourage innovation and technological development, and include environmental protection and enable businesses to grow.

The General Data Protection Regulations (“GDPR”) specifically define ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special category of data’. This means that parties who are processing special category of data shall comply with additional higher safeguards and process it legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

THE INDIAN SCENARIO

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step for addressing issues relating to cybersecurity when it amended the Information Technology Act, 2000 in 2008, through which they established an Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cybersecurity incidents occurring in India and analysing information related to cybercrimes, but among other things CERT is also indulged in issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incident.

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cybersecurity incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cybersecurity as may be prescribed.

CERT-India in the last five years or so has focused on making various institutions who are highly dependent on cyber/digital networks, i.e. are ‘cyber resilient’. Being cyber resilient allows these institutions to effectively anticipate the various threats and figure out the mechanisms of dealing with the cyberattacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient.

Anticipate: Maintain a state of informed preparedness to forestall compromises of mission/ business functions from adversary attacks
Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyberattacks
Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
Evolve: To change missions/business functions and/or the supporting cyber capabilities, to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain rules. The rules require each and every corporate body including medical institutions who collect sensitive personal information to have security measures as documented in their security policy/programme which is considered to be a reasonable security practice, keeping in mind the nature of their business and considering the fact that they are collecting sensitive personal information. One such international standard as recommended under the Rules is the IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data, thereby making such holder responsible to protect privacy, confidentiality and security of data.

To bring it all together:

Majority of the cyberattacks reported worldwide are caused due to reasons which sometimes are trivial and perhaps ignored more often, such as outdated Windows operating system patch, lack of proper antivirus or reasons such as phishing, lack of awareness among the people about cybersecurity, etc.

The EU, through GDPR has made data security an integral part of law and India is taking strong steps to set up a robust data protection and data security law. Various regulations, programmes, codes, standards, etc., discussed in this article are some key indicate steps that can be implemented.

Law is just one part to solve the issue. The real question is who is responsible for safety of our personal data, commercial data, data assets, etc.? We secure our houses with a lock, burglar alarms, video cams because the house owner wants to protect it. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of various cyber-threats and must take steps to safeguard their networks and systems from such threats.

About the author:

Sharda Balaji is the founding partner of NovoJuris Legal, and along with being a qualified lawyer is also a company secretary and has been at the core of evolution of technology and IT laws in India.

Manas Ingle is a legal associate at NovoJuris Legal and works as a technology lawyer, where he deals with various legal projects relating

The post The Vulnerability of Medical Institutions to Cyber Attacks appeared first on InnoHEALTH magazine.

Cybersecurity Trends, Challenges, and Threats in Healthcare

InnoHEALTH Magazine — Tue, 28 May 2019 06:57:20 +0000

Likewise, the global trends, the growth of the Internet in India is incredibly fast-paced, with an estimated addition of 10 million active users each month. Along with the increase in the number of users, the adoption rate of going digital by various stakeholders in our society is also growing exponentially. Unfortunately, this also increases our vulnerability to potential hacks or security breaches that come from individual hackers to organized groups to even attacks from nation states. Cybersecurity, thus, entails protection of our cyberspace, and all the critical infrastructures like banking and finance, defense, healthcare, manufacturing, nuclear reactors, and commercial facilities from being the target to any sort of attack, damage, misuse or act of espionage.

The healthcare industry is particularly vulnerable to cyber threats not least because of the minimal amount of investment they put in cybersecurity measures. Hospitals, insurance companies, pharmacies, developers/ owners of healthcare websites, manufacturers of medical devices, or handsets, or third-party vendors to which sensitive patient data gets shared; all represent a leaky pipeline through which hackers can enter a system and cause extensive damage. The types of attacks can include access to patient’s medical history, prescriptions, financial and personal details or using the Internet of Medical Things to disrupt implanted medical devices or devices like drug infusion pumps. Healthy cybersecurity practices have, therefore, never been more important than today when a ransomware attack like WannaCry has the potential to literally shut down a country’s (UK) National Health Service.

Where India stands today?

According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.

For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.

India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.

Also Read:
Cyber4Healthcare: An Issue of Today & Tomorrow
DISHA – Need of the hour

Healthcare specific provisions

While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.

Accordingly, DHD means any electronic record of health-related information

concerning the physical or mental health of a person
on any health service provided to an individual
on a donation of any body part of any bodily substance
derived from testing or examination of a body part or bodily substance
collected during providing health services
relating to details of the clinical establishment accessed by a person

DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.

