IIM Lucknow Develops Healthcare Cyber Risk Assessment Model to Safeguard Patient Data

The research team at the Indian Institute of Management Lucknow, led by Prof Arunabha Mukhopadhyay, has developed a Healthcare Cyber Risk Assessment model to strengthen global healthcare systems against threats posed by cybercrime.

The model evaluates and mitigates the risks associated with cyberattacks, ensuring security of patient data and the uninterrupted provision of digital healthcare services for healthcare institutions.

The model critically supports Chief Information Officers (CIOs) in assessing risks and formulating tailored mitigation plans. Recommendations drawn from Rational Choice Theory and NIST standards encompass essential cybersecurity measures like firewalls, antivirus software, and comprehensive staff training. 

Additionally, the model includes vulnerability assessments, threat intelligence integration, and cyber insurance options to combat cyber threats effectively.

In an era where the healthcare sector increasingly relies on digital data, the vulnerability to cyberattacks has surged, especially during the COVID-19 pandemic. 

Digital health records house sensitive personal information, including government IDs (e.g., Aadhaar), medical histories, financial data, and insurance details, making healthcare organisations prime targets for cybercriminals.

The IIM Lucknow team has identified critical lapses in healthcare data security that cybercriminals exploit. They underlined that cyber threats are exacerbated when healthcare staff lack training to counter tactics like phishing and when IT governance and security technology are inadequately implemented.

Prof Mukhopadhyay elaborated on the Healthcare Cyber Risk Assessment Model, stating, "Our risk assessment and quantification models have allowed us to categorize 1788 US healthcare firms on a 'heat matrix,' showcasing the likelihood and potential severity of a cyberattack. This enables a clear understanding of the firm's preparedness to combat cyber threats. We also propose a customized plan to mitigate these risks based on the firm's position in the matrix."

The model, extendable to the Indian healthcare sector, features three primary components. Firstly, it aids CIOs in healthcare institutions to determine vulnerability to cyberattacks.

Secondly, it employs Collective Risk Modelling to assess the potential severity of cyberattacks, enabling hospitals to predict their impact. 

Finally, the model provides recommendations on how to mitigate and prevent cyberattacks.

Based on Rational Choice Theory and NIST standards, the recommendations advocate prioritising cybersecurity measures such as firewalls and antivirus solutions. 

For healthcare firms in high-risk quadrants of the heat matrix, practical cyberattack safeguards are suggested. These include data backup, staff anti-phishing training, senior management engagement, advocacy for cybersecurity laws, and investments in various cybersecurity technologies. 

Additionally, proactive threat response is facilitated through regular Vulnerability Assessment and Penetration Testing (VAPT) and threat intelligence integration. Obtaining insurance coverage to mitigate potential financial impacts is also presented.

This research, funded by the Cyber Security Division of the Ministry of Electronics and Information Technology, Government of India, has been published in the Journal of Organizational Computing and Electronic Commerce (ABDC A category). 

Co-authored by Prof Arunabha Mukhopadhyay and his research scholars, Swati Jain and Saloni Jain, the paper provides valuable insights into securing healthcare data. 

In parallel efforts toward ensuring the security of patient data and protecting against cyber threats, the Union Health Ministry of India has taken several significant steps in collaboration with the Indian Computer Emergency Response Team (CERT-In). 

This scheme was initiated in response to escalating concerns regarding data breaches and privacy violations in healthcare.