India ranked second in cyber attacks on healthcare systems of all countries in 2021, according to a report released by CloudSEK, an artificial intelligence company that deals in cyber threats. India accounted for 7.7% of the total cyber attacks on healthcare systems last year.

At 28%, the United States recorded the highest number of cyber attacks and breaches in 2021 due to heavy digitisation of the health sector, and huge investments and growth opportunities in the industry that makes it a lucrative area to target.

France, with 7% of total attacks, came third after the US and India.

Globally, cyber attacks against the healthcare industry rose by 95.35% in the first four months of this year compared to the same period in 2021.

The findings are significant and released at a time when India is aggressively expanding its digital footprint in the healthcare sector.

The Ayushman Bharat Digital Mission, a portal under the Union health ministry, is digitising health records of patients for easy paperless exchange. Under this, a health account number will be generated for each person and medical reports will be stored online. Cyber experts, however, have raised concerns about the possible misuse of storing large amounts of digital medical records.

In 2021, the Indian government also unveiled the CoWIN portal to record vaccinations against the coronavirus disease.

According to CloudSEK, vaccination records witnessed the most number of breaches globally, followed by personal information of health workers and patients. Personal information included name, address, email, contact number and gender.

Breach in administration logins and financial records was third on list in types of breaches. A cyber attack on administrative logins can compromise patient confidentiality and provide access to hospital’s internal data.

“Several phishing campaigns were uncovered during the global pandemic, in which attackers posed as the WHO [World Health Organization] and sent malicious links to people claiming to be the most recently issued safety guidelines,” the report stated.

In both 2021 and 2022, databases were the “most generally sought-after data type”, the report said. At least 69.2% of cases involved a leak or sale of databases from the healthcare industry in 2021. The figure increased to 78.6% in the first four months of 2022.

“The Covid-19 pandemic forced the healthcare industry to adopt various new technologies which they weren’t fully equipped to handle,” the report said. “The transition wasn’t smooth and left multiple gaps in cybersecurity for the attackers to exploit.”

Experts weigh in

Raman Jit Singh Chima, Asia policy director for AccessNow, an online rights non-profit, told Scroll.in that with no law on data privacy in India, the threat ecosystem for digitised health records becomes very large.

“There is no penalty for private parties who misuse the data,” he added. “Who do we go to complain?”

The CloudSEK report noted that one of the cyber attacks in August 2021 targeted an e-pharmacy portal. The portal for buying medicines and health products was compromised after its configuration settings were shared on a public platform.

The attack compromised several user account information, the report said.

Patient data is a goldmine for several stakeholders, including large pharmaceuticals and insurance companies. This secondary information provides an insight into a person’s health background.

With access to this kind of information, insurance companies can target specific populations to buy their policy. For an organisation, leakage of customer information can halt operations and lead to huge cost and legal ramifications.

Anita Gurumurthy, executive director of IT for Change, an organisation that works at the intersection of Information Technology and social justice, said data sets from the health sector can lead to abuse, misuse and unabashed profiteering.

“Data sharing norms have to be centrally defined,” Gurumurthy said. “This is sensitive information and requires the highest degree of ethics. We do not have that preparedness [in India].”

CloudSEK’s report also mentioned why cyber attacks on the health system rose in the last few years.

The Covid-19 pandemic led to fast digitisation but budget constraints could not allow health systems to set up robust cybersecurity. Medjacking, where medical devices are hijacked, also surfaced as a major concern, the report added. It can lead to shut down of a life saving machine or equipment during surgery or in intensive care units.

Scroll.in has reached out to the National Health Authority and in-charge of the Ayushman Bharat Digital Mission for a response about the cyber security concerns raised by CloudSEK. The article will be updated once they respond.