India ranked second in cyber attacks on the healthcare system in 2021, according to a report released on August 18 by CloudSEK, an artificial intelligence company that predicts cyber threats.

Globally, cyber attacks against the healthcare industry rose by 95.35% in the first four months of 2022 compared to the same period in 2021.

At 28%, the United States accounted for the maximum cyber attacks and breaches in 2021. India witnessed 7.7% of the total global attacks while France, which recorded 7% of the total attacks, ranked third.

Advertisement

Digital push in India

In India, the findings come at a time when the country is aggressively expanding the digitisation of the healthcare sector even as the country still does not have a data protection law.

As reported by Scroll.in, the Indian government has been creating digital health account numbers of citizens without their knowledge. The accounts are being created under the Ayushman Bharat Digital Mission, which aims to digitise the health records of all patients.

Scroll.in had reported that of the 23.3 crore health account numbers generated for individuals till August 17, three-quarters had been created using the CoWIN, the government’s Covid-19 vaccination portal, and the databases of the Centre’s health insurance scheme. Many people did not know that accounts had been created in their name, with their Aadhaar number and mobile phone details.

Advertisement

The pandemic appears to have given an impetus to the generation of health data online, often without adequate protections.

The CloudSEK report observed that the pandemic forced the healthcare industry to adopt new technologies it was not completely equipped to handle. “The transition wasn’t smooth and left multiple gaps in cybersecurity for the attackers to exploit,” the CloudSEK report observed.

Cyber experts have also voiced concern over the large-scale digitisation of medical records and the risk of their being misused.

Advertisement

Vulnerable, lucrative data

In 2021, the Indian government began using the CoWIN portal and app to record immunisations against Covid-19.

According to the CloudSEK report, vaccination records witnessed the maximum breaches globally followed by the personal identifiable information of health workers and patients. Personal information included name, address, email, contact number, and gender.

The breach of administration log-ins and financial records were the other kinds of data to be targeted. A cyber attack on administrative logins can compromise patient confidentiality and provide access to a hospital’s internal data.

From the website of the Ayushman Bharat Digital Mission.

CloudSEK’s white paper also noted that the number of cyberattacks increased in the past two years since adequate security measures were not implemented amid the push to go digital.

Advertisement

“Medjacking”, where medical devices are hijacked, also surfaced as a major concern, the report said. Such an attack can shut down life-saving machines or equipment during surgery or in intensive care units.

The report also noted that several phishing campaigns were uncovered during the pandemic. “...Attackers posed as the WHO [World Health Organization] and sent malicious links to people claiming to be the most recently issued safety guidelines,” stated the report.

In 2021 and 2022, databases were the “most generally sought-after data type”. At least 69.2% of cases involved the leak or sale of databases from the healthcare industry in 2021. This increased to 78.6% in the first four months of 2022.

Advertisement

No data protection law

Patient data is a goldmine for several stakeholders, including major pharmaceutical and insurance companies. Armed with such information, insurance companies, for instance, can target specific populations to buy their policy. For an organisation, the leak of customer information can halt operations and lead to huge cost and legal ramifications.

Raman Jit Singh Chima, Asia policy director for AccessNow, an online rights nonprofit, said that with lack of a data privacy law in India, the threat ecosystem for digitised health records becomes very large. “There is no penalty for private parties who misuse the data,” he said. “Who do we go to complain?”

In its report, CloudSEK also mentioned that in one instance in August 2021, an e-pharmacy portal was targeted after its configuration settings were shared on a public platform. This cyberattack compromised the information of several user accounts on that portal, said CloudSEK.

Advertisement

Anita Gurumurthy, executive director of IT for Change, which works at the intersection of information technology and social justice, said the leak of data from the health sector will allow for abuse, misuse, and unabashed profiteering. Gurumurthy said data sharing norms must be centrally defined. “This is sensitive information and requires the highest degree of ethics,” she said. “We do not have that preparedness [in India].”

Scroll.in has contacted the National Health Authority, which handles the Ayushman Bharat Digital Mission, for a response on the cyber security concerns raised by CloudSEK. This report will be updated once they respond.

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation has not exercised any editorial control over the contents of this article.