Disclaimer: Copyright infringement not intended.

Context

• Common medical devices such as oximeters, hearing aids, glucometers, and pacemakers can be turned into spyware and malware, say experts.

Background

• The healthcare industry has become a hot target for hackers.
• Healthcare-focused ransomware attacks on medical devices are causing major disruptions in healthcare industry.

A ransomware attack is a computer virus that encrypts one’s essential files and renders them inaccessible unless the hacker is paid for the key to open them.

Recent Ransomware attacks

• Recently, ransomware attacks were suffered by India’s top tertiary care hospitals, leading to the siege of millions of medical records and vast amounts of health data at Delhi’s All India Institute of Medical Sciences, Safdarjung Hospital and Lady Hardinge Medical College and Hospitals.
• Indian multinational pharmaceutical company Sun Pharma, the world’s fourth largest generic pharma firm, was also among the establishments that recently took a hit.
• These attacks ran parallel to the series of failed attempts to hack into India’s top medical research organisation, the Indian Council of Medical Research (ICMR).

Medical devices to malware

• Electronic health records contain one of the most valuable databases of knowledge: sensitive patient information.
• Many personal use medical technology devices — including oximeters, hearing aids, glucometers, medical monitoring watches, and implants such as pacemakers and insertable loop recorders meant for long-term monitoring and recording of electrical activity of the heart — all contain software as medical device (SaMD) and software in medical devices (SiMD) and are usually connected to the internet, mobile phones, servers, and the cloud.
• If not given adequate cyber protection, these devices can be turned into spyware and malware and can even breach data.

Concern

• Currently, there are no guidelines on the regulation of SaMD and SiMD.

Vulnerable population

• India has one of the world’s top 20 markets for medical devices and the fourth-largest in Asia.
• The medical devices sector in India is projected to reach $50 billion by 2025, according to the India Brand Equity Foundation.
• Rapid economic growth, rising middle class incomes, and the increased market penetration of medical devices has left the population vulnerable, experts say.

Inadequate systems

• India currently lacks any centralised data collection mechanism which gives an exact cost of data corruption for the healthcare industry.
• However, it is clear that data -- now called the new oil -- is seeing a threat that has become rampant, sophisticated, and severe. As pharmaceutical companies continue to embrace digital transformation, their highly sensitive, valuable information becomes even more at risk for cyberattacks.
• Pharma companies face their IT environment being landed with legacy hardware and software.
• In particular, operational technology devices, networks and systems that support business did not have IT security in mind when built.
• These networks and systems need to connect with IT networks, which exposes them to an organization’s entire threat landscape and creates new opportunities for cyber criminals.

Way Ahead: Data governance needed

• The government should consult with industry experts to identify the challenges that could pose a risk to national security.
• While the Central government is currently pushing to digitise health records, data protection and cyber-security are governed by the Information Technology Act and the Contract Act.
• The government has also introduced the Digital Personal Data Protection Bill, which is currently pending before the Parliament.
• Data protection requires legal and technical artisanship, the allocation of adequate resources and the training of all professionals involved in the processing of personal data.
• WHO advocates for the continuous effort that is based on an institutional vision, a governance concept and a willingness to be accountable.
• As security risks continue to rise, the need for greater levels of automation in conjunction with smart and intelligent AI-based tools becomes ever more necessary. 

TYPES OF MALWARE: https://www.iasgyan.in/blogs/malwares-and-its-types

PRACTICE QUESTION Q. Cybersecurity threats to medical devices are a growing concern. As security risks continue to rise, the need for greater levels of automation in conjunction with smart and intelligent AI-based tools becomes ever more necessary. Substantiate.

https://www.thehindu.com/news/national/your-medical-device-could-be-spying-on-you-industry-demands-protective-laws/article66710678.ece