The healthcare industry of India is facing novel techno legal issues that were absent a few years back. These include techno legal regulatory compliances, cyber security requirements, cyber breach disclosure requirements, obligations of directors of healthcare companies regarding cyber law and cyber security, privacy compliance, data protection requirements, etc. This article discusses the cyber security issues of the healthcare industry of India, which are equally applicable to the healthcare industry of other jurisdictions.
As the healthcare industry has started using information and communication technology (ICT) in the form of telemedicine, online pharmacies, e-health, m-health, etc., cyber criminals have found that this industry is a goldmine and a money minting industry. Sophisticated malware is now targeting the healthcare industry in the form of ransomware and information stealing malware. This malware is so sophisticated that even cyber security products and services are ineffective against it.
There is no doubt that ICT has enabled the healthcare industry, but at the same time there is an increasingly high risk of healthcare cyber security attacks. Healthcare companies of all sizes need to ensure not only that they regularly review their policies and procedures for privacy protection and data security, but also that they implement the right cyber security best practices to keep healthcare related information secure. Ransomware is of particular concern to the healthcare industry, as sensitive healthcare information is encrypted by the attackers and decrypted only once the ransom is paid.
The healthcare industry is not spending an adequate amount on cyber security and is also not good at acquiring cyber law and cyber crimes related knowledge. This has made healthcare organisations vulnerable to sophisticated cyber attacks. The overall impact of cyber attacks on hospitals and healthcare systems is estimated to be nearly six billion per year. Furthermore, these organisations face internal threats due to factors such as the use of cloud services, insecure networks, employee negligence, bring your own device (BYOD), lack of internal identification and security systems, stolen devices with unencrypted files, etc. Human beings are the weakest link in the cyber security environment, and healthcare organisations are no exception to this rule.
Presently, the healthcare cyber security market consists of protection against malware, DDoS, advanced persistent threats, spyware, lost and stolen devices, etc. However, this list is only illustrative, and the cyber security requirements are as vast as the options available to the cyber criminals.
Perry4Law Organisation (P4LO) strongly recommends that the healthcare industry work on three fronts, i.e. formulation of techno legal policies, adoption of best cyber security practices, and a mechanism to ensure cyber breach disclosure and coordination with the statutory and government authorities. If any of these three fronts is missing, the concerned healthcare organisation is at graver risk of cyber attacks and loss of sensitive healthcare information.