India ranks second in cyberattacks on healthcare system, report says

India ranked second in cyberattacks against healthcare systems of all countries in 2021, according to a report by CloudSEK, an artificial intelligence company that deals with cyberthreats. India accounted for 7.7% of total cyberattacks against healthcare systems last year.

At 28%, the United States recorded the highest number of cyberattacks and breaches in 2021 due to the strong digitization of the healthcare sector, and the huge investments and growth opportunities in the industry that make it an area profit to target.

France, with 7% of the total number of attacks, comes third after the United States and India.

Globally, cyberattacks against the healthcare sector increased by 95.35% in the first four months of this year compared to the same period in 2021.

The findings are significant and released at a time when India is aggressively expanding its digital footprint in healthcare.

The Ayushman Bharat Digital Mission, a portal under the Union Health Ministry, digitizes patient health records to facilitate paperless exchange. As part of this, a health account number will be generated for each person and medical reports will be stored online. Cyber ​​experts, however, have expressed concern about the possible misuse of storing large amounts of digital medical records.

In 2021, the Indian government also unveiled the CoWIN portal to register vaccinations against coronavirus disease.

According to CloudSEK, immunization records had the highest number of breaches globally, followed by health worker and patient personal information. Personal information included name, address, email, contact number and gender.

Violation of administrative logins and financial records was third on the list of types of violations. A cyberattack on administrative connections can compromise patient privacy and provide access to internal hospital data.

“Several phishing campaigns have been uncovered during the global pandemic, in which attackers impersonate the WHO [World Health Organization] and sent malicious links to people claiming to be the latest security guidelines,” the report said.

In 2021 and 2022, databases were the “most commonly searched type of data,” according to the report. At least 69.2% of cases involved a leak or sale of healthcare databases in 2021. This figure rose to 78.6% in the first four months of 2022.

“The Covid-19 pandemic has forced the healthcare industry to adopt various new technologies for which it was not fully equipped,” the report said. “The transition was not smooth and left multiple cybersecurity gaps for attackers to exploit.”

Experts weigh

Raman Jit Singh Chima, director of Asia policy for AccessNow, an online rights nonprofit, said Scroll.in that in the absence of data privacy law in India, the threat ecosystem for digitized health records becomes very large.

“There is no sanction for private parties who misuse the data,” he added. “Who are we going to complain to?

The CloudSEK report noted that one of the August 2021 cyberattacks targeted an online pharmacy portal. The medicine and health products purchasing portal was compromised after its configuration settings were shared on a public platform.

The attack compromised several user account information, according to the report.

Patient data is a goldmine for multiple stakeholders, including big pharma and insurance companies. This secondary information provides insight into a person’s health status.

With access to this type of information, insurance companies can target specific populations to purchase their policy. For an organization, leaking customer information can disrupt operations and lead to huge financial and legal consequences.

Anita Gurumurthy, executive director of IT for Change, an organization that works at the intersection of information technology and social justice, said health sector datasets can lead to abuse, abuse and shameless profiteering.

“Data sharing standards need to be defined centrally,” Gurumurthy said. “This is sensitive information that requires the highest degree of ethics. We don’t have that preparation [in India].”

The CloudSEK report also mentioned why cyberattacks against the healthcare system have increased over the past few years.

The Covid-19 pandemic has led to rapid digitization but budgetary constraints have not allowed healthcare systems to implement robust cybersecurity. Medjacking, where medical devices are misused, also emerged as a major concern, the report adds. This can cause life-saving machinery or equipment to shut down during surgery or in intensive care units.

Scroll.in has reached out to National Health Authority and Head of Digital Mission Ayushman Bharat for a response regarding the cybersecurity concerns raised by CloudSEK. The article will be updated once they respond.