Three major cyber attacks in the Indian pharma industry in the last few months have left people wondering whether there is a pattern indicating the reason for this spurt. The first was the Breach Candy Hospital breach in February 2020, in which over 121 million medical records were compromised. Of these, 120 million were images stored in the Digital Imaging and Communications in Medicine system consisting of X-rays, scan reports, etc. One million records contained Aadhaar information, medical history, etc. The data breach reportedly occurred because the access system of the hospital was compromised. Though this was an alarming data breach, the matter was hushed up and there was no apparent investigation by the Indian Computer Emergency Response Team (CERT-IN) or any further announcements in the media.
In October 2020, Dr Lal PathLabs reported a data breach of millions of records because their cloud records reportedly did not have a password for access. Again, this was brushed under the carpet and no action was initiated by CERT-IN.
More recently, Dr Reddy’s Laboratories, which was testing a Covid vaccine from Russia, was attacked. Questions must be asked whether the lack of prompt action by CERT-IN earlier emboldened the criminals to continue their attacks on these pharma companies, which are soft targets holding highly valuable data assets.
The first reaction when such cyber incidents are reported is to find out how the breach occurred, whether there were any vulnerabilities in the technical architecture or whether there was a failure of controls. But the possibility of insider fraud causing such breaches cannot be ruled out, since the negligence and information security failures are so evident that ignorance alone cannot be the cause of these attacks.
Most of these companies are certified by various agencies under ISO 27001 standards or other quality ratings and the incidents highlight the failure of these systems to protect data. Indian lawmakers have provided undue legal recognition to ISO 27001 as if it is “deemed compliance” under Section 43A (ITA 2000). These incidents highlight the folly of those who wrote these rules. Hopefully, this will be automatically obliterated after the passage of the Personal Data Protection Act in India.
But a closer look at the incidents indicates that we should not see these incidents only as an information security issue and the responsibility of the ministry of electronics and information technology alone. This is the result of the failure of many other ministries such as finance, health and law. All these divisions must collaborate in taking steps to reduce the risk of such cyber attacks in future.
Many studies of data breach incidents around the world have indicated that designating a chief information security officer in an organisation significantly reduces the cost of data breaches. Similarly, operationalising the Data Protection Law and the Data Protection Authority is expected to have its own effect in reducing such incidents. In fact, it appears as if the hackers are in a hurry to complete their hacks before India passes the Personal Data Protection Bill (PDPB), 2019. Had the law been in force, companies such as Dr Reddy’s Laboratories, Dr Lal PathLabs or Breach Candy Hospital would have fortified their data protection system and possibly prevented the attack or mitigated its impact.
Incidentally, the finance ministry has two kinds of responsibilities associated with the mitigation of risks in such incidents. These are often completely off our radar. The first is to ensure that every company holding valuable data sees its value in the financial statements and balance sheets by tweaking the principles of accounting and disclosure.
It is estimated that the black market rate for medical data sets on the dark web is $250. Hence, a loss of one million data sets in a company like Dr Lal PathLabs means that the total value of assets compromised could be around Rs 1,750 crore.
Today, the fact that a company may hold that value of data as its asset is not visible to the company itself, its shareholders or SEBI. Hence, allocation of resources to secure this invisible asset would suffer. Like in the case of “goodwill” and other intangible assets, or “contingent liabilities” that are brought into balance sheets as “special reserves” or “contra entries”, there is a need to bring the value of a company’s data assets into the balance sheet for public disclosure.
If this system is followed, then the company management would be aware of the value of assets they hold, which have to be secured and insured even if it has a cost. If the value is visible, the company would also realise the value of following data protection principles such as restricting the collection of data to the purpose for which it is required and deleting used data after the purpose of its collection is accomplished.
If the data can be segregated into “personal” and “non-personal data” (including anonymised personal data) in the balance sheet, then the company can have even better visibility of its data assets from a data governance standpoint, including the value that can be unlocked from non-personal data and the value of anonymising personal data.
The finance ministry should, therefore, work with the Institute of Chartered Accountants to initiate a system of bringing data value into the books of accounts from the next financial year. It should also make data breaches less remunerative for data thieves.
Incidentally, the entire dark web economy is based on the use of cryptocurrencies like Bitcoin. Hence, if financial cyber crimes are to be reduced in the world, there is no option but to demonetise cryptocurrencies and criminalise their use. We need to recognise that Bitcoin is like the menace of narcotic drugs and can compromise bureaucracy, the government and even the judiciary. There is no cyber security without banning of Bitcoins and cryptocurrencies and the ministry of finance needs to realise this and act without further delay. The law ministry should assist the finance ministry and the RBI in bringing the necessary law for banning cryptocurrencies so that even the Supreme Court cannot legitimise this evil.
The health ministry has already introduced Electronic Health Record (EHR) guidelines which are as stringent as the Health Insurance Portability and Accountability Act regulations followed by hospitals in the US. Though the passage of PDPB 2019 would bring in similar regulations, the ministry can notify all private hospitals and large healthcare agencies to start implementing the suggestions of the EHR guidelines as a sectoral regulation which can be adopted as a ready “Code of Practice” under PDPB 2019.
The responsibility of CERT-IN has already been set under the Information Technology Act as the nodal agency for cyber security in the country. Cyber security cannot be complete without properly responding to data breach incidents in the private sector, for which there are enough directions and powers under Section 70B.
Questions have been raised in the media about why Dr Reddy’s Laboratories chose to shut down production at its facilities in the UK, the US, Brazil and India because of the cyber attack and whether this would be the trend in future. It must be recognised that when a major data breach occurs in a life-critical industry like pharma, action should be initiated to contain the damage first, then identify the root cause. Thereafter, action can be taken to eliminate the cause. This may require a temporary shutdown of operations to prevent further damage.
In the case of Dr Reddy’s, the responsibility was higher as the company is exposed not only to Indian laws, but also to the General Data Protection Regulation and Food and Drug Administration regulations. The management of Dr Reddy’s should be appreciated for taking the bold decision to close down its operations until the risk is identified and eliminated.
It is also necessary to flag one more risk that should be recognised because of the publicity gathered by these three data breaches. We are all aware of fake fire accidents that many unscrupulous organisations resort to in order to claim fire insurance. Similarly, it is possible for unscrupulous organisations to use “fake data thefts” to sell the personal data of citizens on the dark web. In the past, we have seen “data laundering” carried out through mergers and acquisitions where valuable data assets from Indian companies have been transferred to foreign entities. One example was how the ownership of CIBIL, owned by public sector banks having a huge treasure of sensitive personal data of Indian citizens, was surreptitiously transferred to a US company by the sale of shares by individual banks. Though this was a scam involving transfer of thousands of crores of data assets, the finance ministry never recognised the suspicious nature of this acquisition.
Similarly in the coming days, “fake data breaches” may also be used to siphon off data from Indian owners to a foreign company. It is for this reason that in all such major data breaches, CERT-IN should not remain silent and must conduct a mandatory inquiry to document the findings to rule out frauds by the management. A joint inter-ministerial task force is required to find a solution to prevent such data breaches in future.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru