Is India’s e-Health Secure? May 13, 2016

Is India's e-Health Secure? Jaspreet Singh, EY India


Page 2

Agenda

A Recent attacks across the world

B Security-Introduction

C e-Health status in India

D Cyber security in healthcare - a rising concern

E Cyber security in the health sector - key statistics

F Implications of cyber threat incidents

G Proactive measures against cyber attacks

Page 3

Recent attacks across the world


Page 4

90% of large organisations reported suffering a security breach in 2014

$300 Billion – $1 Trillion: cost of cyber attacks a year

91% of cyber attacks are spear phishing attacks

144% increase in cyber attacks on business over a four-year period

46% of the complaints or identity theft frauds reported globally involved breaches of government documents

6,00,000 Facebook accounts are hacked every day

Sources: Publicly available information and EY cyber security report

Key statistics about cybersecurity risks


88% of respondents do not believe their information security fully meets the organization's needs

59% see criminal syndicates as the most likely source of an attack today, compared with 53% in 2014

[Chart: 53% in 2014, 59% in 2015]

Page 5

Some of the key e-Health initiatives in India taken by the Government of India and private players

e-Health status in India


1. Mobile applications like Practo, SuperDoc, Credihealth, Mediexpress etc. that provide end-to-end information on medical services like doctors, hospitals and treatments, and allow users to create their profile and upload their medical reports and records

2. Mobile applications like Healthy You card and Healthy You EHR by the Govt. of India that help a user search for doctors and hospitals, book an appointment and get notifications

3. National health portal for health awareness for the rural sector

4. E-Blood Bank and online registration in hospitals

5. Kilkari to deliver weekly audio messages through phones to pregnant women

The e-Health sector in India is still at a nascent stage; however, with the advent of better access to technology and health services, it is predicted that spending on e-Health initiatives will increase over the years.

Page 6

Security - Introduction

Security is commonly referred to as the confidentiality, integrity and availability of data. Data security ensures that the data is accurate and reliable and is available when those with authorized access need it.

In other words, it is all of the practices and processes that are in place to ensure data isn't being used or accessed by unauthorized individuals or parties.

Confidentiality, Integrity, Availability

Confidentiality: Ensuring that information is accessed by only those who have authorization to have access to it

Integrity: Safeguarding the accuracy and completeness of information and its processing methods

Availability: Ensuring that authorized users have access to information whenever required by them

Security in healthcare sector (e-Health)

Security in the e-Health sector means protecting patient or client personal information and personal health information (PHI) against theft, loss and unauthorized collection, use or disclosure, and ensuring that the records containing the information are protected against unauthorized copying, modification or disposal.


Page 7

Healthcare data is unique, which makes the privacy and security of it so critical

While credit cards can be cancelled when lost or stolen, medical records can be compromised for years

Stolen healthcare credentials sell for 10 to 20 times more than stolen credit cards on the black market.

Electronic health records sell for $50 per chart on the black market, compared to $1 for a stolen social security number or credit card number

WHY? Medical records contain most of the data hackers want, making them ideal for ONE-STOP STEALING. Weak cybersecurity makes electronic protected health information (ePHI) more vulnerable

Cybersecurity in healthcare: A rising concern


Page 8

While cybersecurity incidents and data breaches are rising across industries, healthcare is lagging behind in cybersecurity investment

Cybersecurity in healthcare: India. Why it’s not enough, why it can’t wait?

Indian security spending (hardware, software and services) touched $1.11 billion in 2015.

Health care providers in India spent approx. $1.2 billion on IT in 2015.

Out of the allocated IT budget of healthcare, <5% was spent on security, which signifies that security spending in the medical sector was <6% when compared on a sector-wide security spending.

91% of healthcare companies reported at least one incident in the past two years.

In the sample survey of 350 healthcare companies, the mean time to identify a breach was 206 days, with a range of between 20 and 582 days being reported.

Some cybersecurity facts with respect to healthcare sector

[Chart legend: Medical sector, Others sector]

Source: Publicly available information


Page 9

1. Connected Medical Endpoints: Connected medical devices, applications and software used by healthcare organizations, providing everything from online health monitoring to video-oriented services, are fast becoming targets of choice for hackers.

2. One-stop ‘treasure-trove’ of data: The healthcare industry holds vast collections of sensitive patient and medical documents, data of significant value to hackers.

3. Cost of a data breach: As of 2015, a recent data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually.

4. Loss of reputation: A data breach can raise questions and concerns as to the adequacy of its data security protocols and can lead to loss of entire business.

5. Cyber Murder: Medical devices are vulnerable to hacking; officials warned that an infusion pump could be modified to deliver a fatal dose of medication. Devices could allow improper access to networks of hospitals and other healthcare providers.

While the potential of information technology in radically transforming healthcare is indisputable, protecting healthcare data against misuse, without impeding healthcare professionals’ access to patient information, remains the biggest security concern.

Why should healthcare industry worry about cybersecurity

Top 3 concerns of healthcare CIOs in India:

1. Internal breach

2. Inadequate deployment of technology

3. Regulatory compliance


Page 10

Out of the sample laboratories selected, 28% were aware of HIPAA, whereas 72% of the laboratories were not aware of the HIPAA implementation/audits.

However, the need for HIPAA was felt in 92% of the labs.

Another area of slight concern is the appointing of officers who will be a single point of contact at each business, responsible for handling any conflicts.

Only 30% of the healthcare companies selected in the sample had appointed a security officer.

Why should Indian healthcare industry worry about cybersecurity?

Research was done to understand the Indian diagnostic business and the implementation level of HIPAA* in India. Key highlights were as follows:

*HIPAA: Health Insurance Portability and Accountability Act

[Chart: HIPAA awareness among sample laboratories: Aware 28%, Unaware 72%]

[Chart: Need for HIPAA: Needed 92%, Not needed 8%]

[Chart: Security officer: Appointed 30%, Not appointed 70%]

[Chart: Need for certified personnel and labs in the healthcare sector, based on the sample size. Categories: Need for ISO certification, Need for HIPAA certification, Need for NABL accredited laboratory. Responses: Yes, No]

Page 11

Implication of cyber incidents

Unsatisfied customer

Legal action

Brand reputation

Financial loss

Business disruption

The healthcare industry is constantly on the move and is extending beyond hospitals, so confidentiality of patient data and the hospital database becomes the topmost priority. The industry has to go a step ahead of the standard antivirus and firewall combination to safeguard the important information of a patient and avoid any infringement.


Page 12

Proactive measures against cyber threats

Assess Your Network

Gain visibility into the enterprise and its systems, including non-traditional devices like printers, personal medical devices and institutional medical instruments

Most out-of-the-box networked devices and applications, like VPNs, firewalls etc., are not secure, and strong password policies should be implemented

Think like an attacker

Devices with default credentials, insecure ports and other insecure configuration present attack surfaces

The physical pathway should also be considered: a surveillance camera can be turned off or used to gather crucial information for getting access to the physical or network environment

Analyze your Network Pathway

Egress filtering restricts the flow of unauthorized or malicious traffic outbound from a network to prevent internal compromise

Real time analysis of outbound traffic

Combine visualization with threat intelligence to spot traffic trends for TCP and UDP ports which are commonly open through the network perimeter
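
The egress filtering and outbound-traffic analysis described above, as an added example that is not part of the original slides: it checks flow records against a default-deny egress policy per device class and counts blocked flows by protocol and port. The device classes, subnets, allowed ports and flow records are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed inventory: internal subnets mapped to device classes (constructed).
DEVICE_CLASSES = {
    ip_network("10.10.1.0/24"): "workstation",
    ip_network("10.10.2.0/24"): "printer",
    ip_network("10.10.3.0/24"): "infusion_pump",
}

# Assumed default-deny egress policy: allowed (protocol, port) per class.
EGRESS_POLICY = {
    "workstation": {("tcp", 443), ("udp", 53)},
    "printer": set(),                   # printers need no outbound access
    "infusion_pump": {("tcp", 8443)},   # hypothetical vendor update port
}

# Constructed flow records: (source IP, destination IP, protocol, dest port).
SAMPLE_FLOWS = [
    ("10.10.2.7", "198.51.100.23", "tcp", 21),
    ("10.10.3.4", "203.0.113.50", "tcp", 8443),
    ("10.10.3.4", "198.51.100.99", "tcp", 6667),
    ("10.10.9.9", "203.0.113.77", "udp", 123),
    ("10.10.2.7", "198.51.100.23", "tcp", 21),
]

def classify(src):
    """Return the device class for a source IP, or None if not inventoried."""
    addr = ip_address(src)
    return next((c for n, c in DEVICE_CLASSES.items() if addr in n), None)

def egress_violations(flows):
    """Return flows the egress policy would block, with the reason."""
    blocked = []
    for src, dst, proto, port in flows:
        cls = classify(src)
        if cls is None:
            blocked.append((src, dst, proto, port, "unknown device"))
        elif (proto, port) not in EGRESS_POLICY[cls]:
            blocked.append((src, dst, proto, port, f"not allowed for {cls}"))
    return blocked

def port_trend(violations):
    """Count blocked flows per (protocol, port) to surface traffic trends."""
    return Counter((proto, port) for _, _, proto, port, _ in violations)

if __name__ == "__main__":
    print(port_trend(egress_violations(SAMPLE_FLOWS)).most_common())
```

A source address outside the inventory is reported as an unknown device rather than silently allowed, which ties the policy check back to the visibility step under "Assess Your Network".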


Page 13

Thank You

EY Contact

Jaspreet Singh, Partner


+91-(124) 464 4000