India ranks second in the world in cyberattacks on healthcare systems – as government pushes digitalization

India ranked second in cyberattacks against the healthcare system in 2021, according to a report released on August 18 by CloudSEK, an artificial intelligence company that predicts cyber threats.

Globally, cyberattacks against the healthcare sector increased by 95.35% in the first four months of 2022 compared to the same period in 2021.

With 28%, the United States accounted for the largest share of cyberattacks and breaches in 2021. India witnessed 7.7% of total attacks globally, while France, which recorded 7% of total attacks, placed third.

Digital push in India

In India, the findings come at a time when the country is aggressively expanding the digitization of the healthcare sector, even though the country still lacks a data protection law.

As reported by Scroll.in, the Indian government has created digital health account numbers for citizens without their knowledge. The accounts are created as part of the Ayushman Bharat digital mission, which aims to digitize the health records of all patients.

Scroll.in had reported that of the 23.3 crore health account numbers generated for individuals up to August 17, three-quarters were created using CoWIN, the government’s Covid-19 vaccination portal, and databases from the Centre’s health insurance scheme. Many people were unaware that accounts had been created in their name, with their Aadhaar number and mobile phone details.

The pandemic seems to have given impetus to the generation of online health data, often without adequate protections.

The CloudSEK report observed that the pandemic has forced the healthcare industry to adopt new technologies for which it was not fully equipped. “The transition was not smooth and left multiple cybersecurity gaps that attackers were able to exploit,” the CloudSEK report observed.

Cyber experts have also raised concerns about the large-scale digitization of medical records and the risk of them being misused.

Vulnerable and lucrative data

In 2021, the Indian government started using the CoWIN portal and app to record Covid-19 vaccinations.

According to the CloudSEK report, immunization records recorded the highest number of breaches globally, followed by personally identifiable information of health workers and patients. Personal information included name, address, email, contact number and gender.

Administrative credentials and financial records were the other types of data targeted. A cyberattack on administrative connections can compromise patient privacy and provide access to internal hospital data.

CloudSEK’s whitepaper also noted that the number of cyberattacks has increased over the past two years because adequate security measures have not been implemented as part of the push to digital.

Medjacking, where medical devices are misused, also emerged as a major concern, according to the report. Such an attack can shut down vital machinery or equipment during surgery or in intensive care units.

The report also notes that several phishing campaigns have been uncovered during the pandemic. “… Attackers impersonated the WHO [World Health Organization] and sent malicious links to people claiming to be the latest security guidelines,” the report said.

In 2021 and 2022, databases were the “most commonly searched type of data”. At least 69.2% of cases involved the leak or sale of healthcare databases in 2021. This figure rose to 78.6% in the first four months of 2022.

No data protection law

Patient data is a gold mine for several stakeholders, including large pharmaceutical and insurance companies. Armed with such information, insurance companies, for example, can target specific populations to purchase their policy. For an organization, leaking customer information can disrupt operations and lead to huge financial and legal consequences.

Raman Jit Singh Chima, policy director for Asia for AccessNow, an online rights nonprofit, said that in the absence of a data privacy law in India, the ecosystem of threats to digitized health records becomes very important. “There is no sanction for private parties who misuse the data,” he said. “Who are we going to complain to?”

In its report, CloudSEK also mentioned that in one case in August 2021, an online pharmacy portal was targeted after its configuration settings were shared on a public platform. This cyberattack compromised the information of several user accounts on this portal, CloudSEK said.

Anita Gurumurthy, executive director of IT for Change, which works at the intersection of information technology and social justice, said leaking health sector data will enable abuse and shameless profiteering. Gurumurthy said data sharing standards should be defined centrally. “This is sensitive information and requires the highest degree of ethics,” she said. “We don’t have that preparation [in India].”

Scroll.in contacted the National Health Authority, which runs the Ayushman Bharat Digital Mission, for a response on the cybersecurity concerns raised by CloudSEK. This report will be updated once they respond.

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation exercised no editorial control over the content of this article.