How can Indian Companies Improve their Cybersecurity Frameworks, Particularly in Critical Sectors like Healthcare? Rishi Agrawal, CEO and Co-Founder, Teamlease Regtech 2024-11-10 The advent of the digital revolution has transformed every sector and industry, and the $370+ billion healthcare sector is no exception. While the Digital India initiative has transformed both markets and their regulatory landscapes, the development of necessary checks, controls and protections for data security has not kept pace. The regulatory gaps around data privacy and protection were the key factors that led to the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act). Even though the DPDP Act aims to limit data collection and usage, concerns about data security persist. For instance, the absence of standardized data encryption increases vulnerability to cyberattacks. Healthcare institutions and professionals, including hospitals, pharmaceutical companies, pharmacies, medical representatives and doctors, consistently handle highly sensitive personally identifiable information (PII). This data encompasses medical records, such as patients' illness histories, medication details, financial information and other sensitive personal data. All of which are highly attractive to cybercriminals. This data can reveal sensitive private information about the person's health and life. Its leakage can lead to societal stigma, discrimination in the workplace and damage to personal relationships. Sensitive conditions, like mental health or chronic illnesses, could expose individuals to judgment or bias. The breach of such data can tarnish a person's societal reputation, causing embarrassment and affecting their social standing. Additionally, these leaks undermine trust in the healthcare system. Threat actors exploit stolen data to access financial services like loans and credit cards, create fraudulent bank accounts, and conduct illegal transactions. The risk of identity theft has turned PII into a commodity traded in underground markets. Additionally, the widespread availability of such data enables malicious actors to prey on vulnerable individuals, luring them with false promises of inexpensive medicines or rapid medical treatments. Additionally, this data can be sold to businesses interested in the medical history of a person to advertise targeted products such as insurance and treatment procedures. The state of cybersecurity within the healthcare sector is also up for debate as most healthcare institutions lack in-house expertise. They end up outsourcing cybersecurity services to third-party providers. While outsourcing offers immediate access to expert knowledge and can be cost-effective, it also poses risks. Relying heavily on external vendors can lead to a loss of direct control over security protocols. Additionally, many service providers manage cybersecurity for multiple clients, resulting in a lack of dedicated attention to individual institutions. Should a service provider become the target of a cyberattack, all its clients, including healthcare organizations, may lose access to their data, exacerbating the risks associated with outsourcing critical security functions. Even for institutions that have an in-house cybersecurity framework, a lack of robust cybersecurity measures can cause significant harm. Ransomware, phishing and advanced persistent threats (APTs) are threats to proprietary information, financial records and PII. While regulatory frameworks provide cybersecurity guidance, they often act reactively as cybercriminals continuously evolve their tactics. As such, companies must be proactive by deploying advanced security technologies, conducting regular audits and offering employee training programs to bolster both resilience and awareness. Healthcare institutions should begin by strengthening their IT teams and infrastructure. Building a resilient, secure IT environment is vital for safeguarding data and preventing breaches. The NIST 800-53 framework, internationally recognized, offers comprehensive coverage across key domains. Organizations can adopt a five-step approach to developing a robust cybersecurity framework: Identify: - Asset management: Inventory and manage hardware and software assets to allow only authorized access. - Risk assessment: Regularly assess risks to identify vulnerabilities within the company's infrastructure. - Business environment: Understand the company's role within its supply chain to prioritize cybersecurity efforts. Protect: - Access control: Implement strict controls to restrict access to sensitive data to authorized users. - Data security: Encrypt sensitive data both at rest and during transfer to prevent unauthorized access. - Maintenance: Regularly update and maintain systems to ensure security patches are current. Detect: - Anomalies: Establish baselines for normal network behaviors to detect potential security incidents. - Continuous monitoring: Monitor networks and systems continuously to detect unauthorized access. - Security alerts: Use automated tools to detect and respond to potential threats. Respond: - Response planning: Develop incident response plans for addressing cybersecurity incidents. - Mitigation: Execute strategies to minimize the damage caused by security breaches. - Communication: Establish communication protocols with stakeholders and regulatory bodies during incidents. Recover: - Recovery planning: Develop recovery strategies to restore operations after a cybersecurity incident. - Improvements: Analyze incidents to prevent recurrence and improve cybersecurity measures. - Backup: Ensure regular data backups and test restoration processes for efficiency. Furthermore, organizations must invest in security technologies like data encryption and masking, along with extra controls like firewalls and network security. Establishing industry-standard certifications like ISO 27001 and SOC2 is crucial, and outdated technologies should be phased out. Regular penetration testing and vulnerability assessments should be conducted to address infrastructure vulnerabilities. Remote working environments also pose cybersecurity risks. Employees using personal devices and home networks are often exposed to attacks due to insufficient security controls. Enforcing the use of Virtual Private Networks (VPNs) and Two-Factor Authentication (2FA) can help protect sensitive data. Additionally, Data Loss Prevention (DLP) tools can be implemented to limit the data employees can transfer. International cybersecurity frameworks impose obligations on organizations, increasing their compliance burden. For instance, in India, businesses are subject to regulations like the Companies (Management and Administration) Rules, 2014 and the SPDI Rules, 2011, requiring companies to implement security controls and report cybersecurity incidents to CERT-In. While enterprises are focused on technological solutions for cybersecurity, they often overlook the importance of digitizing compliance functions. The complexity of India's regulatory environment, comprising over 1,500 acts and more than 69,000 compliance requirements, makes managing compliance challenging. Relying on manual compliance methods can lead to delays and lapses. Adopting regulatory technology (RegTech) platforms, which offer features like real-time updates, automated alerts and customizable checklists, can help employers manage compliance effectively. As India moves towards becoming a $10 trillion economy, digital solutions enabling regulatory compliance will be key to ease of doing business. Facilitating the flow of information between private enterprises and regulatory authorities will allow businesses to innovate while keeping pace with dynamic market conditions.

