Thiruvananthapuram, May 9 (FN Representative) A comprehensive layered security approach is essential to protect against the wide range of cyber threats at the Regional Cancer Centre (RCC), KS Manoj, one of the leading cyber security professionals in India, told UNI on Thursday. He was responding to the cyberattack on the Radiation Department at the RCC, a state-owned premium cancer care hospital and research centre, serving patients from across India, here on April 30, 2024. In one of the highest volumes of cyberattacks in India, details of 20 lakh patients with the Regional Cancer Center (RCC) here were compromised, affecting 11 out of 14 servers causing disruptions in many divisions, including the Radiation Department. There were allegations that the cybercriminals successfully infiltrated the data source of RCC and extracted sensitive information from over 80 lakh patients, demanding a ransom of USD 100 million. On security aspects, he said, “The layered security involves multiple layers of defense across the organization, including not just firewalls and antivirus but also intrusion detection and prevention systems, data encryption, access controls, and more.” Saying that the Operational Technology (OT) and Information Technology (IT) systems have different security requirements, he said segregating these can limit the spread of cyber threats from one system to another.“Dividing the network into smaller, secure segments can prevent an attacker from gaining access to the entire network if they breach one segment. The Defense in Depth Strategy uses a series of defensive mechanisms to protect data and information so that if one mechanism fails, another will already be in place to thwart an attack,” he added.Proper integration ensures that security measures are consistently applied across both OT and IT systems, which is crucial for the overall security posture of the hospital, he said. “Ensuring that data flows securely between different zones of the network and to external entities is critical to prevent data breaches and leaks. A domain expert or consultant is also crucial in developing, implementing, and maintaining robust security policies in hospitals.
They bring specialized knowledge in biomedical engineering, clinical engineering, robotic surgery, embedded systems, connected devices, IoMTs, and OT security,” he said. “They perform risk assessments, VAPT, provide customized solutions, offer training and education, ensure regulatory compliance, and offer crisis management guidance. Their expertise and experience can significantly improve the effectiveness of security policies, compliances, regulations, and procedures,” he explained.“A firewall is a fundamental component of network security, it is most effective when used in conjunction with IDS and IPS. Additionally, the real-time log monitoring performed by a SOC is vital for the early detection of and response to security incidents, making it an indispensable part of a comprehensive cybersecurity strategy,” he said. In conclusion, a robust cybersecurity strategy for a large hospital must include a mix of technological solutions, policies, and procedures to safeguard the confidentiality, integrity, and availability of healthcare information and infrastructure.It’s about creating a resilient environment that can not only defend against threats but also quickly recover from any security incidents that do occur, he said. “It is imperative that RCC engage with domain experts to establish robust, failsafe, and fault-tolerant security protocols that ensure at least graceful degradation. This approach is critical and should be prioritized over solely relying on the counsel of security professionals or the solutions offered by third-party vendors.” “The cavalier treatment of patient data must cease immediately, as it constitutes a blatant violation of patient privacy rights. The sanctity of personal health information is paramount, and RCC must uphold the highest standards of data protection and privacy.” KS Manoj, who is an engineering physicist and an electronics engineer with a research and design interest in industrial cybersecurity by deploying defense-in-depth (DiD) and layered security strategies to protect Critical Infrastructure, said a Board-approved security policy is crucial for hospitals to protect sensitive patient data, ensure compliance with regulations like HIPAA, and prevent unauthorized access to systems and patient information.
It also provides a standard for employees to follow, aids in risk management, and ensures regulatory compliance, he added. On awareness and training, he said CISO training hospital staff in GDPR, HIPAA, and DPDP Act is crucial for understanding legal requirements, handling sensitive data responsibly, preventing breaches, maintaining patient trust, and fostering a culture of data protection. KS Manoj worked for KELTRON, SCTIMST and KSEBL, before joining Intelegrid ECC(P) Ltd as an Research Engineer (OT Security) and a domain expert in critical infrastructure. He also authored numerous technical books and articles on cyber security.Pointing out that the RCC has demonstrated that their UTM system (which is one of the components of layered security) is not sufficient to prevent a breach, he said that for securing a large hospital like the RCC, simply placing firewalls and installing antivirus software are not sufficient. The healthcare sector is increasingly targeted by cyberattacks due to the sensitive nature of medical data, and the consequences of a breach can be severe, he added. “After the cyber-attacks on AIIMS, the Ministry of Healthcare has implemented layered security with a Defense in Depth strategy in AIIMS. A 3-2-1 backup system has has implemented.” “The Indian Computer Emergency Response Team (CERT-In) issued a special advisory on security practices to enhance the resilience of health sector entities by implementing layered security with Defense in Depth as it has been implemented in AIIMS. A 3-2-1 backup has also been recommended.” The RCC authorities ignored both directions, despite repeated cautions. This, in fact, paved the way for cyberattacks, he said.“Further, all health sector entities were advised to carry out special audits through CERT-inempaneled auditors and implement security best practices,” he added.