In November 2022, the ransomware attacks on the All India Institute of Medical Sciences (AIIMS) and the Indian Council of Medical Research (ICMR) exposed the vulnerability of India’s biomedical research organizations to cyber attacks. These organizations are increasingly becoming victims of cyber attacks due to the sensitive data they hold, such as patient samples, pathogens, incubators, and so on. Reports suggest that the cyber attack on AIIMS resulted in the compromise of data for about 30 to 40 million patients, including high-level political figures.
Biomedical organizations are often rendered more vulnerable to cyber attacks due to minimal awareness regarding potential cyber threats among researchers, limited communication between the research and IT teams, insufficient safeguards to prevent cyber attacks, and budgetary constraints.
The attacks on AIIMS and ICMR should therefore act as a warning for biomedical institutions in India to implement cyber hygiene best practices to ensure the security of their organizations.
The work produced by biomedical institutions should be protected for two reasons:
- If the work is stolen or lost before it is completed, credit may not be given to the right person. For example, the discovery of the structure of DNA is attributed to Watson and Crick and not Rosalind Franklin.
- Trust is key for the field. If trust is lost due to data theft, it might lead to reputational damage, resulting in difficulties in acquiring further data for research.
Cyber-biosecurity is an emerging field that could be a starting point for biomedical institutions in India to cultivate best practices to prevent cyber attacks and raise awareness among researchers regarding the need to implement them. Cyber-biosecurity does not supersede cybersecurity or biosecurity; rather, it highlights the vulnerabilities at the growing interface between the biomedical and cyber worlds. Implementing cyber-biosecurity can ensure accurate identification of valuable assets and establish the right safeguards to protect scientific research.
It is, however, important to note that there is no blanket solution to protect scientific research across all organizations in India. Each biomedical research organization should therefore identify its own valuable assets, recognize possible threats, ascertain the funds available to establish cyber hygiene best practices, and design a security framework accordingly.
This article is based on insights derived from a closed-door workshop organized by Carnegie India in collaboration with Health Security Partners. The workshop brought together IT professionals, biosafety officers, laboratory scientists, technicians, and researchers from various biomedical research institutions. The participants discussed strategies to implement cyber hygiene best practices at the institutional level to protect valuable research data and other sensitive information from cyber attacks.
This article is therefore a primer for researchers and the IT community in biomedical research institutions in India to enable them to:
- recognize valuable assets in a research organization;
- identify sources of threats, motives behind cyber attacks, and the detection of a cyber attack; and
- implement best practices to safeguard scientific research.
Identifying Valuable Assets
To safeguard an organization against cyber threats, it is crucial to identify the valuable assets it possesses and understand the opportunity cost in case they are compromised or stolen. All research organizations should try to categorize their valuable assets into the following four broad categories:
- Biological samples: microbial or viral cultures, patient samples, pathogens, vaccines, toxins, plasmids, cell lines, embryos, and so on. For example, the motivation behind cyber attacks on multiple Indian and global pharma companies during the coronavirus pandemic was largely to steal vaccine research data, patient information, and data from clinical trials.
- Data: data samples (raw or analyzed), equipment for data storage, software that enables data transfer, and so on. For example, a cyber attack on IPCA laboratories, one of the largest pharmaceutical companies in India, led to the compromise of 500 GB of data with sensitive information on their research, employee data, and internal audits.
- Instruments: incubators, microscopes, computers, biosafety cabinets, deep freezers, medical devices, and so on. For example, Medtronic, a medical device company, realized that the remote controller for certain insulin pumps could be compromised and could prove dangerous for diabetic patients. They therefore issued an urgent warning to recall such controllers.
- Human resources: people who have access to assets, such as employees, vendors, contractors, and so on. For example, the World Health Organization noted an exponential increase in the number of cyber attacks targeting its staff with email scams and an approximate leak of 450 active email IDs and passwords online.
Once the assets have been identified, the next step would be to evaluate the importance and value of each asset. In addition to the cost of acquiring the asset in the first place, factors such as the impact of an asset’s compromise on research, the time it would take to recover from the incident, and the interdependency of assets (that is, whether the asset would fail in isolation or would have a domino effect on other processes) should also be taken into account to identify the value of assets. This process of evaluating the criticality of each asset should take place from the perspective of both the institution and the attacker. This is because an asset that may be worthless to the organization could be extremely valuable to the attacker—for example, biomedical waste could be a potential target for attackers to retrieve sensitive information from.
