A wake-up call for India

By Suman Kochhar & Rishabh Kochhar

With around 150 countries recovering from the recent blitz of cyber-attacks on May 12, we too are facing some questions. How safe are our e-data? What about our medical and health records? What about our personal information?

An attack that could have been prevented

Hospital staff from 48 trusts of the UK National Health Service (NHS) first became aware of a cyber-attack around noon on May 12 when computers displayed messages asking for ransom to decrypt certain hacked files. 

What started off as a national scare for Britons soon turned out to be a global shock, as it emerged that hackers, exploiting a security flaw in Microsoft’s software, held several companies from North America and Europe to ransom. WannaCry, the ransomware which found victims such as Fedex, NHS, and the Tirupati Temple in Hyderabad, used a loophole in the Windows operating system (OS) to encrypt its victims’ files. Users were asked to pay a ransom in Bitcoins to be able to see their files decrypted, leading to a chaos. Interestingly, while Microsoft had released a security patch for this very issue in March, several users, including the cyber-attack victims, did not install the upgraded patch. 

A study conducted into the software used by the NHS revealed 90 per cent of the systems were using the obsolete Windows XP as an OS, for which security patches have been unavailable for three years. IT experts, even Microsoft, had repeatedly advised users to upgrade to newer version of Windows, but the NHS, among others, continued using this ‘legacy system’, leaving its systems exposed to hackers.

The impact

As hospitals under the NHS were held to ransom, it was the patients who suffered the most. With networks down between computers and medical equipment, surgeries had to be cancelled and ambulances diverted. For the most critical of cases, staff were forced to resort to the traditional pen and paper and used their own electronic devices to register patients’ details. Not unexpectedly, the cyber-attack also sparked off a political row with the Labour Party demanding a probe into why the Conservatives had cut cybersecurity support when it axed a £5.5m deal with Microsoft a year ago.

Global healthcare

It is through sheer good luck that a 22-year-old cyber security analyst found a ‘kill switch’ in WannaCry and helped end the ransomware’s wrath, thereby averting what was feared to be a long week of cyber-misery. The attack found victims from industries around the world, but the most worrisome is its impact on the healthcare sector. The US has tried its best to protect the details of its citizens, especially Personally Identifiable Information and Protected Health Information, such as the Social Security Number. The data is protected with the help of laws such as the Health Insurance Portability and Accountability Act. 

Compromise of the data has led to identity thefts, with imposters claiming benefits of the deceased. This information can also be used with cruel effects. Arthur Ashe, one of America’s best tennis players, was left in an unenviable position after the news of him contracting HIV/AIDS leaked to the public. It was only after he explained how he contracted the virus during a brain surgery, his social victimisation ended. Others have suffered worse fates. A truck driver in New Orleans was unlawfully fired after news of him contracting HIV/AIDS leaked to his employer, who did not want to pay for the expenses. These are laymen; but what would happen if PHI of a global figure leaked out? One cannot even imagine how different the world might be today if news of Franklin Roosevelt’s polio and heart condition had reached Hitler and Stalin, or if the news of Muhammad Ali Jinnah’s tuberculosis had found its way to the erstwhile Indian public.

Going digital

Modern healthcare has become increasingly dependent on IT. Electronic Health Records (EHRs) are electronic versions of what we once knew as hospital cards and store most of the information of patients from vital statistics to known health issues, and previous diagnoses and prescriptions. EHRs have reduced the paperwork and human effort involved. But banal as it might sound, with great power comes great responsibility, and the same applies for EHRs. Experts have always held their reservations against the security of EHRs, but the recent NHS cyber-attack is the first large-scale example of such a security breach. 

At home, in India

India is in the midst of a digital revolution with campaigns such as Digital India, and concepts such as Aadhaar, UID, and digital money gaining popularity. EHRs, too, have gained popularity in India, with many government and private hospitals embracing this technology. However, as we move towards a digital future, we must be wary of the potential security risks which digitalisation brings. With WannaCry bringing many nations to a standstill, and even as several new attacks are predicted in the immediate future, we must use this as a wake-up call to cover the loopholes in our cyber security systems, especially with the kind of neighbours that we have.

Dr Suman Kochhar is a professor and head of Radiodiagnosis at GMCH, Sector 32, Chandigarh and Rishabh Kochhar is an IT professional engaged in the healthcare sector