
How can government healthcare organizations protect themselves from cyberattacks

Janifha Evangeline | Monday, 12 December 2022, 00:56 IST


The All-India Institute of Medical Sciences (AIIMS) has not upgraded its computer and IT systems in the last three decades, officials stated, days after the institute came under a ransomware attack.

The medical records of millions of patients, including VVIPs, were compromised during the 10-day-long attack. Out-of-date, old equipment and software, as well as antiquated versions of the Windows operating system, were in use for managing medical records up until the attack. The need to upgrade the IT system was raised with the top authorities many times, but no action was taken, the officials cited above said, speaking on condition of anonymity.

“There was no up-gradation of the computer and IT facility in the institute for at least the last 30-40 years. Outdated and old equipment without the latest version of Windows was in use. We flagged concerns on this issue many times to the top administration but no improvement was done,” said a senior official at AIIMS.

On November 23rd, the All-India Institute of Medical Sciences stated that it had been hit by a ransomware attack that brought all its servers down, forcing the hospital to enter details manually. The hospital administration is now planning to frame a cyber security policy for the safety of hospital and patient data.

“Under this new cyber security framework, AIIMS is planning to depute a cyber security officer and senior IT professionals for IT-related work. A separate network will be created for e-hospital and e-office-related work, while another will be set up for doctors for emails and other official work,” said another official at AIIMS aware of these developments.

“Besides this, all department faculties, HODs, and scientists have been directed to ensure security audits of the software they are using from CERT-IN certified auditing agencies to prevent malware spread from their software in the servers and connected endpoints,” he added.

The hospital's computer and IT facility has called a meeting of IT vendors to deliver these solutions before the end of the month and to block access to the AIIMS network and central servers from any application that has not undergone a security audit.

All faculty and doctors have been directed that no user may connect a router to an AIIMS network port. Last week, the institute stated that it had restored the e-hospital system but that, owing to the huge amount of data involved, hospital operations were still being carried out manually.

Healthcare firms currently struggle to protect patient data for several reasons, the first being the very nature of digital applications. Data that used to be on paper, and largely in the patient's own possession, is now stored in several databases accessed by numerous apps, hospital portals, health-tracking tools, medical providers and others, most of which also allow the data to be accessed remotely.

Furthermore, while patients are still trying to understand their privacy rights, healthcare staff are also low on security awareness, since organizations do not train doctors and other medical staff in information security. The equipment hospitals use to collect and store data is often neither monitored nor protected adequately. To protect patient privacy, healthcare firms should build guardrails across all of these dimensions.

How can healthcare organizations ensure patient data privacy

There is no single loophole behind data breaches; vulnerabilities can exist at any stage. It is therefore important to set up controls and countermeasures across the board.

Setup encryption

Data can be at rest, in use or in transit. Data at rest should be encrypted with AES-256 or an equivalent. Data in use or in motion is best secured by controlling access on the basis of user roles, granting access only on a need-to-know basis, exposing obfuscated data rather than raw data, and using HTTPS/transport layer security.
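The role-based, need-to-know and obfuscation controls for data in use described above, as an added example that is not part of the original article or of AIIMS's systems. The patient record, role policy and pseudonymisation key are constructed for illustration; a real deployment would keep the key in a KMS/HSM, not in source.

```python
import hmac
import hashlib
from typing import Any, Dict

# Constructed sample patient record (not real data); PHI fields sit alongside clinical ones.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Asha Verma",
    "dob": "1984-07-19",
    "phone": "+91-98765-43210",
    "diagnosis": "Type 2 diabetes",
    "ward": "C-12",
}

# Constructed pseudonymisation secret; in production this lives in a KMS/HSM and is rotated.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Need-to-know policy: which fields each role may see, and whether raw or obfuscated.
# Any field not listed for a role is never returned; any role not listed is denied.
ROLE_POLICY = {
    "treating_doctor": {"patient_id": "raw", "name": "raw", "dob": "raw",
                        "phone": "raw", "diagnosis": "raw", "ward": "raw"},
    "billing_clerk":   {"patient_id": "raw", "name": "raw", "ward": "raw"},
    "researcher":      {"patient_id": "masked", "dob": "masked", "diagnosis": "raw"},
}

def pseudonymise(value: str) -> str:
    """Keyed HMAC token: stable across records for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_field(field: str, value: str) -> str:
    """Field-specific obfuscation so the consumer keeps utility without the raw PHI."""
    if field == "patient_id":
        return pseudonymise(value)
    if field == "dob":
        return value[:4]  # year only, enough for cohort analysis
    raise ValueError(f"no masking rule defined for {field}")

def view_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the role is entitled to, obfuscated where policy demands."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"unknown role {role!r}: default deny")
    view = {}
    for field, mode in policy.items():
        if field in record:
            view[field] = record[field] if mode == "raw" else mask_field(field, record[field])
    return view
```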

Secure the endpoint

Data security in healthcare extends to everywhere data can be used or accessed, which includes the endpoint: any device that can access, process or store PHI, including mobile devices, laptops, desktops and connected devices such as printers.

Strengthen device security

Data should not be accessed directly from users' personal devices. Where such access is allowed, it should be an exception: the device must have the right level of controls in place to keep the data safe, and there should be a defined approval process for accessing data from a personal device.

The road ahead

Since healthcare organizations such as private and public hospitals, medical device manufacturers and health insurance providers manage personal data, including the special categories, their compliance with GDPR requirements is crucial. Healthcare companies should invest both time and capital in changing their perspective and approach, not just towards the GDPR but towards cybersecurity as well. Although the healthcare sector faces unique challenges today, there are also effective security solutions that will benefit any firm in the long run.
