The worst fears of cybersecurity experts came true as pharma major Sun Pharmaceuticals recently admitted to a data breach which lead to the theft of certain company and personal data.

This is the third instance when a large domestic drugmaker is reporting a cybersecurity linked incident in about three years (besides Dr Reddy’s and Lupin)—this is just the tip of the iceberg.

Most vulnerable

For long now, companies providing cybersecurity solutions have cautioned that healthcare is among the most vulnerable segments given the sensitive nature of the data they handle. Though it is difficult to estimate the payouts of a cyber attack on a healthcare entity, a Sophos report pegged the cost of recovery of systems after a cyberattack at $1.85 million.

The stakes are high in healthcare and for that reason, organisations are obliged to meet global benchmarks such as HIPAA (Health Insurance Portability and Accountability Act) and several other data security and privacy requirements to protect patient data. Hackers know this and target this sector through several chinks in the armour.

Data thefts and ransomware attacks on hospitals and pharmaceutical companies, for instance, saw an increase during the pandemic years, both internationally and in India. Besides data theft and data leaks, these attacks could also cause serious financial, reputational and operational losses.

Picture this. An average healthcare worker, according to cybersecurity firm Varonis, gets access to at least 11 million files and 31,000 sensitive files on day one of work. In reality, they need only a few thousand files to get their work done.

Varonis surveyed 58 healthcare organisations and went through at least 3 billion files to find out the state of data security in this sector. “At least 10 million files can be accessed by any employee in a healthcare organisation. This information overexposure (called ‘blast radius’) increases the attack surface for cybercriminals,” says Maheswaran S, Varonis’ Country Manager (India).

The job of a hacker becomes very easy because they can compromise or encrypt more files just by getting a single user’s credentials. Healthcare organisations need to evolve and embrace a data-centric approach as most attacks in this sector is around critical data.

Though awareness levels are better than what it was few years ago, healthcare largely remains a lame duck. The endpoints are not fully protected as most gadgets used by staff are their own. These devices are not secured well, exposing the computer networks to attacks.

Zero trust approach
Deploy a web application firewall
Implement anti-phishing capabilities in emails.
Secure apps, access with Multi-factor Authentication
Secure all SaaS applications, and infrastructure access points to protect against DDoS (Distributed Denial of Service) attacks
Know where critical data is and creat backups
Restrict data access to those who require it
Finally, implement a zero trust (trust no one) approach
Number one Victim

Rupal Shah Hollenbeck, President, Check Point Software Tech says that healthcare in India is victim number one when it comes to cyberattacks.

“In the healthcare sector, as digital technologies improve supply-chain, patient management, diagnostics, and remote care, they also bring the sector under the radar of malicious threat actors,” says Gaurav Shukla, Partner and Leader of Cyber, Deloitte India.

This, in turn, could lead to an increase in ransomware attacks, data breaches, unauthorised access, and loss of critical patient data—all of which have the potential to impact the lives of people. Healthcare organisations need to take a holistic approach to digital transformation, keeping cybersecurity at its core and understanding the ever-evolving threat landscape, its implications on the business, and by creating a playbook for robust resilience, Shukla advises.

Parag Khurana, Country Manager, Barracuda Networks India, says the biggest challenges to cybersecurity in these industries includes growing sophistication of hackers, proliferation of connected devices, and shortage of cybersecurity professionals. “It’s critical to recognise that cybersecurity is not just an IT issue, but a business-wide concern that requires a comprehensive approach,” he points out.

National threat

Ramakrishna Murthy, General Manager (India) and Vice-President of Securonix, says the ransomware attacks on AIIMS (All India Institute of Medical Sciences) and Sun Pharma shows that cybersecurity for healthcare can be a matter of national security.

“Attacks can leave victims extremely vulnerable—whether it is the theft of sensitive and non-transmutable biological data of individuals or the capture of critical hospital administration tools,” he said.

“This gives attackers increased negotiating power, making cybersecurity attacks against healthcare institutions a lucrative exercise,” he said. Healthcare players end-up paying a ransom for their data, given its critical nature, says Maheswaran.

All the more reason for healthcare companies to take proactive preventive measures in the interest of patient-safety.