How can Indian Companies Improve their Cybersecurity Frameworks, Particularly in Critical Sectors like Healthcare?
Rishi Agrawal, CEO and Co-Founder, Teamlease Regtech
2024-11-10

Rishi-Agrawal-200The advent of the digital revolution has transformed every sector and industry, and the $370+ billion healthcare sector is no exception. While the Digital India initiative has transformed both markets and their regulatory landscapes, the development of necessary checks, controls and protections for data security has not kept pace. The regulatory gaps around data privacy and protection were the key factors that led to the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act). Even though the DPDP Act aims to limit data collection and usage, concerns about data security persist. For instance, the absence of standardized data encryption increases vulnerability to cyberattacks.

Healthcare institutions and professionals, including hospitals, pharmaceutical companies, pharmacies, medical representatives and doctors, consistently handle highly sensitive personally identifiable information (PII). This data encompasses medical records, such as patients' illness histories, medication details, financial information and other sensitive personal data. All of which are highly attractive to cybercriminals. This data can reveal sensitive private information about the person's health and life. Its leakage can lead to societal stigma, discrimination in the workplace and damage to personal relationships. Sensitive conditions, like mental health or chronic illnesses, could expose individuals to judgment or bias. The breach of such data can tarnish a person's societal reputation, causing embarrassment and affecting their social standing. Additionally, these leaks undermine trust in the healthcare system.

Threat actors exploit stolen data to access financial services like loans and credit cards, create fraudulent bank accounts, and conduct illegal transactions. The risk of identity theft has turned PII into a commodity traded in underground markets. Additionally, the widespread availability of such data enables malicious actors to prey on vulnerable individuals, luring them with false promises of inexpensive medicines or rapid medical treatments. Additionally, this data can be sold to businesses interested in the medical history of a person to advertise targeted products such as insurance and treatment procedures.

The state of cybersecurity within the healthcare sector is also up for debate as most healthcare institutions lack in-house expertise. They end up outsourcing cybersecurity services to third-party providers. While outsourcing offers immediate access to expert knowledge and can be cost-effective, it also poses risks. Relying heavily on external vendors can lead to a loss of direct control over security protocols. Additionally, many service providers manage cybersecurity for multiple clients, resulting in a lack of dedicated attention to individual institutions. Should a service provider become the target of a cyberattack, all its clients, including healthcare organizations, may lose access to their data, exacerbating the risks associated with outsourcing critical security functions.

Even for institutions that have an in-house cybersecurity framework, a lack of robust cybersecurity measures can cause significant harm. Ransomware, phishing and advanced persistent threats (APTs) are threats to proprietary information, financial records and PII. While regulatory frameworks provide cybersecurity guidance, they often act reactively as cybercriminals continuously evolve their tactics. As such, companies must be proactive by deploying advanced security technologies, conducting regular audits and offering employee training programs to bolster both resilience and awareness.

Healthcare institutions should begin by strengthening their IT teams and infrastructure. Building a resilient, secure IT environment is vital for safeguarding data and preventing breaches. The NIST 800-53 framework, internationally recognized, offers comprehensive coverage across key domains. Organizations can adopt a five-step approach to developing a robust cybersecurity framework:

Identify:
- Asset management: Inventory and manage hardware and software assets to allow only authorized access.
- Risk assessment: Regularly assess risks to identify vulnerabilities within the company's infrastructure.
- Business environment: Understand the company's role within its supply chain to prioritize cybersecurity efforts.

Protect:
- Access control: Implement strict controls to restrict access to sensitive data to authorized users.
- Data security: Encrypt sensitive data both at rest and during transfer to prevent unauthorized access.
- Maintenance: Regularly update and maintain systems to ensure security patches are current.

Detect:
- Anomalies: Establish baselines for normal network behaviors to detect potential security incidents.
- Continuous monitoring: Monitor networks and systems continuously to detect unauthorized access.
- Security alerts: Use automated tools to detect and respond to potential threats.

Respond:
- Response planning: Develop incident response plans for addressing cybersecurity incidents.
- Mitigation: Execute strategies to minimize the damage caused by security breaches.
- Communication: Establish communication protocols with stakeholders and regulatory bodies during incidents.

Recover:
- Recovery planning: Develop recovery strategies to restore operations after a cybersecurity incident.
- Improvements: Analyze incidents to prevent recurrence and improve cybersecurity measures.
- Backup: Ensure regular data backups and test restoration processes for efficiency.

Furthermore, organizations must invest in security technologies like data encryption and masking, along with extra controls like firewalls and network security. Establishing industry-standard certifications like ISO 27001 and SOC2 is crucial, and outdated technologies should be phased out. Regular penetration testing and vulnerability assessments should be conducted to address infrastructure vulnerabilities.

Remote working environments also pose cybersecurity risks. Employees using personal devices and home networks are often exposed to attacks due to insufficient security controls. Enforcing the use of Virtual Private Networks (VPNs) and Two-Factor Authentication (2FA) can help protect sensitive data. Additionally, Data Loss Prevention (DLP) tools can be implemented to limit the data employees can transfer.

International cybersecurity frameworks impose obligations on organizations, increasing their compliance burden. For instance, in India, businesses are subject to regulations like the Companies (Management and Administration) Rules, 2014 and the SPDI Rules, 2011, requiring companies to implement security controls and report cybersecurity incidents to CERT-In.

While enterprises are focused on technological solutions for cybersecurity, they often overlook the importance of digitizing compliance functions. The complexity of India's regulatory environment, comprising over 1,500 acts and more than 69,000 compliance requirements, makes managing compliance challenging. Relying on manual compliance methods can lead to delays and lapses. Adopting regulatory technology (RegTech) platforms, which offer features like real-time updates, automated alerts and customizable checklists, can help employers manage compliance effectively.

As India moves towards becoming a $10 trillion economy, digital solutions enabling regulatory compliance will be key to ease of doing business. Facilitating the flow of information between private enterprises and regulatory authorities will allow businesses to innovate while keeping pace with dynamic market conditions.

more...
more...
more...
more...
more...
more...