Sources of Cyber Threats
The threats to a biomedical institution can originate from two sources:
- External threats: These threats are posed by people outside the organization and can take the form of ransomware attacks, malware attacks, supply chain attacks, denial of service attacks (which are intended to render a network inaccessible to intended users), distributed denial of service attacks (which are meant to disrupt the normal traffic to a server by overwhelming the target with multiple requests), and social engineering (which is a strategy to either trick someone into downloading malicious software or manipulate them into revealing specific information for illegitimate reasons). For example, a pro-Russian hacker group targeted the Indian health ministry’s website to gain access to the data of all employees and physicians across all hospitals in India. Active since January 2022, the group used social engineering to lure their victims in a phishing scam, thereby compromising their systems. This allowed hackers to steal their victims’ passwords and gain access to their confidential information.
- Internal or insider threats: These threats come either directly from people working in the organization, such as employees, or indirectly from third-party vendors or contractors. These threats can, however, be divided based on intent, where some can be malicious, and others can be unintentional in nature. Threats of a malicious nature are those where someone is intentionally looking to cause harm through the theft of critical information, the sabotage of physical infrastructure, or the disclosure of trade secrets, confidential information, or proprietary software. For example, a disgruntled employee at Woodwinds Hospital in the United States, while leaving the organization, stole 200 pages of confidential patient files to accuse them of medical misconduct later. Unintentional threats could result from ignorance or a lack of awareness regarding cyber attacks. While unintentional, these employees make the internal systems more vulnerable to external threats. For example, leaving your workstation without locking your laptop could provide unintended access to someone with malicious intention.
Motives Behind a Cyber Attack
The motivation for a cyber attack could be different for people who are external to an organization and those who work for it internally. Some of these differences are described below:
External threats: External threats can arise for a myriad of reasons, such as financial gain, political or ideological reasons, biological weaponization, competition, and so on:
- Financial Gain: Since biomedical institutions store vast amounts of sensitive patient data, ransomware is the most common motive behind a cyber attack. These are conducted for financial gain, either to cause reputational damage to an organization or to gain access to proprietary information by a competitor. Reports suggest that any healthcare data breach costs approximately $10 million per attack. For example, in the case of the November 2022 AIIMS attack, the attackers allegedly demanded 2 billion rupees as ransom. Although there are no official reports to validate this, the attack highlights the vulnerability of Indian authorities when they had to negotiate with the hackers to retrieve patient data.
- Competition: The data can also be tampered with to compromise ongoing research, stall someone’s business activity, or steal their data as in the case of the cyber attack on AIIMS, which affected online services such as patient registration or appointment. Another example is the Chinese state-backed cyber attack on the Serum Institute of India and Bharat Biotech, the two biggest COVID-19 vaccine manufacturers in India, to gain a competitive advantage over Indian pharmaceutical companies.
- Geopolitical reasons: A state or nonstate actor can also sabotage a country’s critical infrastructure, which is vital to delivering public services. For example, the NotPetya malware attack, which aimed to disrupt Ukraine’s financial system, has been blamed on the Russian government.
Insider threats: These could be motivated both by personal and professional reasons, such as an individual’s discontent with the organization, lack of growth, jealousy, or coercion:
- Personal: financial distress, jealousy of another colleague, ideological differences, lifestyle choices, and so on.
- Professional: stress created by unfavorable working conditions, such as long working hours, improper delegation of work, poor morale due to lack of recognition and appreciation, dissatisfaction with work, and so on.
Detecting a Cyber Attack
Due to the sophisticated nature of cyber attacks, it is difficult to identify whether a system has been compromised. In cases where it is recognized, it takes organizations an average of twenty-one days to discover the breach. However, most organizations choose to not disclose the occurrence of an attack because of the fear of reputational loss and other legal liabilities. Additionally, in instances where people detect an attack in time, organizations most often do not have a well-established mechanism to report the attack, thereby limiting the scope of detection and reporting of cyber attacks. For example, the SolarWinds attack, which affected approximately 18,000 customers and compromised major tech companies such as Microsoft and Intel, along with several federal agencies in the United States such as the Cybersecurity and Infrastructure Security Agency and the Department of Justice, was discovered after nearly a year.
Therefore, early detection is crucial to minimizing the damage caused by an attack. It can allow an institution to isolate the compromised system, thereby preventing the attack from affecting other critical infrastructure in the organization. Since threats originate from both internal and external sources, strategies to detect a cyber attack should also be developed accordingly.
External threat: If the threat is external, it is imperative to be vigilant for any aberrant behavior of the network. An intrusion detection system (IDS) is a promising solution that can reveal unauthorized access or malicious activity. An IDS monitors the network for suspicious behavior and alerts the system administrator when an anomaly is detected. To enhance the detection capacity, an organization can also install a signature-based, centrally managed antivirus program, which enhances detection capabilities compared to a regular antivirus program. However, as datasets become larger, it becomes challenging for people to detect changes in the data. Yet even small manipulations can have catastrophic outcomes. In such scenarios, security information and event management (SIEM) systems based on artificial intelligence and machine learning can be deployed to detect changes where firewalls and other traditional cybersecurity tools fail.
