Healthcare and Cyber Security 2015: Is India Ready?



Explains cyber security in healthcare: the problem in the Indian scenario, critical infrastructure and vulnerabilities. For more information visit: http://www.transformhealth-it.org/


Nitish Chandan, Int. B.Tech CSE + LL.B Hons. Cyber Law (UPES, Dehradun)

Founder & Technical Writer, The Cyber Blog India


Cyber Security in Healthcare is divided into two fronts:

• Data: EHR (Electronic Health Record). Contains a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results in a digital version.

• Critical Network Infrastructure: all devices and equipment on a network that are responsible for monitoring and evaluation of patient health and for delivering some or the other treatment facility.


Problem in the Indian Scenario: Data

• Estimation of readiness is not possible as of today; numerous health centres are still digitally disconnected.

• Standards for EHRs are available, but they go only as far as saying that EHRs should be secure.

• “Generally, all electronic health information must be encrypted and decrypted as necessary according to user defined preferences in accordance with the best available encryption key strength.”

• NeHA has been constituted, which will also deal with privacy issues and healthcare.

• Data leaks are not only due to insufficient standards and policy (similar standards exist in IT law as well); user awareness, among both patients and caretakers, is lacking.

• Who is the owner of an EHR?


Critical Infrastructure

• A study by a researcher at one of the Midwest healthcare facilities revealed that drug infusion pumps could be remotely manipulated to change dosage.

• Defibrillators controlled over Bluetooth were prone to attacks that could give random shocks to a patient’s heart or prevent a needed one.

• Thermostats on networks are vulnerable to changes in temperature settings. This has caused spoilage of drugs.

• Misdiagnosis, Wrong Prescription and Administration of unwarranted care.

• Leads to a new type of crime: Cyber Murders.


Vulnerabilities

• Some emergency equipment could be rebooted and wiped clean of its configuration, allowing hackers to take control of important healthcare infrastructure.

• Passwords are still names of people, “admin”, “password” or “1234”.

• The biggest Cyber Security fact in any system is that no firewall or IPS can protect a system that is protected by a password like those above.

• Another problem is the level of encryption and the security of the channels used to communicate embedded systems’ data into patient records and vice versa.

• Newer technologies, like infusion pumps with a web administration interface for nurses to change drug dosage, are easily hackable because of hardcoded passwords that are often never changed.
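The password problems listed on this slide can be caught when a device is commissioned or its credential is changed. The sketch below is an added example, not part of the original slides: it rejects the password classes the slide names (people's names, "admin", "password", "1234") and flags a vendor default that was never changed. The device ids, staff names, sample credentials and the 12-character minimum are all constructed assumptions.

```python
import re

# Passwords the slide names, plus a few close variants (constructed list).
COMMON = {"admin", "password", "1234", "12345", "123456", "root", "default"}
MIN_LEN = 12  # assumed policy threshold, not taken from the slides

def weak_reasons(password, username="", staff_names=(), factory_default=None):
    """Return the reasons a device password should be rejected ([] = acceptable)."""
    reasons = []
    pw = password.lower()
    # Strip trailing digits/symbols so "Password1!" still matches "password".
    core = re.sub(r"[\d\W_]+$", "", pw)
    if pw in COMMON or core in COMMON:
        reasons.append("common password")
    if pw.isdigit():
        reasons.append("digits only")
    if username and username.lower() in pw:
        reasons.append("contains account name")
    if any(len(n) >= 3 and n.lower() in pw for n in staff_names):
        reasons.append("contains a person's name")
    if factory_default is not None and password == factory_default:
        reasons.append("factory default never changed")
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    return reasons

def audit(inventory, staff_names=()):
    """Map device id -> reasons for every device whose admin password is weak."""
    findings = {}
    for dev in inventory:
        reasons = weak_reasons(dev["password"], dev["user"], staff_names,
                               dev.get("factory_default"))
        if reasons:
            findings[dev["id"]] = reasons
    return findings

# Constructed commissioning records: hypothetical devices, not real products.
INVENTORY = [
    {"id": "infusion-pump-03", "user": "nurse", "password": "pump-svc-01", "factory_default": "pump-svc-01"},
    {"id": "thermostat-lab", "user": "admin", "password": "1234"},
    {"id": "ward-monitor-7", "user": "biomed", "password": "Anita2015"},
    {"id": "defib-gateway", "user": "biomed", "password": "tulip-orbit-canvas-92"},
]
STAFF = ["Anita", "Rahul"]

if __name__ == "__main__":
    for dev_id, reasons in audit(INVENTORY, STAFF).items():
        print(f"{dev_id}: {', '.join(reasons)}")
```

A password hardcoded in firmware cannot be fixed by a check like this; it can only be surfaced for the vendor or compensated for with network isolation.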


• Implantable medical devices are set to grow about 7.7% through 2015, and more than 2.5 million people already rely on them.

• Medical information can be worth 10 times as much as a credit card number.

• We are a little ready for what we are facing; but we are not yet facing what the rest of the world is.

• A lot has been said about EHRs in the national EHR Standards, but an overall Cyber Security Policy for the infrastructure is absent.


To Conclude

“Awareness and Sensitization is the key to Cyber Safety”

• Carefully categorize and classify data: about patients, hospital and staff etc.

• Sensitize user groups who are responsible for handling digital equipment.

• Employ security audits and penetration testing of devices, networks and users.

• The next generation is going to be of Cyber Murders and when we look back then, the question that is in the present tense today might be, “Shouldn’t we have been ready?”