There is no culture for cyber-security in medical organisations and enterprises that need them most when healthcare is rapidly going digital.
On November 23, 2022, the entire digital infrastructure of the All India Institute of Medical Sciences (AIIMS) New Delhi, the premier Indian national medical institute, collapsed due to a ransomware cyber-attack launched by Chinese hackers. Dubbed by experts as one of the biggest cyber-attacks on Indian critical infrastructure, the cyber-breach led to the compromise of sensitive medical and personal data of approximately four crore patients. On a larger social scale, the breach disrupted effective digitally-driven (automated) medical care within the hospital, much to the alarm of patients and their kin. The disruption hit the hospital's internal system processes: they had to be run manually, which often cannot meet time-critical patient service demand given the scarce supply of employee time and effort. In this article, we state the major cybersecurity issues that plagued AIIMS, and that are true of most other hospitals in the country, and provide a gist of management action items to boost cybersecurity in hospital environments.
Cyber-Security Issues in the AIIMS Case and Medical Hospitals in General
A post-mortem of the AIIMS cyber-attack broadly revealed a tale of negligence by the medical administration, despite the Indian government's recent push to digitise healthcare. The main points of negligence were:
- The AIIMS department responsible for IT infrastructure did not have dedicated database, security, and system administrators, despite the National Informatics Centre (NIC) recommending that it do so.
- A disaster-recovery backup mechanism to maintain continuity of operations in the event of a primary-site failure (a basic element of cyber-resilience) did not exist.
- There was no service-level agreement between AIIMS and the NIC under which the latter would be accountable for lapses in service. AIIMS operated its own servers and was responsible for server OS and security-software updates, though in reality no such updates were applied over time.
- Cyber-safety and resilience were never given importance inside AIIMS, reflecting a lack of cyber-security culture. As evidence: (a) no workshops or seminars educated the medical IT staff and doctors about cyber-hygiene, (b) none of the NIC-recommended security audits were done, and (c) many medical employees used personal Gmail accounts for official activities instead of their official AIIMS email.
It should be emphasised that the above negligence factors are not restricted to AIIMS and apply to hospitals throughout the country. In simple words, there is no culture of cyber-security in the medical organisations and enterprises that need it most, at a time when healthcare is rapidly going digital. In hospitals generally, the need for medical staff to access patient information and deliver care quickly is often at odds with adopting cyber-security best practices. As an example, it is common practice for employees of many healthcare providers to leave their workstations or laptops unlocked and/or unattended while expediting access to patient care information. Moreover, clinicians are often given discretion to adopt and install IT-driven health products that may benefit patients but might not satisfy the cyber-security requirements of enterprise-wide IT.
In addition, financial constraints, weakly cyber-protected legacy medical devices, and medical employees' lack of knowledge (owing to the unavailability of workshops and cyber-hygiene programs) of the patient-safety risks that cyber threats pose all increase the impact of those threats on cyber-security in the hospitalised medical care sector. To drive home this point, many IT security teams (where they exist within a medical enterprise) have difficulty demonstrating to the C-suite the financial importance of cyber protections and the value of proactive risk mitigation before a breach or data loss has been experienced. A medical C-suite or board consists primarily of members who rarely have a background in cyber-security and who, more importantly, are concerned with how the organisation is advancing on commercial business KPIs (e.g., revenue). They cannot gauge how cybersecurity directly affects those KPIs, and CISOs usually cannot translate technical jargon into KPI-impacting control factors for the board. Consequently, many C-suites surprisingly argue that they cannot budget for cyber-security even when they have sufficient resources. One of the main reasons, apart from those just mentioned, is a behavioural bias that assigns cyber-attacks a far lower probability than they have in practice. The other important reasons, especially for small and medium hospitals that allocate insufficient cyber-risk or resilience management budgets, are the lack of
- (a) infrastructure to identify and track threats,
- (b) the technical expertise that can analyse and translate the threat data into actionable information, and
- (c) the governance capability to act on that information for improved cyber-resilience.
Management Action Items to Boost Cyber-Security in Hospital Organisations
We propose five management solutions that can enable the highly vulnerable hospitalised medical care organisations in India (in this article, synonymous with healthcare organisations) to meet acceptable cyber-security standards, by introducing financial incentives and regulatory requirements that build cybersecurity factors into resilient business operations and patient care.
Action Item #1: Establish Minimum Cyber-Hygiene Practices
Given the evolving cyber-threat space, which is increasing the cyber-risk to patient safety, all healthcare organisations, from the C-suite to the general employee level, should be familiar with and enforce certain minimum cybersecurity practices on their employees as standard operating procedure. Regulations should strike an appropriate trade-off between the amount of cyber-risk they mitigate and the ease with which medical employees can carry out existing day-to-day hospital activities and consequently boost KPI metrics. All hospitalised medical care organisations must meet accreditation-approved health and safety standards that protect beneficiaries, and management should check that employees individually meet these standards, with penalties for failing to do so. At the very least, hospitalised medical care organisations must have emergency and standby power systems to prevent a hospital-wide blackout due to a cyber-attack on the national energy/power infrastructure.
Action Item #2: Patch Insecure Medical Legacy Devices/Systems
Medical equipment is becoming increasingly IoT- and software-driven, and hence more connected and technologically advanced. However, unlike some hardware, no software has a lifespan of 20 years: older versions of software retire from the market with no security patches available for them. As a result, more legacy medical devices (often with weak passwords) are left vulnerable to cyber-attacks. To this end, the government or regulators, together with the industry, should develop incentive programs to phase out legacy equipment gradually over time. One could take a leaf out of the US automobile industry, where the Car Allowance Rebate System (CARS) of 2009 allowed the federal government to take less fuel-efficient cars off the road; a similar concept for cars is also being introduced in India. There is a need for an incentive-based program to push the medical industry towards developing more modular, updatable medical technology or software equipment that satisfies minimum cybersecurity standards.
Action Item #3: Publish Software Bill of Materials
A software bill of materials (SBOM) is a key component of security and supply-chain risk management for the software and firmware used by healthcare services. It is a nested inventory of the ingredients that make up software components (including software embedded in hardware devices), and it should be published by hospitals or healthcare organisations in collaboration with regulatory agencies. This requirement could be enforced during pre-market approval and coupled with post-market monitoring, so that far more cyber vulnerabilities are fixed than in the scenario where no SBOM is published. Moreover, management should deploy cost-effective incentive mechanisms within the organisation to promote the adoption of SBOMs.
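As an added illustration of what post-market monitoring against a published SBOM looks like in practice (example code written for this article, not code from AIIMS, the NIC or any regulator), the script below walks a constructed CycloneDX-style nested inventory for a hypothetical bedside monitor and reports every component that a constructed advisory list still covers. Components already at or above the fixed version are skipped, and a component with no fixed release at all is flagged for replacement, which is the legacy-device situation described under Action Item #2.

```python
# Added example for this article (not AIIMS or NIC code): walk a nested SBOM and
# flag components that a vulnerability advisory covers. All data is constructed.
# Constructed CycloneDX-style SBOM; "components" lists nest, as in real SBOMs.
DEVICE_SBOM = {
    "name": "bedside-monitor-fw", "version": "4.2.0",
    "components": [
        {"name": "embedded-linux", "version": "3.10.0", "components": [
            {"name": "openssl", "version": "1.0.2u"},
            {"name": "busybox", "version": "1.31.1"}]},
        {"name": "dicom-service", "version": "2.7", "components": [
            {"name": "libxml2", "version": "2.9.11"}]},
    ],
}
# Constructed advisories: versions below fixed_in are affected; fixed_in=None
# models a legacy component with no patched release (the Action Item #2 case).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "openssl", "fixed_in": "1.1.1"},
    {"id": "ADV-EXAMPLE-2", "name": "libxml2", "fixed_in": "2.9.11"},
    {"id": "ADV-EXAMPLE-3", "name": "busybox", "fixed_in": None},
]

def parse_version(text):
    """'1.0.2u' -> ((1,''), (0,''), (2,'u')); numeric parts compare numerically."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)

def walk(components, path=()):
    """Depth-first traversal yielding (path, component) for every nested entry."""
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp
        yield from walk(comp.get("components", []), here)

def find_affected(sbom, advisories):
    """Return one finding per component still exposed to an advisory."""
    by_name = {adv["name"]: adv for adv in advisories}
    findings = []
    for path, comp in walk(sbom["components"]):
        adv = by_name.get(comp["name"])
        if adv is None:
            continue
        fixed = adv["fixed_in"]
        if fixed and parse_version(comp["version"]) >= parse_version(fixed):
            continue  # already at or above the patched version
        findings.append({"path": "/".join(path), "version": comp["version"],
                         "advisory": adv["id"], "status": (f"upgrade to {fixed}"
                         if fixed else "no fix available; plan replacement")})
    return findings
```

Running `find_affected(DEVICE_SBOM, ADVISORIES)` reports the nested OpenSSL entry as upgradable and the BusyBox entry as unfixable, while libxml2, already at its fixed version, produces no finding.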
Action Item #4: Budget Sufficient Funds to Boost Health Care Security
It is common knowledge that Indian healthcare organisations invest insufficiently in cybersecurity, as their management often gives budget priority to other commitments perceived to have a more immediate impact on stakeholder and shareholder interests. This issue is amplified for smaller hospitals and healthcare organisations whose priority is to remain financially solvent. Healthcare C-suites should take care to ensure that
- (a) there is no cybersecurity talent shortage within the organisation, by offering good pay packages,
- (b) they need not wait for days to fill roles after posting them, and
- (c) sufficient talented security personnel are assigned, since a few are often responsible for managing the cyber-security of a large network of hospital chains and facilities, sometimes spread across an extensive geographic area.
Action Item #5: Strengthen Information Sharing Between Healthcare Organisations
Cyber-vulnerability information about healthcare services should be shared voluntarily among hospitals and healthcare organisations to improve the security of the medical care ecosystem. Human life should ideally rank above the political and profit interests of healthcare management institutes, which must realise that sharing vulnerability information improves each individual enterprise's cyber-resilience. However, the status quo in practice is that healthcare organisations find it quite difficult to know where to locate relevant information, primarily because of the lack of regulatory enterprise liability protection mechanisms and the competing business interests of profit-minded hospitals in the private and public sectors. Health Information Sharing and Analysis Centers (H-ISACs) should be set up for cyber-vulnerability information sharing within the health and public health sector industry, though not necessarily with government partners. Such H-ISACs should consist of industry leaders who would not only share cyber-vulnerability information but also recommend tools, guidance, and cyber-security best practices for employees in healthcare organisations. Regulators should mandate that ransomware incidents are reported to central regulatory bodies within a few hours of their occurrence.
Ranjan Pal (Massachusetts Institute of Technology, Sloan School of Management)
Bodhibrata Nag (Indian Institute of Management Calcutta)
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]