KEY TAKEAWAYS
- The COVID-19 pandemic has caused cyberattacks on healthcare businesses, as they have to protect patient data, which is a valuable resource on the internet. Hackers can use stolen patient medical record information to create fake identification documents, submit false insurance claims, or accumulate expenses.
- The healthcare sector in India saw the second-highest number of cyberattacks in 2021, accounting for 7.7% of all incidents there. Accordingly, at least 71 lakh records would have been impacted. Experts are aware that satisfying a ransom demand does not ensure that the hacker will release the requested data or equipment or that they won't use it to sell patient data online.
- Governments must uphold laws and moral norms, healthcare institutions must invest in cybersecurity, and staff must be taught incident management procedures. Safety must also be considered while developing software and security solutions.
INTRODUCTION
Cybercrime is an illegal activity that either targets or makes use of a computer, a computer network, or a networked device. Most cybercrime is conducted by cybercriminals or hackers who want to make money. Cybercrime at times aims to damage computers or networks for purposes other than earning money.
Information breaches, human trafficking, hacking, and phishing are examples of surface-level risks. Businesses experience reputational harm as well as financial loss after a cyberattack because customers are less likely to trust them and their products or services. If sensitive data about customers and employees is accidentally disclosed, the company runs the risk of being sued if negligence is found to have occurred.
This sector offers products and services to treat patients with curative, preventative, rehabilitative, or palliative care in the health care or medical industry. The current pandemic continues to offer novel obstacles for the global health care sector and continues to demand the attention and resources of healthcare systems. They continue to improve the human experience of their workforce through modifying what, how, and where work is done, fast increasing online medical care for patients, and creating partnerships to manufacture and obtain vaccinations, treatments, and supplies.
Poor cybersecurity measures, sensitive data storage, and a desperate need to maintain business continuity at all costs make the medical sector a potential target for hackers—an inevitability compounded by the pandemic. Because of inherent flaws in its security posture, healthcare faces significantly greater cyber dangers than other industries.
The healthcare industry is an appealing target for hackers for two simple reasons: it has a huge supply of valuable data and is an easy target to aim for.
CASES AND THEIR AFTERMATH
The COVID-19 pandemic altered the danger landscape because of the increasing adoption of a remote work environment and the growing reliance on the internet to enhance worker access and maintain productivity during shutdowns and orders to stay at home. Criminals swiftly took advantage of vulnerabilities and launched a range of attacks across industries, from malware and viruses to phishing and targeted scams.
Healthcare businesses have been the subject of some of the most significant cyberattacks in the last year. These institutions face a particular obstacle since they have to protect not just their own networks and databases but also the data of patients, which is a valuable resource on the internet.
By collecting and using patient data as leverage, hackers can extort millions from healthcare organizations that are rushing to avoid long-term treatment interruptions. Alternately, hackers can use stolen patient medical record information to create "identity kits" on the dark web, which customers may buy and employ to create fake identification documents, submit false insurance claims, or accumulate other expenses.
DISRUPTION OF SERVICES
In 2021, the number of cyberattacks on the Indian healthcare industry was the second highest in the world, accounting for 7.7% of total occurrences in the country.
CloudSEK (a cyber threat intelligence organization) reports an "increased cyberattack on the global healthcare sector," with the US accounting for 28% of overall worldwide attacks.
According to the study, "India recorded the second highest number of incidents, with an aggregate of 7.7% of all attacks on the health care sector in 2021". This would mean that there are at least 71 lakh records affected in the country.
As a result of these attacks, many small healthcare providers are unable to pay high ransoms and are forced to close their doors. These experts realize that paying a ransom demand does not guarantee that the hacker will release data or equipment. It also does not ensure that they will not sell your patient's information on the internet.
USA
- Ransomware hit hundreds of dental practices in August 2019, according to the American Dental Association. The attack targeted a dental-tech business, blocking dentists from accessing their data.
- Due to a ransomware attack in August 2019, Wood Ranch Medical in Simi Valley, California, had to shut the facility on December 17, 2019.
- In 2019, a cyberattack targeted a small community health center in Wyoming. Campbell County Health is in charge of a 90-bed medical center hospital in Gillette as well as about 20 clinics across the county. Before demanding a ransom, attackers encoded sensitive patient data and medical devices. Health professionals were forced to cancel services such as radiography, endocrinology, and lung treatment as a result of the attack. According to accounts, the organization transported patients to South Dakota and Denver hospitals. Cash registers, email, and fax machines were all inaccessible. Patients had to bring their own bottles of medication to visits since doctors were required to utilize pen and paper to note medical problems and prescription records were absent.
INDIA
- AIIMS New Delhi: Patients were unable to register for appointments, and medical professionals were unable to access health records as a consequence of the cyberattack on the hospital.
The hospital's ransomware strike has sparked "serious concerns about the country's cybersecurity," said KC Venugopal, an elected member of Parliament from the primary opposition Congress party.
(risk, 2022)
LAWS ESTABLISHED (INDIA)
1) Any intermediary or person who exposes personal data without the owner's permission (with ill purpose and causing damages) is punished by imprisonment for a maximum of three years, a penalty of up to Rs 5 lakh, or both under Section 72A of the IT Act.
2) Section 43A of the IT Act, for example, mandates Indian businesses and organizations to use "reasonable security practices and procedures" to protect sensitive data from being hacked, destroyed, exposed, or exploited.
3) Individuals have the right to change their information according to the Indian SPDI Rules for Reasonable Security Practices, which impose limitations on disclosure, data transmission, and security measures. They are only applicable to corporations, but they are not liable for the truthfulness of sensitive personal data (SPD) such as medical records, biometric information, and passwords.
4) National Cybersecurity Policy (2013): The Department of Electronics and Information Technology (DeitY) established the National Cyber Security Policy 2013 in 2013 as a security framework for both particularly private and kind of public enterprises to pretty much better protect themselves against online attacks, which is definitely fairly significant.
CONCLUSION
Security must be considered throughout the creation of software and security solutions. This requires addressing security issues in the design of the product. In order to take action against dangerous actors, the governments both globally and nationally must enforce better laws and suitable moral standards. There should be more done to technically attribute cyberattacks so that the perpetrators and/or enablers of the assault may be identified with ease.
Healthcare institutions should also take further precautions, such as increasing their investment in cybersecurity to protect infrastructure, close gaps in systems, and update software. Additionally, they should develop and maintain the necessary level of employee training and raise cybersecurity awareness, develop competent infrastructure, close gaps in systems, and update software. Additionally, they should develop and maintain the necessary level of employee training and raise cybersecurity awareness. A commitment to caution and adherence to recognized incident management processes are also required from these organizations.
Join LAWyersClubIndia's network for daily News Updates, Judgment Summaries, Articles, Forum Threads, Online Law Courses, and MUCH MORE!!"
Tags :Others