Amidst COVID19 – Time to declare India’s Health Sector as Critical Sector for Cyber Security

by Dr. E. Dilipraj - 4 April, 2020, 12:00

The Corona global pandemic has become a dark spot in human history. With more than 1 million people infected from every nook and corner of the world, the global community is clearly in a state of health emergency, grappling to contain the spread and to find a vaccine for a cure. This emergency has drawn attention to the preparedness of the health sector of all countries, as it has largely exposed the vulnerabilities existing within the respective countries’ healthcare systems. For instance, in the United States, the Corona pandemic has exposed the level of unaffordability of healthcare for its citizens. While India is putting up a brave fight to contain this pandemic through all means, it fares far better in terms of affordability of health care, treatment and facilities. The efforts of India in this direction are commendable, but at the same time they are not efficacious, as they face challenges from the unconventional realm of cyber security in the health sector.

In an age where cyber attacks on digital infrastructures have become a daily affair, no country, including India, is immune to this global phenomenon. Since the health sector holds a huge amount of sensitive data such as patient personal details, medical staff details, patient health records, copies of scans and other test reports, the number of cyber attacks aimed at siphoning off this data has increased in recent years. Moreover, any cyber attack on healthcare infrastructure during the current emergency would be devastating for the whole country, further worsening the panic. The recent cyber attack on the Czech Republic’s second largest hospital, University Hospital in Brno, is a case in point. According to reports, the University Hospital in Brno was forced to cancel all planned operations and farm out acute patients to other hospitals after becoming the victim of a major cyber attack, supposedly on March 12, 2020. The hospital was also treating one patient affected with COVID 19.

The possibility of a similar cyber attack on the Indian healthcare sector at this testing time cannot be ruled out. In fact, in February 2020, a German security firm named “Greenbone Networks” revealed that nearly one million medical files and 107 million related medical images of Indian patients, including X-rays and scans, are freely accessible on the internet. The leaked records and images include details such as patient name, date of birth and ID, name of the medical institution, ailment, physician names and other sensitive details. It was also identified that Breach Candy Hospital and Utkarsh Scans in Mumbai are among the many victim organisations from which this medical data has been siphoned off.

In August 2019, the US-based cyber security firm FireEye revealed that hackers had broken into an India-based healthcare website and stolen 68 lakh records containing patients’ and medical professionals’ Personally Identifiable Information (PII) as well as Protected Health Information (PHI). Additionally, as pharmaceutical markets are growing fast, healthcare data on patients, professionals and other medical records have become a lucrative target for various hacker groups across the world for supplementing, subverting and manipulating research and development in the pharmaceutical industry as well as in the healthcare sector.

While such hacking incidents are usually ignored from the cyber security perspective by the respective organisations, especially in the healthcare sector, the current global lockdown has not just brought to light the prominence of the healthcare sector for the survivability of the human race but has drawn the attention of hackers too. As the sector becomes increasingly dependent on digital infrastructures, the number of cyber attacks on healthcare data targets, which are vulnerable yet lucrative, would only increase in the future. An ‘Iran-Stuxnet’ type of attack on this sector in India, especially during the on-going lockdown period or anytime later, is bound to have a catastrophic effect. While the blame game has already begun among global players pointing fingers at each other for the emergence and spread of the virus, the possibility that this case could set a precedent for any country with sinister plans to wilfully create such a global emergency in the future cannot be ignored. In such a scenario, the situation would become worse if cyber means are used as force multipliers alongside biological options to subvert a country. Therefore, not only from the cyber security perspective but also from the point of view of national security, for India to safeguard itself from any such fatal situation, it is time to declare the country’s healthcare sector as a critical sector.

So far, India has declared six sectors as critical sectors, namely (i) Transport, (ii) Power & Energy, (iii) Telecom, (iv) Banking, Financial Services & Insurance, (v) Government and (vi) Strategic & Public Enterprises. The various information infrastructures operating under these critical sectors qualify as Critical Information Infrastructures (CII), are deemed extremely critical to national security and hence are protected by Section 70 of the IT Act. Also, the cyber security of the CIIs comes under the specific responsibility of a dedicated agency known as the National Critical Information Infrastructure Protection Centre (NCIIPC) and hence gets focused cyber security protection.

Surprisingly, the sensitive healthcare sector is still not a critical sector in India. The severity of the sector has not been realised so far, but the on-going Corona pandemic should create the much needed realisation in the government and relevant authorities for declaring the sector as a critical one. Such a declaration would add the desired cyber security protection, both legally and institutionally, to the healthcare sector of India. Post declaration, possibly all healthcare networks and data, including public/private hospitals, testing labs, scanning centres, domestic pharmaceutical companies etc., would get covered by this cyber security protection, thereby ensuring business continuity in this highly sensitive sector. Also, any breach of data or malfunction of a network or system associated with the healthcare sector could be dealt with appropriately and with utmost priority by the government. Additionally, it would also be advantageous to the country’s interest in the long run to safeguard its citizens from adversaries’ sinister plots of manipulating the health sector and to protect sensitive medical data of Indian citizens from getting breached. It should also be noted that India is one of the popular destinations for medical tourism from across the world, mainly owing to its affordability combined with technically superior medical facilities available to all sections of society. In this scenario, declaring the healthcare sector as a critical one from the cyber security perspective would add more credibility to the country’s capabilities and ensure the trust of millions of patients from across the globe.

The Corona pandemic and the subsequent lockdown have given the much needed time for introspection for an all-inclusive approach including individuals and governments. Given the critical situation and the relevance of the health sector, one can only hope that the Indian government would take into consideration the sensitivity of the situation and promulgate the health sector as a critical sector of the country.

Dr. E. Dilipraj
Author is Research Fellow at the Centre for Air Power Studies (CAPS).
