8.1 - Nitish Chandan

Healthcare and Cyber Security 2015: Is India Ready?
Nitish Chandan
Int. B.Tech CSE + LL.B Hons. Cyber Law (UPES, Dehradun)
Founder & Technical Writer
The Cyber Blog India

Cyber Security in Healthcare is divided into two fronts:

Data: EHR (Electronic Health Record)
Contains a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results in a digital version.

Critical Network Infrastructure
(All devices and equipment on a network that are responsible for monitoring and evaluating patient health and for delivering some form of treatment.)

Problem in the Indian Scenario:
Data
• Estimation of readiness is not possible as of today; numerous health centres are still digitally disconnected.
• Standards for EHRs are available, but they go only as far as saying that records should be secure.
• “Generally, all electronic health information must be encrypted and decrypted as necessary according to user defined preferences in accordance with the best available encryption key strength.”
• NeHA has been constituted, which will also deal with privacy issues and healthcare.
• Data leaks are not only due to insufficient standards and policy (similar standards in IT law as well); user awareness, among both patients and caretakers, is lacking.
• Who is the owner of an EHR?

Critical Infrastructure
• A study by a researcher at one of the Midwest healthcare facilities revealed that drug infusion pumps could be remotely manipulated to change dosage.
• Defibrillators controlled over Bluetooth were prone to attacks that could give random shocks to a patient’s heart or prevent one.
• Thermostats on networks are vulnerable to changes in temperature settings. This has caused spoilage of drugs.
• Misdiagnosis, wrong prescription and administration of unwarranted care.
• Leads to a new type of crime: Cyber Murders.

Vulnerabilities
• Some emergency equipment could be rebooted and wiped clean of its configuration, allowing hackers to take control of important healthcare infrastructure.
• Passwords are still names of people, admin, password, 1234.
• The biggest Cyber Security fact in any system is that no firewall or IPS can protect a system that is protected by a password like the above.
• Another problem is with the level of encryption and secure channels for communicating embedded systems’ data into patient records and vice versa.
• Newer technologies like infusion pumps with a web administration interface for nurses to change drug dosage are easily hackable because of hardcoded passwords that are often never changed.

• Implantable medical devices are set to grow about 7.7% through 2015, and more than 2.5 million people already rely on them.
• Medical information can be worth 10 times as much as a credit card number.
• We are a little ready for what we are facing, but we are not yet facing what the rest of the world is.
• A lot has been said about EHRs in the national EHR Standards, but an overall Cyber Security Policy for the infrastructure is absent.

To Conclude
“Awareness and Sensitization is the key to Cyber Safety”
• Carefully categorize and classify data: about patients, hospital, staff, etc.
• Sensitize user groups who are responsible for handling digital equipment.
• Employ security audits and penetration testing of devices, networks and users.
• The next generation is going to be one of Cyber Murders, and when we look back then, the question that is in the present tense today might be, “Shouldn’t we have been ready?”