Common medical devices such as oximeters, hearing aids, glucometers, and pacemakers can be turned into spyware and malware, say experts, warning that such devices can even leak your medical data if not layered with adequate cyber protection. Industry experts are now seeking urgent Central government intervention to recognise this threat and immediately put in place measures to plug any possible drain.
Their warning comes close on the heels of the ransomware attacks suffered by India’s top tertiary care hospitals, leading to the siege of millions of medical records and vast amounts of health data at Delhi’s All India Institute of Medical Sciences, Safdarjung Hospital and Lady Hardinge Medical College and Hospitals. Ransomware is malicious software that encrypts one’s essential files and renders them inaccessible unless the hacker is paid for the key to open them.
Health records at risk
Indian multinational pharmaceutical company Sun Pharma, the world’s fourth largest generic pharma firm, was also among the establishments that recently took a hit. These attacks ran parallel to the series of failed attempts to hack into India’s top medical research organisation, the Indian Council of Medical Research (ICMR).
“What these attacks indicate is our vulnerability,” said Shuchin Bajaj, founder director of the Ujala Cygnus Group of Hospitals, adding that these electronic health records contain one of the most valuable databases of knowledge: sensitive patient information.
Medical devices to malware
Now, experts are warning that it is not only large healthcare establishments that are under threat. Many personal use medical technology devices — including oximeters, hearing aids, glucometers, medical monitoring watches, and implants such as pacemakers and insertable loop recorders meant for long-term monitoring and recording of electrical activity of the heart — all contain software as a medical device (SaMD) and software in medical devices (SiMD) and are usually connected to the internet, mobile phones, servers, and the cloud.
“If not given adequate cyber protection, these devices can be turned into spyware and malware and can even breach data. Currently, there are no guidelines on the regulation of SaMD and SiMD. Therefore, we suggest that the government should consult with industry experts to identify the challenges that could pose a risk to national security,” warned Pavan Choudary, chairman, Medical Technology Association of India (MTaI), adding that the biggest challenge with medical devices was their small size.
India has one of the world’s top 20 markets for medical devices and the fourth-largest in Asia. The medical devices sector in India is projected to reach $50 billion by 2025, according to the India Brand Equity Foundation. According to statistics from the Commerce Ministry analysed by the Association of Indian Medical Device Industry (AiMeD), medical device imports rose by a record 41% to ₹63,200 crore ($7.91 billion) in 2021-22 from ₹44,708 crore ($5.59 billion) in 2020-21.
The Indian population is growing at a rate of 1.6% per year and has an elderly population of over 100 million. Rapid economic growth, rising middle class incomes, and the increased market penetration of medical devices have left the population vulnerable, experts say.
India currently lacks any centralised data collection mechanism which gives an exact cost of data corruption for the healthcare industry. However, it is clear that data, now called the new oil, is seeing a threat that has become rampant, sophisticated, and severe, said Arushi Jain, director, Akums Drugs and Pharmaceuticals. As pharmaceutical companies continue to embrace digital transformation, their highly sensitive, valuable information becomes even more at risk for cyberattacks, she said.
“Pharma companies face their IT environment being landed with legacy hardware and software. In particular, operational technology devices, networks and systems that support business did not have IT security in mind when built. These networks and systems need to connect with IT networks, which exposes them to an organisation’s entire threat landscape and creates new opportunities for cyber criminals,” she explained.
Data governance needed
While the Central government is currently pushing to digitise health records, data protection and cyber-security are governed by the Information Technology Act and the Contract Act. The government has also introduced the Digital Personal Data Protection Bill, which is currently pending before the Parliament.
Data protection is not rocket science, but requires legal and technical artisanship, the allocation of adequate resources and the training of all professionals involved in the processing of personal data, says the World Health Organisation (Europe) in its paper, titled “The protection of personal data in health information systems – principles and processes for public health”. It advocates for continuous effort that is based on an institutional vision, a governance concept and a willingness to be accountable.