‘Deep Armor has worked with the US FDA closely and would be happy to work
with the GoI and with private businesses to ensure high security standards of
India IoMT and healthcare products.’
Healthcare Industry is in the verge of major growth, besides the significant adoption of IoMT devices, SaMD and many more internet based advanced medical equipments. Needless to say that this industry is becoming a hot target for hackers, as it promises a quantum leap.
Digital CIO bureau spoke to Mr. Sumanth Naropanth, CEO, Deep Armor to understand the growth, direction and challenges this healthcare cyber security industry is bound to face.
1) How big is the market for healthcare cyber security globally? Where does India stand
in global scenario?
Healthcare cybersecurity is poised to grow significantly over the next 3-5 years. This is because
of two reasons:
- Rapid digitalization in the medical device sector means that software and hardware systems now have access to patient and medical data a lot more than the previous years. Personal Health Information (PHI) and various other forms of personal information is now collected, stored, processed and accessed in new ways. While this offers a rich set of use cases and experiences, it also increases the risk of cyberattacks against such sensitive information. Many forms of medical devices are also used for drug administration and therapy, so cyber attacks against such systems may lead to lethal consequences.
- Compliance and regulatory standards are more mature and advanced today. For example, the US Food &Drug Administration (FDA) very recently (in September 2023) announced a new final guidance for cybersecurity of medical devices. Similar standards and regulatory requirements exist in other countries as well. Medical device manufacturers (including Software as a Medical Device (SaMD) vendors) are required to mandatorily comply with these standards in order to sell their solutions to customers
The healthcare cyber security market is in infancy in India. We do not have as many med-tech industries as the western world, but this is changing as we speak. Deep Armor has worked with a handful of startups in the healthcare/medical device sector and has advised them on long-term strategies for cyber security for their devices.
Our privacy laws and medical regulations are developing and maturing, but we have a long way to go. In August 2023, the Indian Parliament passed the Digital Personal Data Protection Act, which will have implications to vendors and device manufacturers who process medical/private information. This is a big step forward.
2) As healthcare data breaches are on the rise even though tough healthcare compliance
and regulations are in place, how can healthcare data breaches be prevented?
Cybersecurity for healthcare and medical devices require a defense-in-depth approach. Traditional approaches will no longer work, when you have modern technologies such as IoT/IoMT and cloud services being actively used in this industry.
For example, a very common misconception is that data in cloud is secure by default, which is not true. All cloud service providers explicitly say that cloud security is a shared responsibility,
which means that their customers are responsible for the security IN the cloud, while the service provider is responsible for the security OF the cloud. Poor or insufficient security practices often lead to medical information theft, ransomware attacks (which are on the rise against hospitals, unfortunately — even leading to patient death), and loss of critical services.
A defense-in-depth approach should ensure that the product architecture, design, implementation, deployment and maintenance — all stages of the product lifecycle have cybersecurity embedded in them. Holistic and redundant security measures are required. An important aspect of cybersecurity planning is also response and disaster recovery. No industry or medical service provider should assume that they will not be hacked. They should be adequately prepared to respond in a timely and effective manner when an incident occurs.
3) Medical transcription service is one of the areas, where hackers are investing big time
and forcing organizations to bear significant loss of reputation. How do you see it?
Medical transcription business is very attractive target for cyber criminals. This is because such businesses collect, process and store a wealth of personal and patient-related information (PHI, PII and personal data). Such data can often be used to sell on the dark web, extortion and for other nefarious means. Medical transcription businesses are also usually small and mid-sized companies, without adequate know-how about cyber security.
This makes them an easy target as well. Modern services such as public cloud have, on the one hand, helped such MT companies to rapidly scale their businesses and offer a rich set of use cases to their customers. Unfortunately, if such systems are not designed and developed with security in mind, they are very likely to be breached.
Cyberattacks against MT businesses can lead to very expensive legal implications and impact to the brand image.
4) Several significant data breaches have forced to strengthen the security posture of Internet of Medical Things (IoMT). Is this an area where future attacks will happen at higher scale, as it invites hackers at large?
IoMT promises to offer capabilities that have never existed before. For example, use of digital insulin pumps and blood glucose monitors can eliminate the need for expense lab tests and visitsto the hospital. While these solutions will improve the quality of medical services and eventually the quality of life, they have a dark side. Using the same example, if a hacker is able to get into an insulin pump, he/she may be able to inject a lethal dose of insulin to the user without their knowledge.
IoMT systems use the same underlying technologies that have been in use in the IoT industry — use of small microcontrollers, wireless technologies such as Bluetooth/BLE/Zigbee/Z-Wave,mobile applications and cloud services. All these building blocks of IoT systems have known weaknesses and can be difficult to design securely.
While some IoT systems may be viewed as luxury or optional (for example, smartwatches, home automation, etc.), IoMT systems are mission critical.
They CANNOT fail, especially when patient safety is at stake. Therefore, such attacks are also likely to become high-profile and expensive — attracting cyber criminals to dig more into these systems.
5) How seriously GoI should look at preparing strong healthcare cyber security regulations and what should be the major guidelines to follow?
The GoI should have a well-rounded process for auditing healthcare and medical devices that enter the market in India. In addition to functional audits, cyber security should play a key, mandatory role in approval of such devices.
Such cyber security audits should include end-to-end product security assessments, ensuring that the manufacturer owns sufficient responsibility for the cyber security maintenance of the product throughout its life cycle, and is prepared to respond to security incidents when they occur.
The GoI should also look at the US FDA 510(k) Premarket and Post-Market guidance as examples of how healthcare and medical devices should be regulated. India needs its own cyber security standards for this sector.
6) Do today healthcare devices or IoMT devices need Security by Design & approach, while developed? Is that a tough one asked for?
Yes. This is because while several other market technologies such as web and mobile apps are commoditized to a certain extent, IoT and IoMT systems are not.
These solutions may take many different forms, shapes, form factors, use cases and deployment environments. An insulin pump may not have much in similar to a drug therapy machine in a hospital, but both run serious risks of cyber attacks and could lead to patient death. However, a fundamental Security by Design & framework could be drafted, put into effect and regularly updated so that the cyber security principles could apply to all such IoMT systems.
Such a framework should help in holistic understanding of the threat actors, trust boundaries, security objectives/non- objectives, vendor responsibilities and other topics.
Deep Armor has worked with the US FDA on such topics, and has successfully led many US-vendors in implementing a secure-by-design methodology for their products and clearing the 510(k) Cybersecurity audits.
We would be happy to work with the GoI and with private businesses to ensure that India IoMT and healthcare products achieve and maintain a high security bar.