Latest on IT News Online

Ericsson ConsumerLab: Rising Use of GenAI Apps Boosts User Interest in Differentiated Connectivity IT News Online

Gartner: 80 Percent of NEDs Believe Current Board Practices and Structures Are Inadequate to Oversee AI IT News Online

Hitachi Vantara Expands Hybrid Cloud Storage Platform with Object Storage, All-QLC Flash and Advancing Cloud Integration IT News Online

HonKuwa Pharmaceutical Debuts at the 7th CIIE, showcasing a new trend of natural health Media OutReach

Press Releases via Business Wire India

CyberArk and Wiz Team Up To Provide Complete Visibility and Control for Cloud-Created Identities

E-Commerce AI Startup BiteSpeed Raises USD 3.5M Funding, Led by Peak XV's Surge

Tecnotree Selected to Provide Multi-Tenant MVNE Platform and Moments Marketplace to Power Tier 1 MVNE in EMEA

PopVax Announces that the U.S. National Institute of Allergy and Infectious Diseases will Conduct and Sponsor the U.S.-based Phase I Clinical Trial of PopVax's Next-Generation mRNA-LNP COVID-19 Vaccine as part of the U.S. Government's Project NextGen

Press Releases via Globe Newswire

Cloudera to Acquire Octopai's Platform to Deliver Trusted Data Across the Entire Hybrid Cloud Data Estate

Cloudera Unveils New AI Assistant to Help Supercharge Efficiency for Data Practitioners

AVFX Capital Introduces – Forex for Everyone Initiative- Affordable Trading

Unifiedpost continues to report double-digit growth in its digital services business

Press Releases via PR Newswire

National Nonprofit Partners with Arkansas Community Colleges to Build Skills-Based Pathways and Promote Economic Growth

Vantage Markets Emerges as Top-ranked Broker across Multiple Categories in Investing.com's Recent Performance Test during the US Election Period

IMC LOGISTICS AND KUEHNE+NAGEL ENTER INTO STRATEGIC PARTNERSHIP

GrayMatter acquires US-based Servy

Press Releases via PR.com

Google Joins the Texas Nuclear Alliance as a Founding Member

TeachMe TV® Welcomes Industry Leader Nathaniel Fairfield as Chief Technology Officer

STS Metals, a Portfolio Company of Tinicum, Has Acquired Brown Europe

NAF Appoints Executive Chairman of RTX, Gregory J. Hayes as Chairman of the Board of Directors, Founder Sanford I. Weill Becomes Chairman Emeritus

Press Releases via RealWire

Speedcast Delivers First Live Deployment for OneWeb’s Maritime LEO Service

Infinigate Group Appoints Simon England as Chief Growth Officer

neXat expands further East with KT SAT partnership

Upgraded RADOX® EV-C with high-voltage Flex cable to ease harness preparation and installation for electric vehicles