The outbreak of COVID-19 has not only pushed economies into recession but also brought forth the fragility of healthcare systems in general. Migrating to digital mode has since been a major move across the healthcare sector. Increased digitalisation is expected to help service providers create a robust and critical infrastructure focused on patient’s safety and quality care. The future of digital healthcare appears promising as patients would be more comfortable using digital services for complex and sensitive medical conditions. However, a major downside of going digital is the imminent threat of attacks lingering in the cyberspace. Considering that the healthcare sector is critical infrastructure, patient information and medical reports available online would be a gold trove that could be exploited for various malicious purposes.
Digital healthcare refers to the integration of medical knowledge with information technology (IT) applications (apps) to help improve medical care and supervision of patients. This means that a smartphone can be used to determine patient’s medical condition by monitoring patient’s vital data (pulse, blood pressure and oxygen saturation) including body temperature and movement patterns. It can also be used to determine if the patient has taken the prescribed medication.
Digital technologies enable need-oriented solutions and the provision of preventative, clinical and rehabilitative services. Deploying advanced technologies like digital health, big data, artificial intelligence (AI), augmented reality (AR) and virtual reality (VR), wearables and internet of things (IoT), 3D printing technology and so on would impact different forms of treatment, care concepts, and image of the medical profession and role of patients. In terms of IT strategy, many of these areas relate to opportunities for the formulation of hospital processes subject to the concept of “hospital 4.0”. New diagnostic and therapeutic approaches are developed with the support of IT management in the context of “precision medicine” approach and digital therapeutics that powers personalised predictive care.1
Today’s telehealth technology is empowering patients in the remotest locations of the world to access quality healthcare and receive life-saving diagnoses. Telemedicine allows access to quality healthcare at any time thereby levelling the playing field – geographically and financially. Additionally, it has been observed that using AI and deep learning, body scans have been shown to analyse CAT scans up to 150 times faster than human radiologists, detecting acute neurological events in just 1.2 seconds.2 With several medical-grade sensors including optical, temperature, electrodermal, accelerometer and barometer being incorporated within wearables, these devices can be comfortably worn on the arm for several days and have higher-than-average patient satisfaction and adherence rates. The data from these wearables can be used in effective ways like monitoring health and providing preventative care. For instance, Hong Kong has been putting electronic wristbands on arriving passengers to enforce the coronavirus quarantine.3 The wristbands are connected to a smartphone app to make sure that people stay at home and break the chain of further spread of the virus.
There has been a slew of technologies deployed to check the spread of COVID-19 like contact tracing apps, electronic fences, robots, and infrared (IR) thermal screening. These technologies that aid round-the-clock remote monitoring and analytics are providing clinicians with decision support for early identification of any physiological alterations that could indicate deterioration, and facilitating early interventions for better outcomes.4
It has been predicted that by 2025 most of the hospitals worldwide would move to the digital platform, thereby increasing the market size of the healthcare sector from US$ 16.92 billion in 2017 to about US$ 58.78 billion by 2025.5 However, there is an evident downside to these healthcare innovations. These new devices open-up more entry points of cyberattacks and challenges for those in charge of online security and patient data protection.
The healthcare sector has been the prime target of online attacks threatening day-to-day work and compromising confidential patient data. The critical infrastructure systems in hospitals are particularly threatened by ransomware, besides different types of malware and distributed denial of service (DDoS) attacks, which can be locked up by malicious actors and unlocked only following payment of ransom.
Security researchers in Israel have been able to create malwares capable of adding tumours into CAT and MRI scans and misleading doctors into misdiagnosing high-profile patients.6 Another reason for increased attacks is the availability of enormous patient data that is worth a lot of money. Nefarious actors sell the data to counterfeiters who then produce genuine-looking insurance claims. Tampering of health and personal data like medical history, allergies, and medications can have dire consequences.
Medical devices are designed for one-point tasks like monitoring of heart rates or dispensing drugs. They are not designed with security in mind. Although the devices themselves may not store the patient data that attackers pursue, they can be used as launching grounds to attack a server that holds valuable information, or facilitates access to other networks, or let hackers install expensive ransomware on servers. In a worst-case scenario, medical equipment can completely be overridden by attackers, limiting hospitals from providing vital life-saving treatment to patients.
Since 2009, medical data theft has occurred either by stealing laptops or hard drives or identifying and stealing passwords. However, in recent years, myriad cyberattacks have compromised millions of medical records and patients’ personal information. For instance, in 2018, the MGM Hospital in Vashi, Mumbai fell victim to a cyberattack that locked the hospital data and demanded a ransom in bitcoins.7 Similar incidents of WannaCry, Petya and NotPetya ransomware attacking the healthcare sector have been reported from many countries, notably the 2017 attack on the United Kingdom’s National Health Service (NHS) where more than 70,000 devices like laptops, desktops and medical machinery were infected with attackers demanding ransom in cryptocurrency to decrypt the encrypted data of the hospitals.8
In the backdrop of COVID-19, many healthcare organisations have seen an increase in cyber exploitation. According to a report, the cyberattacks in the healthcare sector increased by 150 per cent during January-February 2020 as criminals sought to take advantage of the system vulnerabilities during the crisis.9 Scams by grey-marketers for personal protective equipment (PPE) have also seen a steady rise as healthcare professionals remain short of critical supplies.