Marching ahead

The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.

About the author

Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.

The post Cybersecurity Trends, Challenges, and Threats in Healthcare appeared first on InnoHEALTH magazine.

Cyber-Biosecurity: Are we ready?

InnoHEALTH Magazine — Thu, 02 Aug 2018 08:42:50 +0000

Bertrand Russell once said, ‘War doesn’t determine who is right−only who is left”, thus ‘we need to update, upgrade and be prepared for our own survival’. These words sound more relevant in the contemporary phase in the wake of fast changing global scenario and emerging inevitability for updating virtually by spilled of seconds.

Amalgamation of biotechnological and information technology advancement in the 21st century has altered our world at the fundamental level which is evident in the area of health, manufacturing, and food security. Humankind has also witnessed malicious bugs like Y2K and Wanna cry in biological and cyber field respectively. We have reached new landmarks on our understanding of how biological systems work and also discovered ways to meaningfully manipulate these systems as per our advantage/ requirement. Biotech tools, such as gene drives, can deliberately engineer inheritable genetic traits into wild populations, offering a powerful new way to escape from certain vector-borne diseases.

Gene editing tools such as CRISPR-CAS9 (Clustered Regularly Interspaced Short Palindromic Repeats associated protein-9 nuclease) are being used globally for quick and precise gene editing. Researchers like to use computers to analyze DNA, operate lab machines and store genetic information. In the health sector, the digitization of biology & metabolic engineering accelerated the development of new vaccines, drugs, and painkillers. Agriculture is becoming smarter/digitized, with farmers relying on data-driven decision acquired through sensors planted in the ground, satellites guiding tractor movements and other new practices. But these emerging capabilities come with a whole new category of vulnerabilities and risks.

Also Read: IIT Kanpur Braces Up to Prevent Cyber Attacks

Over the last five years “technological barriers to acquire and use biological weapon has been significantly eroded.” The security impact of biotech advances goes beyond bioweapon. For example, developments in metabolic pathway engineering also offer opportunities to produce illegal drugs such as heroin. Scientists have already identified how to make the active compounds in other narcotics, such as for cannabis and precursors of LSD. What if a terrorist group or a despotic regime tries to spread modified organisms aimed at striking troops, frightening civilians, or putting food production in disarray? The failed attempt of Japanese cult to obtain Ebola strains from South Africa is one such indicator.

Recently Jean and coworkers (2018) highlighted the risks of using gene sequencing technologies to corrupt the databases by altering sequences or annotations. In this article, computer scientists designed a DNA sample that when sequenced, resulted in a data file which enabled the hacker to control the sequencing computer remotely and gave access to the hacker to make changes in DNA sequences. These alterations could delay a research program causing capital, labor loss or can be used in act of terrorism for uncontrolled production of toxins or infectious agents. To mitigate these risks, the culture of the life sciences community needs to shift from trusting blindly to a highly aware and trained community. This also requires intricate relationships between the computational and experimental dimensions of product development workflows.

The diverse nature of pathogens and toxins with their potential to be used as a biowarfare agent (BW) could be attributed to multiple factors. These include infectivity (the number of organisms required to cause disease), virulence (the severity of the disease caused), transmissibility (ease of spreading from person to person), and incubation period (the time from exposure of a biological agent to the onset of illness). All these attributes are manageable by modern biotechnology and information related to such experimentation trials is key to any covert attack using these for BW.

Similarly, in the cyber world, there is a diversity of malicious codes. These include viruses (programs that replicate in target machinery); worms (self-sustaining programs) and carriers such as a trojan horse to perform a legitimate function with malicious activity. Additionally, Botnets, or networks of computers infected with malicious code, can be coordinated to perform distributed denial of service attacks. For biological weapons, delivery vehicles range from advanced aerial spray technology to contamination of food products or water, while malicious code in cyberspace can be delivered by usage portals, email, web browsers, chat clients, web-enabled applications, and updates. The cyber threat has expanded dramatically in recent years with a series of damage. Terrorists are using cyber capabilities over traditional methods to target 104 countries including India.

