India's Cybersecurity Skill Shortage & AI Posed Risks In Healthcare

The healthcare sector, a treasure trove of sensitive personal information, faces escalating cybersecurity threats as cybercriminals seek to exploit valuable data. What makes them alluring targets for malicious actors are patient health records, medical histories, insurance details, and more. 

The nature of Personally Identifiable Information (PII) held by healthcare companies today is highly sensitive and private. Attackers can quickly use this to profile cyber victims and conduct personalised attacks with a very high degree of success. 

Enterprises in the country experienced over 2000 attacks every week in Q1 2023, marking an 18 per cent increase compared to the previous year. The healthcare industry was a prime target, with 7.7 per cent of attacks directed towards it, as per TeamLease Digital.

Recently, Amit Shah, Union Minister of Home Affairs, expressing apprehensions around cyber security, conveyed that many countries have become victims of cyber attacks and that this threat is hovering over all major economies. "The World Bank estimates that cyberattacks could have caused losses of around USD 5.2 trillion to the world during 2019-2023. The use of cryptocurrency by malicious threat actors further complicates its detection and prevention," Shah said.

Shah added that 840 million Indians have an online presence, and by 2025, another 400 million Indians will enter the digital world which means the possibilities of cyber threats will also increase.

Nikhil Kurhe, CEO, Finarkein Analytics, emphasised the impending importance of cyber security and stated, "Cyber security is of paramount importance, especially in PII data like health data. Unfortunately, for the longest time, IT and data infrastructure were not a primary focus as they weren’t core to their business. That is changing, though, as secure encryption protocols are baked into DPI rails like ABDM to ensure safe health data communication. Awareness around the same for the general public is needed, though, to drive adoption combined with benefits." 

Cybersecurity Skill Shortage

Although India had 40,000 job openings for cybersecurity professionals as of May 2023, 30 per cent of these vacancies could not be filled due to a huge skill shortage, reported TeamLease Digital.

The demand for cybersecurity professionals has far exceeded the supply, causing many businesses to struggle to recruit qualified personnel. "Cyber Security skill sets that are in high demand include data privacy, cloud security, AI security, and network security. The top job roles include IT auditor, Information Security Analyst, Network/IT Security Engineer/Specialist, Security Testing/Penetration Tester, and Computer Forensics analyst," conveyed TeamLease Digital on the basis of their analysis.

"It is in everyone’s interest to make sure that healthcare workers are keyed in on the various online risks. Social engineering is another attack vector leveraged by criminals where people are less aware of common good practices. Great and consistent awareness campaigns can pretty much eliminate this angle," Kurhe commented on the awareness of health professionals. 

Threats from AI & Medical devices

Professionals have been using AI to improve their productivity, software development, and even business communications for the past few months. The chatbot keeps a record of all user inquiries and AI responses. As a result, any illegal access could possibly endanger sensitive data. Later, companies and their personnel may be the target of this sensitive information. According to the most recent Group-IB research, ChatGPT is extremely well-liked among dark web communities.

Kiran Vangaveti, CEO and Founder of BluSapphire Cyber-Systems commenting on complicated threat actors, added, "Today’s threat actors are sophisticated. Implementing robust AI/ML-driven security operations centred with a constant vigil on potential behaviour anomalies inside IT/IoMT infrastructure is a must, allowing better visibility and faster cyber threat detection and response. Alongside this, it is important to have access control measures like strong passwords, multi-factor authentication, and role-based access control, which limit data access to authorised personnel only. Implementing zero-trust networks shall allow secure network channels and regular patching, and system updates are essential to address known vulnerabilities while safeguarding the overall infrastructure."

India has one of the world’s top 20 markets for medical devices and is the fourth-largest in Asia. The medical devices sector in India is projected to reach USD 50 billion by 2025, according to the India Brand Equity Foundation. 

Many personal medical technology devices contain software as a medical device (SaMD) and software in a medical device (SiMD) are typically connected to the internet, mobile phones, servers, and the cloud. These devices include oximeters, hearing aids, glucometers, medical monitoring watches, and implants.

Experts convey that rapid economic growth, rising middle-class incomes, an elderly population of over 100 million, and increased market penetration of medical devices have left the population vulnerable.

Data Protection Law and Risk Management

The Information Technology Act and the Contract Act regulate data protection and cyber-security, even though the central government is currently pushing for the digitization of health information.

Commenting on the requisites of the law, Kurhe stated, "We need a general data protection bill with the right mechanisms to encourage compliance and good behaviour while also ensuring that bad behaviour from malicious actors and lapses in security are punished punitively. If there are only wrist taps, incentives for the adoption of good cyber security practices fall short as the cost of compliance and upgrading can become a factor. A further specialised law for healthcare can be proposed, due to the nature and vulnerability of health infrastructure. However, laws must align with rewarding good behaviour and the adoption of best cybersecurity practises."

Vangaveti underlines the importance of risk management for organisations, mentioning, "Compliance, regulatory certifications, and laws provide a minimum level of security but do not and cannot assure a standard of due care, especially with respect to cyber security. Primarily because cyber security is rapidly evolving, and compliance requirements alone cannot keep up with the fast-paced change. Also, compliance focuses on controls, not risk. Organisations should also focus on risk management, employee training, proactive monitoring, and other security initiatives to reduce the risk of a data breach."