An evidence-based investigation of cert-in's reporting on cyber-threats in healthcare sector

Abstract

The pandemic underscored the significance of a digital health system. Healthcare sector has become one of the most important infrastructures since then. Undoubtedly, the digital health is the ultimate way to ensure accessibility, inclusiveness and delivery of healthcare services in an affordable and efficient manner. However, rising cyber-threat is one of the biggest concerns for healthcare organizations. The data breach incidents on Indian Council of Medical Research and on Covid-19 vaccine database in 2023 highlight the utter need to address the issue. To mitigate such incidents, India has established Computer Emergency and Response Team (CERT-In) which has been endowed with primary responsibility to prevent, treat, respond and report such threats. Although, CERT-In is responsible to report any cyber-incident but there is no information concerning the affected organizations and on frequency and severity of such cyber-incidents. It is doubtful as to how any authority is supposed to respond in lack of data or policy makers formulate a comprehensive framework to deal with the issue. CERT-In faces challenges in accurately reporting cyber incidents and contain discrepancies compared to other organizations' data and lacking detailed incident information. This research aims to analyze government records and secondary sources to understand the cyber-threat landscape, particularly in the healthcare industry. Using normative and comparative methods, it suggests measures which can be adopted by CERT-In based on assessments of U.S. and E.U. reporting practices. Findings stress the need for improved reporting practices and transparency in cybersecurity assessments to enhance data accuracy and completeness, urging policymakers and stakeholders to take action against cyber threats.