Also Read: Time To Take Some Intelligent Decisions

Governments and security experts have singled out the life sciences sector as being significantly vulnerable to cybercrime. In cybersecurity terms, innovation is fast 50 Volume 3 | Issue 3 | July-September 2018 becoming a double-edged sword for life sciences clients. Recently FireEye disclosed the threat posed by two Advance Persistent Threat (APT) groups which gained access to the environment of a leading pharmaceutical company for up to three years prior to detection. They stole IP and business data from the victim, information on bio cultures, products, cost reports, and other details pertaining to the company’s operations abroad. There is nothing more important to a pharmaceutical organization than the formula for one of its new drugs.

For cyber biosecurity, employee training should be given priority. It can greatly increase an organization’s general awareness of these new risks. Similar to biosafety training, cybersecurity training modules and policies should be introduced. Secondly, organizations should perform a thorough analysis of its exposure to cyber biosecurity risks not covered by existing biosafety and biosecurity policies.

Training exercises based on this type of analysis will encourage participants to review their workflows and identify their vulnerabilities. It is high time now to evolve a policy framework to detect and prevent security threats that may compromise life sciences assets. It includes guidelines on synthetic DNA targeted companies that provide DNA synthesis services to monitor research focus and relates features.

Bioinformatics software is still not hardened against attack. Encouragement of widespread adoption of standard software best security practices like input sanitization, the use of memory safe languages or bounds checking at buffers, and regular security audits is necessary. Patching still remains challenging as the analysis software are often located in individually managed repositories and not regularly updated. One solution is to use a centralized repository to manage updates and deliver patches, similar to the APT package manager.

These could also be signed to ensure their authenticity. In the case of file sharing, the sequencing files themselves could be signed by verified research groups before uploading them to centralized databases. This is just the glimpse of the long list of strategies that need immediate deployment, continuous review, and improvement with time.

The post Cyber-Biosecurity: Are we ready? appeared first on InnoHEALTH magazine.

TIME TO TAKE SOME INTELLIGENT DECISIONS

InnoHEALTH Magazine — Tue, 28 Nov 2017 10:34:57 +0000

[vc_single_image image=”2799″ alignment=”center” onclick=”link_image”]

The author Mikko Kotila has 12 years of continuous research and development in machine intelligence, and is the core developer of Autonomio, the first rapid machine intelligence prototyping platform for non-programmers. Mikko is the principal of Botlab, a nonprofit foundation focused on long-term thinking on machine intelligence, and decentralization, and a co-founder of Autom8, one of the world’s first deep learning focused startup foundries.

A new paradigm for use of machine intelligence in healthcare

Many national economies are on the brink of collapse under the burden of state-supported health insurance programs. For example in the US, a country that does not provide universal healthcare, the national debt is expected to double as a result of healthcare related liabilities over the next three decades. There is an even greater price to pay for the inefficiencies found in healthcare systems. When already overburdened systems are pushed to their limits, healthcare professionals are forced to make bad decisions.

In a startling example, during Hurricane Katrina, doctors and nurses at New Orleans’ Memorial Hospital found themselves incapable of making even simple decisions. In her Pulitzer Prize-winning coverage, Sheri Fink reported how patients deemed the least likely to survive, were injected with a lethal combination of drugs — even as the evacuation was already on its way.

This chilling anecdote sheds light on a greater problem underpinning many of the biggest threats hurting human society and the eco-system of our planet.

We humans are not equipped for making good decisions under stress. Positive outcomes across a multitude of fields, including healthcare, largely depend on the ability to make good decisions under unpredictable and stress inducing conditions. We, humans, are not only bad at making decisions under pressure but are poorly equipped for making any rational decisions at all.

Daniel Kahneman, in his Nobel Prize winning work on decision making, explains how after years of deliberation leading to a single decision, the person making the decision might still completely ignore the entire process of deliberation and instead make a decision driven by emotions in a whim of the moment.

An Age of Automated Decision Making

As the information age is about the focus on automating processes related to access to information, the next age, the age of “decisioning”, will focus on automation of processes related to decision making. Whereas humans are excellent in pattern detection and pattern making, an essential requirement for creating intelligent computer systems, computers are strong in making decisions where processing of facts is of vital importance. This almost magical ability of computing systems to process information includes the capability to identify and utilize extremely subtle connections between otherwise seemingly disconnected pieces of information, a feat us humans could never do on our own with the kind of precision and scale even a simple computer system can. In no other field, rational decisions are of such vital importance as in healthcare.

