Cybersecurity for Healthcare Providers in India
A ransomware crew does not care that you are a hospital. If anything, they like it more. When a manufacturer goes down, its trucks stop. When a hospital goes down, patients on ventilators are at risk, surgeries get cancelled, and the pressure to pay lands on the CEO within hours. That is exactly why healthcare has become one of the most attacked sectors in India, and why the ransom demands keep going up.
We have sat in the war room the morning after. The clinical staff are running a paper triage, the radiology PACS is encrypted, and someone from IT is quietly asking whether the last good backup is three days or three weeks old. Nobody in that room is talking about DPDP consent notices. They are trying to keep the hospital running. The compliance conversation comes later, and it is always harsher than it needed to be.
Why a hospital is a softer target than a bank
Banks have been living under RBI cyber directions for a decade. They have SOCs, segmentation, and money for it. Most Indian hospitals do not. The board treats IT as a cost centre that keeps the HIS running, not as a control function. That gap is precisely what the attacker exploits.
Healthcare carries a specific kind of risk that makes it valuable and fragile at the same time:
- Patient records are the richest data going. A single record can carry name, Aadhaar or ABHA number, phone, address, diagnosis, prescriptions, and payment card details. On criminal markets a full health record fetches multiples of a stolen credit card, because it cannot be cancelled the way a card can.
- Medical devices run on unpatched, embedded operating systems. Infusion pumps, MRI consoles, and lab analysers often run Windows 7 or an OEM build that the vendor forbids you from patching. They sit flat on the same network as billing.
- Uptime is non-negotiable. You cannot take a cardiac ICU offline for a maintenance window. That kills the appetite for hardening.
- Third parties are everywhere. Diagnostic labs, teleradiology partners, insurance TPAs, and cloud EMR vendors all touch patient data. Your breach is often their breach.
- Staff turnover is high and security awareness is low. A nurse clicking a fake NEFT refund email is how most of these start.
The regulatory ground has shifted under you
Two years ago you could argue that health data protection in India was vague. That excuse is gone. Three things now govern how you handle patient data, and they interact.
The DPDP Act and its Rules
The Digital Personal Data Protection Act 2023 (DPDP) is the law. Health data is personal data under it, and there is no separate lighter regime for hospitals. A few things every provider should internalise:
- You are a Data Fiduciary. You decide the purpose and means of processing patient data, so the accountability sits squarely with you, not your EMR vendor.
- Consent must be specific, informed, and revocable, with a plain-language notice. The blanket admission-form tick box that covers everything from treatment to marketing will not survive.
- A data principal (your patient) can ask for correction and erasure, and you must have a Consent Manager and grievance officer to handle it.
- Personal data breach notification to the Data Protection Board is mandatory. The DPDP Rules set the reporting obligation, and it is not the leisurely timeline people assume. Treat it as time-critical.
- Penalties run up to Rs 250 crore for failure to take reasonable security safeguards. That single line changes the board conversation faster than any technical argument.
ABDM and the ABHA ecosystem
If you connect to the Ayushman Bharat Digital Mission (ABDM), you are also bound by its Health Data Management Policy and the technical requirements to become an HIP or HIU (Health Information Provider or User). ABDM expects encryption in transit and at rest, consent-artefact-based sharing through the Consent Manager, audit logging of every access, and empanelment through the ABDM sandbox before you go to production. The ABHA number is a health identifier tied to identity, so treating it casually is a fast route to trouble.
CERT-In and sector norms
The CERT-In Directions of 28 April 2022 apply to you as much as to any other body corporate. The headline obligations that hospitals routinely miss:
- Report specified cyber incidents to CERT-In within 6 hours of noticing them. Ransomware, data breaches, and unauthorised access to systems are all on the list.
- Maintain system logs for a rolling period of 180 days within Indian jurisdiction.
- Synchronise all clocks to NIC or NPL NTP servers, so your forensic timeline actually holds together.
- Keep KYC and transaction records if you run any payment or data-broker function.
| Framework | What it governs | The obligation people miss |
|---|---|---|
| DPDP Act 2023 and Rules | Any patient personal data | Breach notice to the Data Protection Board and a real consent notice |
| ABDM Health Data Management Policy | ABHA-linked records, HIP or HIU role | Consent-artefact sharing and full access audit logs |
| CERT-In Directions 2022 | All connected systems | 6-hour incident reporting and 180-day log retention in India |
| NABH Digital Health standards | Accredited hospital IT | Access control, backup, and data-integrity evidence for the assessor |
What actually happens: the Friday night ransomware call
Here is a composite from cases we have handled. A 350-bed multispecialty hospital. On a Friday around 9 pm, a billing operator opens an email claiming a rejected insurance claim needs re-verification, and enters credentials into a cloned portal. Nothing visible happens. Over the weekend the attacker moves laterally using those credentials, finds a domain admin account cached on an old workstation, and disables the backup agent.
