Cyber Security and Healthcare: Is India Ready?

Nitish Chandan
Int. B.Tech in Computer Science + LL.B Hons. With Specialization in Cyber Law-IV Year
University of Petroleum and Energy Studeis, Dehradun
+918394029559, nitishchandan@hotmail.com

ABSTRACT
Hospitals and clinics today generate more data than ever in the form of Electronic Health Records
(EHR) which is protected by minimal security. This year is being talked of as the year of healthcare
hacks because of the early Anthem data breach that compromised 80 million customers' data.
Technology has opened new fronts for healthcare by offering digital systems and software but it has
also exposed vulnerabilities as cyber security is not a critical agenda for organizations in this field.
India, along with an unclear IT Law also lacks digital regulatory standards for healthcare industry.
Many reports have been published in different nations about how inappropriate are the existing norms
and strategies in healthcare data management that leave patient records, billing history and
confidential data open to hackers to steal and sell in the black market for a few tens of dollars. But in
the Indian context, even these are unavailable. So another problem with the Indian situation of things
is also that estimation of readiness is not statistically possible as of today. Many hospitals are using
central database systems to manage patients' data but with without regulations, liabilities and
restrictions cannot be fixed which only draws half the picture. This paper deals with the issue of
absence of regulatory standards in healthcare data management and in finding effective solutions to
tackle the current situation in India.
Keywords: Vulnerabilities, Security, Regulatory Standards, IT Law, Electronic Health Records

1. INTRODUCTION

It does not need mention that the next target of hackers (crackers really) is going to be healthcare and
medical equipment. The understanding via this paper has to flow from the Internet of things to basic
medical instruments. The discussion definitely has to start with whats and whys of hacking. Theres
going to be a serious attack, devices at risk and hospital networks breached, really, what are we
trying to do? In order to be able to able to understand the application and need of Cyber Security in
Healthcare we must look at why really does someone need to hack a hospital.
The second contentious issue is the fact that Cyber Security in Healthcare is a very big challenge.
The industry of healthcare has evolved wonderfully and that must be commended because back in
the day when a scan could take days or maybe wasnt even possible, today it can be done in minutes

and in seconds be sent to the examining doctors screen and to the patients email ID. How
convenient isnt it? And what possibly could any person possessing this data do?
The biggest hazard out of all possible issues is that it is going to be very easy to hack a medical
equipment or a hospital network for that fact when a hacker really comes down to it and for the simple
reason that it is not a techie who carries out the semi-technical job in healthcare.

2. CYBER SECURITY & HEALTHCARE ISSUES

2.1. Healthcare
As a basic background to this paper, the perception that has been kept throughout writing this paper
has been that healthcare is not just about a hospital, a blood test, medicine or a doctor.[1] It sure is a
lot more complicated but if it could be summed up in a couple of words, it deals with all the
equipment, tests, facilities, data, confidentiality, medicine and such things as a part of the transactions
in a persons life as a patient. Another clarity that is also important is that though healthcare
encompasses a lot of sectors and people, the major target of vulnerabilities is a patient. Keeping all of
that on the front page, when this paper talks about healthcare it is going be about everything
aforesaid and that can possibly fall under the banner.

2.2. Cyber Security

Cyber Security has constructed a bridge over all possible gaps. From physical identity cards to virtual
social media identities, all of them are stolen today. While we are at it, it is imperative that every
reader knows some important things about Cyber Security.

If you are on Facebook today, odds are that a hacker already has your PAN
card.
Well, the reason really behind this vulnerability goes beyond the scope of the paper but it is still
important that it be mentioned because it forms the basis for why we must be afraid. Often when
people even know this fact they dont worry about what really can happen. The worst they think is that
somebody could get a SIM card against their ID. The real threat scenario is this:
A hacker gets your PAN Card, goes somewhere far off and establishes your identity there for a couple
of years, things like buying a house, getting a TV and Internet Connection and after years it might be
sold on the black market for millions. This sale could get your identity to a terrorist possibly to commit
crimes over the internet and when police finds out, it might be your doorstep they land at. Now that is
the level of threat an honest mistake can get one into.

3. POSITION OF CYBER SECURITY IN HEALTHCARE

According a report on Wired, the condition of healthcare equipment and data is not very good either.
When a researcher Scott Erven was given access to the medical equipment at one of the Midwest
health care facilities in the United States , over a period of two years, he found some interesting
results. It was found that drug infusion pumps used to deliver morphine drips, chemotherapy and
antibiotics could be remotely manipulated to change the dosage amount. Definitely if not now, then a
couple of years down the line we are looking at the same thing in India too. The ease that technology
gives us often makes us clumsy and careless, but it wouldnt matter when the technology itself is
sound enough. Sadly, there, even the Defibrillators controlled via Bluetooth could be manipulated to
deliver random shocks to a patients heart or prevent a medically needed shock from occurring;
temperature settings on refrigerators storing blood and drugs could be reset, causing spoilage.
One thing that has been observed in India is that people, Governments and organisations are a little
cautious about technology. They wouldnt use it for the fear or cost of it. In a way that has kept India
out of the picture of Cyber attacks on healthcare but it is not very late before it happens.
Even in a scenario as discussed above, at the least, health records are still a matter of digital
applications. The most elementary clinic today uses certain Database Management Technique to
store patient records, their medications and other personal data. Needless to say, personal data
needs to be protected in order to ensure confidentiality and in certain cases even identity theft. There
have been reported incidents of database changing that has led to misdiagnosing, prescribing wrong
drugs and administration of unwarranted care.