Not only healthcare is the most significant economic liability for many nations, but it is also the only field of practice affecting people’s everyday lives that can be considered truly as “life and death” matter. It is, therefore, the area where the human society most desperately needs help.

[vc_single_image image=”2800″ img_size=”medium” alignment=”center” onclick=”link_image”]

Computer-aided decision systems can be categorized into three evolutionary stages, each with a corresponding quality of results, and the requirement for a level of human involvement.

Whereas up until a few years ago, most systems were still ‘descriptive’ with some examples of ‘predictive’ decision- making support systems, in the last two years the developments in the field of machine intelligence have for the first time made the dream of prescriptive expert systems realistic. Recent advancements in both open source software and commercial hardware have paved the way for rapid prototyping of ideas that promise to revolutionize the way decisions are made across a multitude of fields, including healthcare.

Examples of these advancements include deep learning platforms such as Google’s TensorFlow and Keras, unstructured data processing innovations such as word vectorization, and Nvidia’s data processing focused GPU product-line.

Regardless of the tremendous promise and the recent hype surrounding machine intelligence, some significant concerns remain without any serious attention. While machine intelligence innovators would like to focus on showcasing “what’s possible,” before introducing new ideas and processes into the healthcare apparatus, it is far more important to ask “what could go wrong”.

Morality and Healthcare Algorithms

Every machine intelligence solution can be reduced into two aspects; the data inputs available for the solution, and the means by which the solution process those inputs. These two act as the causes for the result the system provides. Algorithms underpin every decision a computer system makes, regardless of the kind of system it is. The unique feature in this regard, of modern machine intelligence systems, such as those based on neural networks and the deep learning method, is that humans cannot audit them. It is for this reason that we can get surprising results us humans could not arrive at without working with machine intelligence, and it is important to understand that surprising results may also be negative results. In many cases, adverse results in the healthcare context arise from causes that were set years or even decades before, and as of today, it is virtually impossible to establish true causality in such cases. This means that it would be almost impossible to know if a given machine intelligence solution is contributing positively in the long term or just driving shortterm efficiency. This will hold true at least for the next 100 years, or as long as it takes to understand causality in results that take decades to mature.

When in the 1980’s game theory-based principles were widely introduced in the western healthcare context, nobody predicted the consequences. For example, while nurses and doctors were incentivized to meet certain productivity quotas such as the number of days spent in the ICU, mortality rates of patients skyrocketed as a result of ICU beds being more available. In effect, a quota scheme is an example of a simple algorithm and can be used to highlight the danger that comes with introducing machine intelligence into healthcare.

This applies in particular in countries with universal healthcare and poorly performing national economy. Under such conditions, humans that make the decisions about the use of machine intelligence in the national healthcare system, are under tremendous stress. Not only their decisions affect individual patients’ lives but also have the potential for changing the destiny of an entire nation. It is very hard to see how under such conditions, non-experts, being bombarded with endless hype by self-proclaimed machine intelligence experts, would be able to make the right decisions.

In fact, government officials, healthcare professionals, nor computer and data scientists, are formally trained in morality and often lack even the most basic understanding of ontology, epistemology, and formal logic. The three legs of the stool on which rational decisions sit. As a result, as we have seen through examples in financial markets, online advertising, and other early embracers of algorithmic decision making, we end up with so-called greedy algorithms that optimize towards a given end ruthlessly without caring about anything else.

Unlike healthcare professionals, these algorithms are not afraid of losing their livelihood and reputation as a result of making the wrong decision that ends up hurting people.

While a healthcare facility or a professional working in one, could be sued for damages, in the case of machine intelligence systems, liabilities in the healthcare context have so far not been defined.

Security in Healthcare Systems

In the light of the recent events regarding ransomware, and the rapid growth in its popularity as a cybercrime tool, it does not seem too far-fetched that in the near-future entire hospitals will be targeted and held for ransom. Indeed many hospitals had already become victims of ransomware as a consequence of passive global or national attacks. In the recent WannaCrypt ransomware attack individual medical devices were rendered temporarily useless after being infected.

Siemens released multiple warnings about its healthcare devices being possibly vulnerable to WannaCrypt. Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council said that it was likely that many important medical devices such as MRIs and other crucial computer-aided systems were rendered temporarily useless by the attack.