Monday, 6 am. The HIS login fails. The PACS is encrypted. Screens across radiology, pharmacy, and the lab show a ransom note demanding payment in Bitcoin. The OPD queue is already building at the gate. By 8 am the hospital is on paper. Lab reports are handwritten, the pharmacy cannot see prescriptions, and two elective surgeries are postponed.
Now the compliance clock starts, and this is where unprepared hospitals bleed. CERT-In wants a report within 6 hours of noticing. DPDP requires breach notification to the Board. The team cannot even confirm whether patient data was copied out, because there was no data-loss monitoring and the logs rolled over after 30 days. The backup that IT was counting on was on a NAS that the attacker also encrypted, because it was reachable from the same network. Recovery from an offline copy takes 11 days. The regulator asks one uncomfortable question in writing: what reasonable security safeguards were in place before the incident. The honest answer is what determines the penalty.
None of the expensive part of this was the malware. It was the missing basics: no phishing-resistant login, a flat network, backups reachable from production, and logs too short to prove anything.
Five gaps that sink healthcare audits
When we assess a hospital or a health-tech platform, the same five findings come up again and again. Fix these and you are ahead of most of the sector.
1. Flat networks with medical devices on the billing LAN
An MRI console talking to the same switch as the reception desktop is the single most common critical finding. Medical devices cannot be patched, so they must be isolated. You need VLAN segmentation with the clinical device network firewalled off, and no direct internet path from those devices.
2. Backups that are not actually recoverable
Everyone has backups. Almost nobody tests restores. The attacker targets your backup infrastructure first. You need at least one immutable or offline copy that the production domain cannot reach, and a restore drill you have actually run against your HIS and PACS in the last quarter.
3. Shared logins and no privileged access control
A single reception login used by six people, and a domain admin password taped under a keyboard, defeat every other control. Individual accounts, multi-factor authentication on anything internet-facing, and a break-glass process for admin access are non-negotiable.
4. No log retention and no clock sync
When the incident hits, logs are the only thing standing between you and a total loss of forensic story. CERT-In mandates 180 days retained in India, with NTP synced to NIC or NPL. Most hospitals we see retain 15 to 30 days and have devices drifting minutes apart.
5. Vendor and API sprawl with no data-processing agreements
Teleradiology, lab integrations, TPAs, EMR clouds. Each one is a Data Processor under DPDP, and you owe a written contract that binds them to the same safeguards. Missing DPAs turn one vendor breach into your liability.
| Control area | Common state we find | Where you need to be |
|---|---|---|
| Network | Flat, devices on billing LAN | Segmented VLANs, clinical devices isolated and firewalled |
| Backup | Online NAS, never test-restored | Immutable or offline copy, quarterly restore drill |
| Identity | Shared logins, no MFA | Named accounts, MFA on all external access, PAM for admins |
| Logging | 15 to 30 days, clocks drifting | 180 days in India, NTP to NIC or NPL |
| Third parties | Handshake integrations, no DPA | Signed data-processing agreements and vendor risk reviews |
What a defensible security programme costs
Boards always ask for the number. There is no single answer, because a 50-bed nursing home and a 500-bed chain are different animals. But here are honest, current ranges for the Indian market so you can budget realistically. These are indicative, not quotes.
| Activity | Typical INR range | Cadence |
|---|---|---|
| VAPT of HIS, PACS and public web or app | Rs 1.5 lakh to 6 lakh | At least annually and after major change |
| Network segmentation project (mid-size hospital) | Rs 5 lakh to 20 lakh | One-time, then maintained |
| EDR or managed detection across endpoints | Rs 300 to 900 per endpoint per year | Annual subscription |
| DPDP readiness and consent and notice framework | Rs 3 lakh to 10 lakh | One-time, reviewed yearly |
| Immutable backup and DR setup | Rs 4 lakh to 15 lakh | One-time plus recurring storage |
| Security awareness and phishing simulation | Rs 50,000 to 3 lakh | Ongoing, quarterly campaigns |
Compare that to a single ransomware event. Between forced downtime, recovery labour, forensic and legal fees, possible ransom, patient churn, and a DPDP penalty that can reach Rs 250 crore, the incident dwarfs the prevention budget. We say this to every board: the cheapest security programme you will ever run is the one you build before the breach.