3.1. Premera & Anthem Hack

Health Insurance, another important element of the healthcare industry was hit very recently earlier
this year. Now what happened in case of the Premera Hack shocked people around the entire United
States: 11 Million records were accessed by hackers, meaning Social Security Numbers, Birthdays,
Emails, Home Addresses, Bank Information, Clinical Information and detailed claims of 11 million
people were compromised. Is it Sad? No, but it is shocking at a very different level if it is mentioned
that this attack was a continuous attack for 10 months and it stayed unnoticed.
A similar hack was faced by Anthem, just that the numbers were 80 million. Seeing all this it would not
be wrong to conclude that the state of critical infrastructure in healthcare is not very promising.

3.2. Technical Vulnerabilities

Some emergency equipment could be rebooted, wiped clean of the configurations allowing
hackers to take control of important healthcare infrastructure.

Passwords are still names of people, admin, password, 1234.

The biggest Cyber Security fact in any system is that no firewall or IPS can protect a system that
is protected by a password like the above.

Another problem is with the level of encryption and secure channels for communicating
embedded systems data into patient records and vice versa.

Newer technologies like infusion pumps with web administration interface for nurses to change
drug dosage are easily hackable because of hardcoded passwords that are often never
changed.[2]

Implantable medical devices are forecast to grow about 7.7% through 2015, and more than 2.5 million
people already rely on them to keep various illnesses at bay, according to a study by Freedonia
Group. [3]

3.3. Targeted Malware

As per Reuters, Medical information can be worth 10 times as much as a credit card number. And
another threat that this has caused is that of malware. This is something most corporations,
manufacturers and users cannot do much about. All devices are on a network these days, whether or
not they are on the internet, a network still exists. Now this network enables communication and this
has often formed the basis for numerous attacks on hospitals. An attack was demonstrated by TrapX
that confirmed Blood Gas Analyzers to have created a security backdoor into the hospitals network to
read data and bring it back to the attackers. Often the software that runs this hardware is out of date,
Operating Systems like Windows XP, Windows 2000 and other such platforms that have been
declared obsolete and of no use are still being implemented in controlling and managing millions of
records. The report titled MEDJACK [4] by TrapX has exposed many vulnerabilities and attack
anatomy. There was even an attack via the X-ray machines on the network but all of which only
moved data. And it is time that administrations understand the importance of data and the need to
preserve and keep it secure.

4. RESULTS AND DISCUSSION: COMPLIANCE AND IS INDIA READY?

In what the world calls the real IT or the security fields, the only differentiating factor is compliance.
For all critical infrastructures, the basis is an embedded microprocessor that processes data as bits
and bytes which forms the fundamentals of computers and computing. The computers and systems
used in healthcare are no different, they have a similar architecture. Where we fail at the level of
policy is compliance, auditing and testing. If not much, at the least corporations and organisations that
do store and transact in vital data and patient records should make use of the Penetration Testing and
Vulnerability Assessment Security firms and get an audit done to identify their stand against an attack
and the loopholes that an attacker can possibly exploit. The need in India afar is a National Policy on
Cyber Crime, though one is in the offing yet the real deal might be years away. The kind of security
needed for healthcare infrastructure might not be like that of a bank apart from basics like encryption
technology, so the Government must devise a policy that lays down these guidelines that need to be
followed in order to achieve a cyber safe ecosystem. The answer to whether India is ready is a little
confusing because on the face of it we are ready for what we are facing but we are actually not facing
what the rest of the world is. And a definite answer to that is no. India can be ready soon if there is a
National Healthcare Cyber Security Policy in play sooner than it is too late. Apart from that the system

users need to be sensitized about safe usage of equipment and their own personal information so that
they do not get compromised.
The future trends in this scope are the Internet of Things where we talk about things going online, the
possibility of hacking and clocking wearable devices like fitness bands and BYOD (Bring your own
device).

5. CONCLUSION
By this paper, an urgent need is being looked at to create a regulatory framework for Cyber Security
Compliances in the Healthcare industry. It has to be realized that nothing can be achieved without
sensitization of people involved in healthcare transactions. They key to cyber safety as opposed to
vulnerabilities and threats is Cyber Awareness. Industries, Offices, Corporations and individuals
should invite expert lectures on matters of security in the digital age in order to get first-hand
experience and knowledge about live cases that keep happening. The next generation is going to be
of Cyber Murders and when we look back then, the question that is in the present tense today might
seem like Shouldnt we have been ready?

REFERENCES
[1] Sherry JD, Cyber Security in Healthcare: A Unique challenge Accessed: 1 September 2015
Available: http://blog.trendmicro.com/cybersecurity-healthcare-unique-challenge/
[2] Grau Alan, Hackers Invade Hospital Netowrks Through insecure Medical Equipment Accessed: 21
August 2015
Available:

http://spectrum.ieee.org/view-from-the-valley/biomedical/devices/hackers-invade-hospital-

networks-through-insecure-medical-equipment
[3] Freedonia Report on Implantable Medical Devices Accessed: 28 August 2015
Available: http://www.freedoniagroup.com/industry-study/2852/implantable-medical-devices.htm
[4] MEDJACK : Storm Darlene, : Hackers Hijacking Medical Devices Accessed: 1 September 2015
Available:http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackershijacking-medical-devices-to-create-backdoors-in-hospital-networks.html