Insider threat: In case of an insider threat, behavioral indicators can help in detecting the threat. Coworkers are the best resource for detecting changes in behavior or identifying unusual behavior. These changes can manifest as increased stress levels, an unjustified interest in security measures, frequent or secretive phone calls, signs of eavesdropping, persistent interest in unusual questions, suspicious contacts or associates, curiosity to work in sensitive areas, and so on. It is important to remember that these behavioral traits do not necessarily reveal the presence of an insider threat and can be harmless, but any signs of unusual behavior must be reported and investigated thoroughly. Personnel reliability programs should be included as part of a lab’s biosecurity policy. As part of this program, every person working in a lab should be screened before they are granted access to biological reagents and equipment. Background verification and security checks for all new hires and existing employees can be the starting point for this program to prevent the risk of insider threats. Specific measures should also be introduced to ensure that vendors are given limited access to laboratory assets so that the lab’s biosecurity is not compromised.
Strategies to Prevent a Cyber Attack
Cybersecurity is the collective responsibility of all employees in an organization and not just the IT department. Most often, the IT department is left in charge of handling the cybersecurity requirements of an organization. But representatives in the IT department sometimes do not possess adequate scientific temper to identify valuable assets in an organization. The research team, on the other hand, has a limited understanding of cyber threats but can identify valuable assets in their laboratories. It is therefore important to bridge this gap to facilitate collaboration between the IT department and the researchers in an organization to enable them to detect anomalies in the system.
As elaborated below, three specific strategies can be implemented to protect an organization against cyber attacks:
- Easy-to-implement solutions: Simple strategies such as encouraging employees to use strong and unique passwords, enabling two-factor authentication for all accounts, ensuring encryption of all devices and communication (because most ransomware attacks encrypt data and demand ransom for a decryption key), and using a virtual private network while working remotely can significantly decrease the risk posed by cyber attacks. Another important measure is to ensure that employees’ phones are as secure as their official laptops to prevent unintentional slippage of data or information.
- Institutional changes through a stringent policy: The security policies for guarding valuable lab assets should be modeled along the CIA triad, a widely used information security model that considers confidentiality, integrity, and availability as the three pillars of information security.
Confidentiality ensures that the data is kept secret and protected from unauthorized access. Integrity makes sure that the information is trustworthy and is not manipulated or tampered with. And the availability pillar facilitates access to information on demand while maintaining the confidentiality and integrity of the data.
However, it is challenging for organizations to strike a balance between these elements of the triad. For example, while confidentiality can be easily ensured by disconnecting information from the internet, doing so will restrict access to information and will also compromise data integrity by preventing regular updates. Similarly, while integrity can be maintained by verifying information from multiple independent sources, confidentiality might suffer due to more people accessing the information. Security is realized at the intersection of the three elements, and an organization must therefore build a balanced framework.
Once a security policy is established, it is important to conduct regular training exercises for all employees or vendors to ensure that all members affiliated to an organization are updated with its latest cybersecurity policy. Moreover, access to all information and equipment must be on a need-to-know basis. Contracts with third-party vendors should have a confidentiality and non-disclosure agreement to prevent the loss of sensitive information. To prepare for cases where a cyber attack is detected, organizations should also establish a reporting mechanism. This will involve assigning a point of contact, such as a public information officer, to formalize a reporting protocol.
3. Independent risk assessment mechanisms: Independent risk assessments, third-party audits, or interdepartmental audits (which involve both researchers and the IT team) can help to identify vulnerabilities in a system. Ethical hacking could be another potential strategy to expose vulnerabilities in the system. These steps could enable an organization to establish a cybersecurity framework with adequate checks and balances built in at all levels in a system. They can also notify the organization of any updates required by its information security management system (ISMS) to maintain cybersecurity. However, any changes to the cybersecurity policy following these steps should be communicated to all stakeholders.
Conclusion
Biomedical institutions in India, as described above, are at an increasing risk of cyber attacks. These attacks can originate from both external and internal sources and are driven by distinct motivations. Cyber-biosecurity is the right safeguard to protect these institutions from cyber threats. In addition to encouraging collaboration between the research and IT teams, cyber-biosecurity can guide institutions to assess their cyber vulnerabilities in an organized manner. This includes the identification of valuable assets in an organization, the regulation of access to these assets by both employees and third-party vendors, and the enforcement of customized security policies to safeguard biomedical institutions against cyber threats. Considering the rise in the number of cyber attacks on biomedical institutions, organizations should prioritize adopting cyber-biosecurity strategies to protect their sensitive research data and other assets.
The author would also like to acknowledge the contribution of Adarsh Ranjan, an intern with the Technology and Society Program at Carnegie India, for his research assistance.