The order to fix things in
Do not try to boil the ocean. Sequence it so that the highest-impact, lowest-cost controls land first. A realistic 90-day arc for a mid-size provider looks like this.
| Phase | Weeks | Focus |
|---|---|---|
| Stop the bleeding | 1 to 4 | MFA on all external access, isolate backups offline, patch internet-facing systems |
| Contain and see | 5 to 8 | Network segmentation for medical devices, deploy EDR, extend log retention to 180 days |
| Prove and govern | 9 to 12 | VAPT, DPDP consent and breach playbook, incident response runbook, vendor DPAs |
The fix-it checklist
If you do nothing else this quarter, work down this list in order. Every item here has stopped a real incident or saved a real audit.
- Turn on multi-factor authentication for all remote access, admin accounts, and email today.
- Confirm you have one backup copy that is offline or immutable, then actually restore it into a test HIS.
- Move MRI, CT, PACS consoles, and other medical devices onto an isolated VLAN with no direct internet.
- Set log retention to 180 days and sync every device clock to a NIC or NPL NTP server.
- Write and rehearse a 6-hour CERT-In incident report drill so the first hour is not chaos.
- Draft a real DPDP consent notice and a breach-notification runbook that names who calls the Data Protection Board.
- Get signed data-processing agreements from every lab, teleradiology, TPA, and cloud partner.
- Run a phishing simulation against your own staff and retrain the click-throughs.
- Book an independent VAPT of your HIS, PACS, and any patient-facing portal or app.
- Appoint a named grievance officer and publish how patients exercise their DPDP rights.
The point
The attacker who hits a hospital is betting on one thing: that keeping patients alive will always outrank keeping systems secure, so the basics never get done. That bet is usually right. Your job is to make it wrong, quietly, before Friday night, by getting segmentation, backups, identity, and logging in place while nobody is watching. The clinical mission and the security mission are the same mission. A hospital that cannot access its records cannot treat patients.
If you want a second set of eyes from people who have stood in that war room, our team at CyberSigma are senior CERT-In empanelled auditors and PCI QSAs who do this work hands-on for Indian hospitals and health-tech, from DPDP and ABDM readiness to VAPT and incident response. We are happy to walk your estate with you before an attacker does.
FAQs
Does the DPDP Act require hospitals to report data breaches?
Yes. Under the DPDP Act and Rules a hospital is a Data Fiduciary and must notify the Data Protection Board and affected patients of a personal data breach. Treat it as time-critical rather than something you file at leisure, and have a runbook that names who makes the call and what evidence you attach.
What is the CERT-In 6-hour rule and does it apply to us?
The CERT-In Directions of 2022 require any body corporate, including hospitals, to report specified cyber incidents such as ransomware, unauthorised access, and data breaches within 6 hours of noticing them. You must also keep logs for 180 days within India and sync clocks to NIC or NPL NTP servers.
We connect to ABDM. What extra security do we owe?
As an HIP or HIU under ABDM you must follow the Health Data Management Policy: encryption in transit and at rest, sharing only against a valid consent artefact through the Consent Manager, full audit logging of every access to a health record, and clearing the ABDM sandbox and empanelment before production.
How much should a mid-size hospital budget for cybersecurity?
As a rough guide, expect annual VAPT of Rs 1.5 to 6 lakh, EDR at roughly Rs 300 to 900 per endpoint per year, network segmentation of Rs 5 to 20 lakh one-time, and DPDP readiness of Rs 3 to 10 lakh. Against a ransomware event and a DPDP penalty of up to Rs 250 crore, prevention is far cheaper.
Why are medical devices such a big risk?
Devices like MRI consoles, infusion pumps, and lab analysers run embedded, often unpatchable operating systems that vendors forbid you from modifying. If they sit on the same flat network as billing, one compromised desktop can reach them. The fix is isolation on a segmented VLAN with no direct internet access, not patching.
Our EMR is on the vendor's cloud. Are they responsible for a breach?
Under DPDP your cloud EMR vendor is a Data Processor, but you remain the Data Fiduciary and stay accountable to your patients and the regulator. You need a signed data-processing agreement that binds the vendor to equivalent safeguards, plus your own controls for access, monitoring, and breach handling.
Liked the post? Share on:





Leave A Comment