These examples show how healthcare organizations and their technology partners are currently incapable of securing important systems. Whereas in the human operated healthcare apparatus, the devastation is so easy to create, in a highly automated machine intelligence based healthcare apparatus, the problem would be significantly amplified.

Here too, regarding security and healthcare systems, we have to seriously consider the implications of the machine intelligence ideas that are adopted today, regarding the threat landscape over the next few decades.

For example, current cryptographic methods are all based on so-called key exchange cryptography. Any sudden improvement in computation power, for instance in the form of quantum computing becoming practical, will lead to an immediate collapse of the key exchange based security paradigm. In a machine intelligence dominated healthcare apparatus, collapse of the key exchange based security paradigm has the potential for leading to the greatest human travesty in the history of the world. In the absence of serious discussion about such longer-term threats, it will not be possible to make the right decisions regarding decision-making automation and wider adoption of machine intelligence based expert systems in healthcare.

The Importance of Human Touch

Sometime in the distant future, we may be able to completely automate certain key aspects of healthcare, such as triage management. Even then it is of significant importance to not lose sight of the essence of healthcare; taking care of people. Taking care of people is one part taking care of their physical body, and one part taking care of their feelings.

In a completely machine intelligence and robotics based triage management approach it would be hard for patients to feel that they are being taken care of in the way they feel when an actual doctor is treating them.

On the other hand, in a very short period of time, the doctors would lose their ability to deal with the basic day-to-day taking care of patients that still today keep them overworked.

Because algorithms don’t feel anything, for example, empathy, it is also likely that as specialist doctors increasingly get their inputs from those algorithms, they become further distanced from the human aspect that some argue is necessary for healing practice. In this light, perhaps it’s more reasonable for the allopathic medicine to seek intelligence from its eastern counterparts such as TCM, TTM, and Ayurveda, as opposed to seeking it from machines. Machines that ultimate base their decisions on the combination of the information they are receiving and the algorithms that process the information. Both the information and the algorithms being a product of, and therefore limited by, the people who produce them.

Combining the instruments and other marvels of the western symptomatic healthcare approach with the more holistic but in some cases inferior Eastern practices, have the potential for driving significant change within the healthcare system as we know it today.

In terms of specific machine intelligence implementations, as the point-of-view presented in this article clearly shows, the focus should be on long-term macro effects of such implementations, as opposed to focusing on short-term and micro context.

Perhaps in a future world where the western and eastern medicinal practices are better integrated and institutionalized into a new era of taking care of patients, we will be better equipped to handle the challenges that come with machine intelligence focused healthcare.

Want to write for InnoHEALTH? send us your article at magazine@innovatiocuris.com

Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6
InnoHEALTH Volume 2 Issue 4 (October to December 2017) – http://amzn.to/2B2UMLw

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
LinkedIn: https://www.linkedin.com/groups/7043791
Stay updated about IC, visit: www.innovatiocuris.com

The post TIME TO TAKE SOME INTELLIGENT DECISIONS appeared first on InnoHEALTH magazine.

RANSOMWARE EPIDEMIC – WHO IS NEXT?

InnoHEALTH Magazine — Fri, 17 Nov 2017 09:59:44 +0000

[vc_single_image image=”939″ alignment=”center” onclick=”link_image” qode_css_animation=””]

Nimisha Singh Verma is Healthcare IT consultant. She brings with her experience of various esteemed healthcare organizations Optum, Religare Technologies and tertiary care hospitals. Authored chapter on Indovation in Innovations in Healthcare Management: Cost Effective and Sustainable Solutions book published in US.

[vc_empty_space]

Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.

[vc_empty_space]

The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.

The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.

Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.

Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.

Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.

Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.

Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.

Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.

[vc_single_image image=”2367″ img_size=”medium” alignment=”center” onclick=”link_image” qode_css_animation=””]

[vc_empty_space]

Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.

There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.

Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.

According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.

Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.

With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.

Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.

[vc_empty_space]

All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.

On the other hand, the device vendors hold providers responsible for their negligence and having outdated network protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.

[vc_single_image image=”2369″ img_size=”medium” alignment=”center” onclick=”link_image” qode_css_animation=””]

[vc_empty_space]

It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.

The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.

Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.

The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.

[vc_empty_space]

Want to write for InnoHEALTH? send us your article at magazine@innovatiocuris.com

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com

The post RANSOMWARE EPIDEMIC – WHO IS NEXT? appeared first on InnoHEALTH magazine.