On March 13, 2020, one of the Czech Republic’s biggest testing laboratories, Brno University Hospital, was hit by a cyberattack. As a result, the hospital had to postpone urgent surgical interventions and transfer patients with acute conditions to a different hospital while shutting down their entire IT network.10 Similarly, the website of Champaign-Urbana Public Health District in the United States was attacked by new ransomware called NetWalker.11 Victims received a ransom demand for the encryption key to regaining access to their data. This ransomware camouflaged itself within essential Windows functions to evade anti-virus detection. Health district employees became aware of the ransomware attack on March 10 when they lost access to the medical files. The Federal Bureau of Investigation (FBI) thereafter issued a warning about Kwampirs (a backdoor Trojan that grants remote computer access to the attackers) malware targeting supply chains including the healthcare industry.12
Microsoft has also been warning healthcare organisations to watch out for sophisticated ransomware attacks that could target them through their virtual private networks (VPNs) and other network devices. In particular, Microsoft warned about ransomware campaign called REvil (also known as Sodinokibi), which actively exploits gateway and VPN vulnerabilities to gain a foothold in the target organisations.13 After successful exploitation, attackers steal credentials, elevate their privileges and move laterally across compromised networks, installing ransomware or other malware payloads.
India has not been very far behind in riding the digital wave. In 2017, the union cabinet approved the formulation of National Health Policy, under which a National e-Health Authority (NeHA) is to be setup.14 Such a policy would evolve and expand health information networks across the continuum of care, such as e-Health, m-Health, and cloud technology and IoT in healthcare delivery. Major IT initiatives include ‘India Fights Dengue’ mobile app which provides interactive information on the identification of symptoms and links users to the nearest hospitals and blood banks. The Swasth Bharat (Healthy India) app provides information on healthy lifestyle, disease conditions and their symptoms, treatment options, and first aid and public health alerts.15 Through the Kilkari mobile app initiative, audio messages about pregnancy as well as childbirth and child care are directly sent to the families and parents. A mobile-based audio training course has been developed for expanding the knowledge base of the rural voluntary health workforce. Other m-Health applications include National Health Portal, Online Registration System, E-Rakt Kosh, ANM Online (ANMOL), telemedicine projects (in remote and inaccessible areas), Tobacco Cessation Programme and leveraging mobile phones for reaching out to the tuberculosis patients.16
The Ministry of Health and Family Welfare introduced a draft bill on Digital Information Security in Healthcare Act (DISHA) in March 2018.17 One key purpose of the proposed bill is to secure and create reliable storage of healthcare data. It will help constitute a health information exchange, as deemed eligible by the Act, and maintain the digital healthcare data of individual patients. The central government plans to incorporate a database to store information of patients and other health system components at the district and national-levels (National Health Information Network) which is expected to be implemented by 2020 and 2025, respectively.18 A key suggestion is to link Aadhaar to the health information network so that the patient identification works seamlessly. It also includes the participation of the private sector in developing a common network to help in accessing information by both public and private healthcare providers.
With the allocation of funds in the 2019 union budget for the Ayushman Bharat Yojana,19 developing the healthcare sector is a top priority. Meanwhile, to ensure better coverage for the healthcare initiative, the Ministry of Health has issued a critical document for public consultation to completely digitalise the healthcare data, and create a national digital health network called National Digital Health Blueprint.20 This would help deliver value-added services to the concerned users with a consent-based flow of citizen’s health record.
India is committed to financially support all the digital initiatives and looks for multi-stakeholder engagement and private-public partnerships to scale up these initiatives. Even under the current crisis, the government has rolled out apps such as Aarogya Setu21 to help citizens identify the risk of contracting COVID-19 and AYUSH Sanjivani22 to spread awareness about traditional Ayurvedic medicines.
Going digital is the most effective way to protect the first line of healthcare workers especially in the case of highly communicable viruses like COVID-19 while increasing the efficiency of health services. However, cybersecurity cannot be an afterthought in the healthcare sector. Medical specialists often use old and outdated software/hardware with minimum security features, staff lacks the necessary security know-how to implement updates and patches promptly, and many medical devices lack security software altogether. Human error opens a hole in systems as most breaches are triggered by employee mistakes or unauthorised disclosures. Experts note that hospitals often do not know what systems run on the devices they use. Many of these devices are black boxes to hospitals as there is a general lack of awareness, besides the usual lack of resources. Without a multi-layered protective cyber ecosystem, the medical staff may not even know when they are under attack.
India is at the cusp of digital transformation. However, with digital threats becoming trickier, a more holistic approach towards cybersecurity would be needed to facilitate the creation of a vibrant digital healthcare environment. If going digital is necessary for the country to be on par with the digital world, then building a resilient and trusted cyber ecosystem is also a necessity.
Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.