Ensuring Information Security in Indian Hospitals
By Ishaq Quadri, Group CIO, Kerala Institute of Medical Sciences
This article is written in the backdrop of the 12th May 2017 WannaCry ransomware attack, which impacted an estimated 150,000 systems in over 100 countries, including the UK (among them the National Health Service), Russia, countries in Europe and Latin America, and parts of Asia. The attack is called ransomware because its objective is to lock (encrypt) the data files on a system and demand a ransom, restoring (decrypting) them to a readable format only on payment of the demanded amount. In England, 48 trusts reported problems at hospitals, GP surgeries or pharmacies, and 13 NHS organisations in Scotland were also affected. Some hospitals were forced to cancel treatment and appointments and, unable to use computers, many doctors resorted to pen and paper.
When developed countries, with some of the best technologies and resources at their disposal, literally struggled with the latest cyber attack, the situation back home in India can be left to the reader's imagination in the unlikely event of our getting impacted.
With the current digitization drives happening in a big way in both private and government hospitals in India, it is incumbent on decision makers to give enough importance to information security before it is too late. It is also worth mentioning a common misconception: equating information security with applying the latest anti-virus software is a grave injustice to the whole issue.
In this article, we try to unravel the information security conundrum, understand the vulnerabilities, and evaluate possible strategies and workarounds to address the challenges, especially in a hospital environment. Before we get into the solutions, let us first get our basic understanding clear on concepts pertaining to information security and its importance in a hospital and healthcare environment.
What is Information Security?
Before we venture into describing information security let us take the baby steps of defining what information is and why we need to worry about it. Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.
Moving on to information security, in simple layman's terms it is to:
• Protect information from a range of threats
• Ensure business continuity
• Minimize financial loss
• Maximize return/value on investments
• Seek business opportunities
• Ensure compliance
Having attempted to describe information security, let me add a few more dimensions here:
• It is an ongoing battle, hence there is no beginning and no end
• The complexity and the vulnerabilities change all the time
• The principle 'the strength of a chain is decided by its weakest link' applies at all times
Objectives of Information Security
The core objectives of information security are to preserve the confidentiality, integrity and availability of information, among other things. Confidentiality is ensuring that information is available only to those authorized to have access. Integrity is about safeguarding the accuracy and completeness of information and of processing methods. Availability is ensuring that information and vital services are available to authorized users when required. Other areas include privacy, authenticity, accountability, non-repudiation and reliability.
Why Health Data is Vulnerable?
In general we all understand the importance of information security, but what is so special about health data? Are we being paranoid here? Absolutely not, the reasons being:
• Healthcare Data is Detailed and Rich in Content
• Black market for patient data is up to 10 times more valuable than that for credit card data
• Increased competition and growth pressures in the Hospital Sector
• Medico Legal Cases
• Media Attention
• Sabotage and Espionage
Vulnerability Statistics
The following statistics give us some idea of the vulnerability of health data:
• According to Identity Theft Resource Center, 35.4% of the data breaches reported in 2015 were in the healthcare industry
• In December 2014, Anthem, the US's second largest healthcare insurer, announced that an outside hacker had accessed personal health information (PHI). About 80 million patient records were stolen in a single cyberattack
• Numerous cases reported across the country on data theft
• A US study has shown that almost 58% of data breaches in healthcare organizations originate from third parties/business partners who have access to the application
Information Security Challenges
As healthcare IT professionals, we face a variety of challenges and dilemmas related to information security, especially in a hospital environment where patients' health data is stored, referred to and shared by the caregiver community to ensure quality, safe and timely delivery of services. The safety and privacy of this information becomes critical, as described in the previous section on the vulnerability of health data. Information security breaches and threats are real, happen all the time, and can emerge from external and internal sources across the entire ecosystem.
The key challenge is to make patient data accessible and available while maintaining its privacy, confidentiality and integrity. The need for Internet access and email for official communication adds to the challenge. Devices, wearables, IoT, mobile apps, BYOD, remote access for service providers and business associates all multiply it. To top it all, the absence of comprehensive regulation in the Indian context and constrained budgets add to the burden.
The various risks can emanate from:
• Unrestricted Access
• Virus Attacks
• Theft, Sabotage, Misuse, Hacking
• Systems/ Network Failure
• High User Knowledge of IT Systems
• Natural and Infrastructure Calamities
Solutions and Safeguards
In the previous sections, we looked at the background and tried to understand the severity of the problem with some data points. So what are the solutions known to us, and where do we need to look at workarounds?
As mentioned in the introductory section, information security is an ongoing battle without a definite beginning or end. There are no absolute solutions, which means a solution you apply today can fail tomorrow as threats increase in intensity and variety.
The overall approach to information security solutions can be categorized under the following heads:
• Policy and Process Measures: Softer Aspects pertaining to Strategy, Policies, Process, Education and Awareness in a Legal framework usually carried out by the Senior Management and Non-Technical Resources
• Technical Safeguards: The real actionable technical safeguards or in other words the ‘Nuts and Bolts’ of information security as attended to by the Technical team
Policy and Process Measures
Have an information security policy framework in place, one which has the blessing and commitment of top management. The framework is an embodiment of the management's thought process and of the significance it attaches to information security, by way of committing resources and of the overall approach, with various controls in place that cover all information assets.
The information security management system (ISMS) framework needs to include and address physical and environmental security, human resources, asset management, access control, operations, communications, DRP, business continuity management, supplier relationships, incident management and compliance. Try to conform to standards like ISO 27001. To enable conformance to the defined policies, having competent people with the right skill sets is essential.
Education and awareness of the defined policies and processes is a critical aspect that goes a long way towards successful implementation. Multiple rounds of orientation at various levels need to be carried out.
To verify conformance to the defined policies and processes, conduct structured and formal internal and external security audits and drills.
Establish a business continuity and incident response strategy and conduct regular vulnerability assessments.
From a legal perspective, publish terms of use and take consent from patients before sharing their data.
At this juncture, let us look at the legal cover available to a hospital IT system:
• IT Act 2000
• Information Technology (Reasonable Security Practices and Procedures and sensitive Personal data or Information) Rules, 2011
• Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
• Indian Contract Act 1872
• Other ancillary statutes dealing with disclosure of medical sensitive information.
IT (Reasonable Security Practices and Procedures and sensitive Personal data or Information) Rules, 2011
• The medical records and history of patients are categorized as sensitive personal data of a person
• Rule 3 – What constitutes sensitive personal data or information
• Rule 4 – Formulation of privacy policy
• Rule 5 – Collection of Medical Sensitive Information
• Consent and Knowledge
• Lawful Purpose
• Intended Recipients
• Rule 6 – Disclosure of Medical Sensitive Information
• Rule 7 – Transfer of Information
• Rule 8 – Reasonable Security Practices and Procedures
Technical Safeguards
There are numerous technical safeguards at our disposal that can be put in place both to prevent an occurrence and to respond to a contingency. A very common misconception around technical solutions is that anti-virus is a panacea for all problems and that the security manager/administrator can relax once the latest version is implemented.
What is needed is a holistic approach in applying technical controls encompassing the entire ecosystem and in line with the policies and processes defined.
• Network Level Security
This is an important aspect of information security, ranging from firewalls and switches to VLANs and NAC. One needs to understand that network level vulnerabilities are the gateway to any attack.
The following is a partial and indicative list of areas and opportunities to focus upon:
o Hardware Firewall is a must
o Port security on switches
o Dynamic Host Configuration Protocol (DHCP) snooping
o Encryption on Wireless Network
o Virtual LAN (VLAN), Network Access Control (NAC) and Network Monitoring System
• Domain Security
o Strong Password and Expiry Policy
o Approval Controls on account creation
• Anti-Virus, Web Filtering, Data Leak Prevention (DLP) and End Point Security
o Update the software on regular basis with databases updated
o Conduct regular full system scans
• Application Level Security
o Security as part of Product Audit
o Look for strength of encryption, authentication and authorization procedures, change password functionality, Secure Sockets Layer (SSL) implementation, role based security and session handling
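As an added illustration of two of the items an application audit should look for, role based security and session handling, the following Python is example code written for this article and is not part of any hospital product; the roles, permissions, timeouts and user names are constructed for the example.

```python
# Added example (not from the article): role based authorization checks and
# session handling of the kind an application security audit should look for.
# Roles, permissions, timeouts and user names are constructed for illustration.
import secrets
import time

# Constructed role-to-permission map for a hospital information system.
ROLE_PERMISSIONS = {
    "doctor": {"read_clinical_notes", "write_clinical_notes", "read_billing"},
    "nurse": {"read_clinical_notes"},
    "billing_clerk": {"read_billing", "write_billing"},
}

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600  # hard limit on session lifetime (one shift)


class SessionStore:
    """In-memory session store with random IDs, idle expiry and absolute expiry."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable clock so expiry can be tested offline

    def login(self, username, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        # 32 random bytes: a session ID that cannot be guessed or enumerated.
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = {
            "user": username, "role": role, "created": now, "last_seen": now,
        }
        return session_id

    def logout(self, session_id):
        # Server-side invalidation: a logged-out ID is useless even if replayed.
        self._sessions.pop(session_id, None)

    def get(self, session_id):
        """Return the live session or None; expired sessions are purged on access."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[session_id]
            return None
        sess["last_seen"] = now
        return sess

    def authorize(self, session_id, permission):
        """True only if the session is live and its role grants the permission."""
        sess = self.get(session_id)
        if sess is None:
            return False
        return permission in ROLE_PERMISSIONS[sess["role"]]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("dr_rao", "doctor")
    print(store.authorize(sid, "write_clinical_notes"))  # doctor may write notes
    print(store.authorize(sid, "write_billing"))         # but not edit billing
    store.logout(sid)
    print(store.authorize(sid, "read_clinical_notes"))   # logged out: denied
```

The points an auditor would check are visible in the code: the session identifier comes from a cryptographic random source, every permission check goes through the server-side session rather than trusting anything the client sends, the role decides what is permitted, and both an idle timeout and an absolute timeout bound how long a stolen or forgotten session remains usable.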
• Regular Data Backup and DRP
o Automated and Frequent Backups
o Restoration test to verify the integrity of backed up data
o DRP Site to be used
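The restoration test above is the step most often skipped. The following Python, added here as an example and not taken from the article or any backup product, shows one way to make a restore test objective: record a hash manifest at backup time, seal it with a key kept away from the backup system, and compare the restored files against it. The file contents and the key are constructed for the example.

```python
# Added example (not from the article): a restore test that verifies restored
# data against a sealed hash manifest recorded at backup time. File contents and
# the key are constructed; a real deployment reads the files from the backup
# media and keeps the key off the backup system.
import hashlib
import hmac
import json


def build_manifest(files):
    """files maps a relative path to its bytes; returns {path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def seal_manifest(manifest, key):
    """HMAC over the canonical JSON of the manifest, so whoever damages the backup
    cannot simply regenerate a manifest that matches the damaged files."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_seal(manifest, key, seal):
    """Constant-time comparison of the stored seal against a freshly computed one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_restore(manifest, restored):
    """Compare a restored file set against the manifest taken at backup time.
    Returns a report listing corrupted, missing and unexpected paths."""
    corrupted = [
        path for path, digest in manifest.items()
        if path in restored and hashlib.sha256(restored[path]).hexdigest() != digest
    ]
    missing = [path for path in manifest if path not in restored]
    unexpected = [path for path in restored if path not in manifest]
    return {
        "ok": not (corrupted or missing or unexpected),
        "corrupted": corrupted,
        "missing": missing,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    # Constructed sample of a nightly backup: two small files.
    files = {
        "patients/1001.json": b'{"mrn": "MRN-1001"}',
        "labs/2024-01.csv": b"mrn,test,result\n",
    }
    key = b"constructed-manifest-key"
    manifest = build_manifest(files)
    seal = seal_manifest(manifest, key)
    # A restore that returns the files unchanged passes.
    print(check_seal(manifest, key, seal), verify_restore(manifest, files)["ok"])
    # A restore where one file was overwritten (e.g. encrypted) fails and names the path.
    damaged = dict(files, **{"patients/1001.json": b"\x00encrypted\x00"})
    print(verify_restore(manifest, damaged))
```

Running the check against a restore from the DRP site, rather than against the primary copy, also exercises the DR site itself, which is the article's point in listing it.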
• Patch Management
o Automated, centralized, regular and routine
o Ensure you have a test environment in place
• Emails
o Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
o Disable macro scripts in files transmitted via email
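The two email controls above (keep executables from reaching end users, keep macro-bearing files out) start with a filename policy at the mail gateway. The following Python is an example written for this article, not the logic of any particular gateway product; the extension lists and the sample attachment names are constructed, and a real gateway would combine this with content inspection and anti-virus scanning.

```python
# Added example (not from the article): an attachment filename policy of the
# sort a mail gateway applies before a message reaches end users. The extension
# lists and sample names are constructed for illustration.

# Extensions Windows runs directly when a user double-clicks them.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "lnk",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "jar",
}
# Office formats that may carry macros; the article's advice is to keep macros out.
MACRO_ENABLED_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
# Archives are opaque to a filename check; hold them for content scanning.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso"}
# Harmless-looking extensions often placed before the real one (e.g. scan.pdf.zip).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

RTL_OVERRIDE = "\u202e"  # reverses the displayed order of the trailing characters


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    name = filename.strip().lower()
    if RTL_OVERRIDE in name:
        return "block", "right-to-left override character in filename"
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable attachment (.{ext})"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "block", f"macro-enabled Office document (.{ext})"
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        return "quarantine", "double extension hiding the real file type"
    if ext in ARCHIVE_EXTENSIONS:
        return "quarantine", f"archive (.{ext}) needs content scanning"
    return "allow", ""


def scan_message(attachment_names):
    """Whole-message verdict: the most severe attachment verdict wins."""
    verdicts = [classify_attachment(n)[0] for n in attachment_names]
    if "block" in verdicts:
        return "block"
    if "quarantine" in verdicts:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["discharge_summary.pdf", "invoice.exe", "budget.xlsm",
                 "scan.pdf.zip", "q3.report.xlsx"]:
        print(name, "->", classify_attachment(name))
    print(scan_message(["discharge_summary.pdf", "scan.pdf.zip"]))  # quarantine
```

The gateway log should record the reason string with every block or quarantine, so that the security team can see which kinds of attachments are being attempted against the hospital and tune the lists accordingly.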
• Mobile Device Management (MDM)
o Check for the strength of encryption
o Enforce Personal, Device and Compliance Policies
o Check the Remote Wipe Features
• Web Application Firewall (WAF) for preventing
o Cross Site Scripting (XSS)
o SQL Injection
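A WAF is a compensating control in front of an application; the two flaws it screens for are fixed inside the application by parameterized queries and output encoding. The following Python is an example added for this article, using the standard library's sqlite3 and html modules; the patients table and its rows are constructed, and none of this is code from any hospital system.

```python
# Added example (not from the article): the two flaws a WAF is placed to screen
# for, shown as the vulnerable pattern beside its hardened form. The table and
# rows are constructed for illustration.
import html
import sqlite3


def make_db():
    """Constructed in-memory patient table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-1001", "A. Kumar", "constructed diagnosis 1"),
        ("MRN-1002", "B. Nair", "constructed diagnosis 2"),
    ])
    return conn


def find_patient_vulnerable(conn, mrn):
    # String concatenation: the caller's input becomes part of the SQL grammar,
    # so a crafted MRN changes the WHERE clause instead of being matched by it.
    sql = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def find_patient_safe(conn, mrn):
    # Parameter binding: the input is always data, never SQL, whatever it contains.
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def render_name_vulnerable(name):
    # Untrusted text placed straight into HTML: markup in the name is executed
    # by the browser of whoever views the page (cross site scripting).
    return f"<p>Patient: {name}</p>"


def render_name_safe(name):
    # html.escape turns <, >, &, quotes into entities, so the name is displayed
    # as text and cannot become markup.
    return f"<p>Patient: {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # an MRN that is also a SQL fragment
    print(find_patient_vulnerable(conn, crafted))  # returns every row
    print(find_patient_safe(conn, crafted))        # returns nothing: no such MRN
    tagged = "<b>Kumar</b>"
    print(render_name_vulnerable(tagged))
    print(render_name_safe(tagged))
```

The test to apply during a product audit is the same as in the usage lines: feed a value containing a quote or a tag through every input and confirm the output treats it as data. A WAF in front of an application that fails this test reduces exposure but does not remove the flaw.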
• Consider Virtual Desktop Infrastructure (VDI) – Ensures Data and Application Security
• Activities to be carried out in case your organization is affected by a virus attack
o Isolate infected devices by removing them from the network to prevent the virus from spreading to networked or shared drives
o If your network has been infected, immediately disconnect all devices.
o Power-off affected devices that have not been completely corrupted. This may provide time to clean and recover data, contain damage, and prevent conditions from worsening.
o Backed up data should be stored offline. When an infection is detected, take backup systems offline as well and scan backups to ensure they are free of malware.
o Contact law enforcement immediately to report any ransomware events and request assistance.
– Ishaq Quadri is the Group CIO of Kerala Institute of Medical Sciences, and Vice President HIMSS APAC India Chapter.