Dr Swati Subodh
Cyberattacks take multiple forms- from data breach, ransomeware attacks and crypto-jacking to threat to connected devices, and more. The evolving landscape of cybercrimes increased with nearly 26 million cyber threats to Indian companies in the third quarter of 2018 alone. Between 2015–2017, India witnessed 17% of the global cyberattacks, second only to the US (38%) and just above Japan (11%).
In 2018, India stood fourth in terms of number of cyberattacks. Data breach takes on an average 196 days to identify and costs a large-sized organisation about $3-$10 million annually; and mid-sized organisations about $11,000 annually in India.
If this still feels more like an issue that corporate entities dealing in megabytes or terabytes of data are affected by, then consider this; according to the World Economic Forum, India faced the world’s largest data breach in 2018 when the government ID database, Aadhar, was subject to multiple cyber breaches with the possibility of the data of all 1.1 billion registered citizens been exposed. This doesn’t just open access to yours and mine confidential personal information but also yields sensitive biometric data! This most definitely makes cybersecurity a very personal issue as well.
In healthcare, cybersecurity is taking on another facet, one that not only erodes information and identities or causes an economic dent, but one that can be permanently debilitating or potentially fatal!
Medical Devices at Risk
Implatable Medical Devices (IMDs) are electronic devices that are implanted within a person’s body to treat, monitor or improve an existing medical condition. Pacemakers and defibrillators for cardiac conditions; and neurostimulators for deep brain stimulation to treat epilepsy, Parkinson or other cognitive impairments are common examples of these. Additionally, infusion pumps, that are Drug Delivery Systems (DDS), and a variety of biosensors and connected devices also fall under this category.
‘Bioceuticals’ as many of the implants are being referred to, are efficient versions of the traditional therapeutic options. Besides playing a therapeutic role these implants have been used in lieu of damaged tissues, for example, artificial retina and cochlear implants, to restore functionalities. Currently, a lot of focus is being directed to this. For example, IIT Kharagpur is developing a coin-sized implant that will be powered wirelessly and will combine brain activity testing like electrical simulation, bio-potential recording and neuro-chemical sensing for use in rehabilitation and prostheses.
A Ponemon Institute study in 2017 reported that 80% of device-makers and organisations engaged in healthcare delivery and care rated the level of difficulty in securing medical devices as very high. While 67% of device manufacturers and 56% of healthcare organisations said that they were expecting a security breach of device over the next 12 months. This highlights the unpreparedness of manufacturers and providers in securing healthcare delivery for clinicians as well as the patient.
The new generation of IMDs now come with numerous communication and networking functions as well which enable remote configuration, tracking and reprogramming of the devices as per patient’s need in real-time. Although this is convenient, efficient and cost effective, this advancement makes the user susceptible to unauthorised remote access, the outcome of which can go wrong in multiple ways!
Intentional malfunctions are often more difficult to track than accidental ones in such cases, as recognised by the US Food and Drug Administration (FDA). It is no surprise that a few years back, the former US vice president, Dick Cheney, replaced his cardiac defibrillator to one without wi-fi capabilities pre-empting possible threat.
In 2017, the FDA took the unprecedented step of recalling 4,50,000 pacemakers of St Jude’s Medicals which were vulnerable to cyber threats. The suspected attack could have drained the battery of the device making it inoperable or could have modulated the pacing rate of the patient’s heart. The device’s software, ‘Firmware’, of the recalled Radio Frequency (RF) enabled pacemakers was updated to enable authorised of command sent to the device. Devices made after August 2017 now have the updated software preloaded in the device.
Drug delivery systems are equally prone to attack. Here the implant delivers a stipulated dose of drug directly to the affected organ thereby increasing efficiently while decreasing side effects. In 2016, Johnson & Johnson issued a warning to 114,000 users of its device, Animas OneTouch Ping system, in the US and Canada about a security bug. The system contains an insulin pump that delivers therapeutic dose of insulin to the diabetic patient by catheter. A cyber vulnerability of the system would mean that a hacker could potentially administer a fatal dose to the user causing the glucose levels of the patient to dip dangerously low! What was distinct, and somewhat alarming, in this case, was that the J&J’s OneTouch Ping system is not connected to the internet or any other external network. The hacker would have to be at a minimum of 25 feet proximity to the device to be able to spoof communication between the wireless remote and the pump. The company advised the users to discontinue the use of their wireless remote controls and set a maximum adminstrable limit on their insulin pumps as an added measure.
Since the flow of information between the IMD nad the medical personnel is bi-directional, data forging and fudging can happen at either end. This is irrespective of the nature of the wireless communication, which could be over the internet (online) or offline. The data captured and the resultant action taken can both determine the outcome and thus need to be secured and appropriately authenticated.
Recently the UK faced its largest cyber breach on its healthcare system. WannaCry, a global ransomware, affected UK’s National Health Service (NHS), in a way that healthcare providers and patients were locked out of the network and thus unable to access patient data or scheduled medical procedures, etc. for many hours. In another incidence last year, the health data of 1.5 million Singaporeans was breached. This included targeted breach of the health data of the country’s Prime Minister, Lee Hsien Loong.
Apart from being a source of inconvenience causing delays or interruption of crucial healthcare services, intrusion of healthcare data could be damaging in many other ways, both for the provider and for the patient:
i) The healthcare provider (e.g. hospitals, clinics) whose data is stolen or made inaccessible loses confidence of its clients’- this could cause an irreparable damage to its reputation and its business.
ii) In a show of strength by the hacker, the healthcare organisations’ security loopholes may be exposed by hackers, which would be of interest to the competitors or people who stand to benefit from the stolen data in multiple ways. The hacker may breach corporate network and online infrastructure, or scan the system to analyse for structural vulnerabilities, and then extort money from the company to disclose the security flaw. The affected organisations would be forced to submit to the hackers to prevent this loopholes from going public before it had the chance to rectify it, thereby causing them a big financial dent.
iii) Data stolen or copied from patient databases can be sold to ready buyers who may utilise this for their own business, for example, insurance companies.
iv) Identity theft is another outcome of stolen data. Cybercriminals may utilise Personal Identifiable Information (PTI) of a patient to utilise other services and resources. This could be applying for loans or credit cards; opening bank accounts, making online transactions, filing tax returns to collect rebates, or conducting illegal activities while maintaining the victim’s facade.
Data privacy is a huge concern when data is being collected and uploaded in cloud servers, and other private or public IT networks. HIPAA (the Health Insurance Portability and Accountability Act) has set the standard for protecting patient data that is created, received, maintained, or transmitted electronically. Since now there are sensors automatically collecting and storing medical data in real-time, security of individual data is even more critical. These factors have prevented many hospitals from adopting network capacities for patient data and other medical information. However, it is a matter of time when the need to digitize records would prompt even the most conservative operators due to the volume of patients and the need for record keeping to maintain continuum and care and service.
Understanding the Anatomy of Data Breach
The number one reason is human error! Believe it or not, the overlapping layers of regulation, bureaucracy, technology and science in healthcare can result in unintentional human errors (33,5% cases), which opens the database to miscreants and fraudsters.
The second cause is the misuse (29.5%) of privileges (termed privilege abuse) or possession (termed possession abuse). This is a result of miusing authority of access to sensitive data. Physical data theft (16.3%) comes next where the device or drive storing the data is stolen and the data is extracted from it. In this case, however, encrypted data may be difficult to decipher as opposed to unencrypted one. Hacking (14.8%) comes next where a person intentionally gains unauthorised access to a system or device. Here the strategy, more often than not, is to get hold of stolen credentials to gain access to the database rather than use brute force to access the database directly. Malware (10.8%), most often ransomeware, is another way of data breach which is traded for cash.
Unlike other sectors, the data breach in healthcare is often reported to precipitate due to ‘internal factors’ rather than ‘external factors’. This makes cybersecurity of healthcare data a unique challenge.
FDA and other organisations are contributing to the elaboration of cybersecurity measures including tele-biometrics, mobile secure transmissions, secure transmission of personal health information, etc. FDA recently released a pre-market cybersecurity guidance to manufacturers to comply with before entering the market with their products. FDA also recently adopted UL-2900–2–1 as a consensus standard. It is for manufacturers of healthcare technology to demonstrate via objective test-based evidence that good cybersecurity hygiene has been exercised.
In India, the Ministry of Health and Family Welfare has drafted DISHA (Digital Information Security in Healthcare Act) which defines penalties for offenders. For the healthcare industry, experts have adopted measures that can be implemented at the providers end. These include;
- Regular Risk Assessment: As cybercriminals get more creative, it’s imperative to ramp up risk assessment as an organisation’s annual exercise.
- Penetration test: This mimics a cyber attack to identify loopholes and patch them.
- Disrupt visible data: Encryption and anonymisation of data gives an added layer to keep data private.
- Integrating security into medical devices: Including modules to safely communicate data travelling in either direction.
- Data is largely being viewed as the new oil, a precious asset. As the type of data evolves, the architecture of attacks will evolve with it, and so much the counter-attack
The article was previously published in the World Health Day special issue of Science Reporter in April 2019.