We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

Cybersecurity for Healthcare Providers in India

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Cybersecurity for Healthcare Providers in India

A ransomware crew does not care that you are a hospital. If anything, they like it more. When a manufacturer goes down, its trucks stop. When a hospital goes down, patients on ventilators are at risk, surgeries get cancelled, and the pressure to pay lands on the CEO within hours. That is exactly why healthcare has become one of the most attacked sectors in India, and why the ransom demands keep going up.

We have sat in the war room the morning after. The clinical staff are running a paper triage, the radiology PACS is encrypted, and someone from IT is quietly asking whether the last good backup is three days or three weeks old. Nobody in that room is talking about DPDP consent notices. They are trying to keep the hospital running. The compliance conversation comes later, and it is always harsher than it needed to be.

Why a hospital is a softer target than a bank

Banks have been living under RBI cyber directions for a decade. They have SOCs, segmentation, and money for it. Most Indian hospitals do not. The board treats IT as a cost centre that keeps the HIS running, not as a control function. That gap is precisely what the attacker exploits.

Healthcare carries a specific kind of risk that makes it valuable and fragile at the same time:

  • Patient records are the richest data going. A single record can carry name, Aadhaar or ABHA number, phone, address, diagnosis, prescriptions, and payment card details. On criminal markets a full health record fetches multiples of a stolen credit card, because it cannot be cancelled the way a card can.
  • Medical devices run on unpatched, embedded operating systems. Infusion pumps, MRI consoles, and lab analysers often run Windows 7 or an OEM build that the vendor forbids you from patching. They sit flat on the same network as billing.
  • Uptime is non-negotiable. You cannot take a cardiac ICU offline for a maintenance window. That kills the appetite for hardening.
  • Third parties are everywhere. Diagnostic labs, teleradiology partners, insurance TPAs, and cloud EMR vendors all touch patient data. Your breach is often their breach.
  • Staff turnover is high and security awareness is low. A nurse clicking a fake NEFT refund email is how most of these start.

The regulatory ground has shifted under you

Two years ago you could argue that health data protection in India was vague. That excuse is gone. Three things now govern how you handle patient data, and they interact.

The DPDP Act and its Rules

The Digital Personal Data Protection Act 2023 (DPDP) is the law. Health data is personal data under it, and there is no separate lighter regime for hospitals. A few things every provider should internalise:

  • You are a Data Fiduciary. You decide the purpose and means of processing patient data, so the accountability sits squarely with you, not your EMR vendor.
  • Consent must be specific, informed, and revocable, with a plain-language notice. The blanket admission-form tick box that covers everything from treatment to marketing will not survive.
  • A data principal (your patient) can ask for correction and erasure, and you must have a Consent Manager and grievance officer to handle it.
  • Personal data breach notification to the Data Protection Board is mandatory. The DPDP Rules set the reporting obligation, and it is not the leisurely timeline people assume. Treat it as time-critical.
  • Penalties run up to Rs 250 crore for failure to take reasonable security safeguards. That single line changes the board conversation faster than any technical argument.

ABDM and the ABHA ecosystem

If you connect to the Ayushman Bharat Digital Mission (ABDM), you are also bound by its Health Data Management Policy and the technical requirements to become an HIP or HIU (Health Information Provider or User). ABDM expects encryption in transit and at rest, consent-artefact-based sharing through the Consent Manager, audit logging of every access, and empanelment through the ABDM sandbox before you go to production. The ABHA number is a health identifier tied to identity, so treating it casually is a fast route to trouble.

CERT-In and sector norms

The CERT-In Directions of 28 April 2022 apply to you as much as to any other body corporate. The headline obligations that hospitals routinely miss:

  • Report specified cyber incidents to CERT-In within 6 hours of noticing them. Ransomware, data breaches, and unauthorised access to systems are all on the list.
  • Maintain system logs for a rolling period of 180 days within Indian jurisdiction.
  • Synchronise all clocks to NIC or NPL NTP servers, so your forensic timeline actually holds together.
  • Keep KYC and transaction records if you run any payment or data-broker function.
FrameworkWhat it governsThe obligation people miss
DPDP Act 2023 and RulesAny patient personal dataBreach notice to the Data Protection Board and a real consent notice
ABDM Health Data Management PolicyABHA-linked records, HIP or HIU roleConsent-artefact sharing and full access audit logs
CERT-In Directions 2022All connected systems6-hour incident reporting and 180-day log retention in India
NABH Digital Health standardsAccredited hospital ITAccess control, backup, and data-integrity evidence for the assessor

What actually happens: the Friday night ransomware call

Here is a composite from cases we have handled. A 350-bed multispecialty hospital. On a Friday around 9 pm, a billing operator opens an email claiming a rejected insurance claim needs re-verification, and enters credentials into a cloned portal. Nothing visible happens. Over the weekend the attacker moves laterally using those credentials, finds a domain admin account cached on an old workstation, and disables the backup agent.

Monday, 6 am. The HIS login fails. The PACS is encrypted. Screens across radiology, pharmacy, and the lab show a ransom note demanding payment in Bitcoin. The OPD queue is already building at the gate. By 8 am the hospital is on paper. Lab reports are handwritten, the pharmacy cannot see prescriptions, and two elective surgeries are postponed.

Now the compliance clock starts, and this is where unprepared hospitals bleed. CERT-In wants a report within 6 hours of noticing. DPDP requires breach notification to the Board. The team cannot even confirm whether patient data was copied out, because there was no data-loss monitoring and the logs rolled over after 30 days. The backup that IT was counting on was on a NAS that the attacker also encrypted, because it was reachable from the same network. Recovery from an offline copy takes 11 days. The regulator asks one uncomfortable question in writing: what reasonable security safeguards were in place before the incident. The honest answer is what determines the penalty.

None of the expensive part of this was the malware. It was the missing basics: no phishing-resistant login, a flat network, backups reachable from production, and logs too short to prove anything.

Five gaps that sink healthcare audits

When we assess a hospital or a health-tech platform, the same five findings come up again and again. Fix these and you are ahead of most of the sector.

1. Flat networks with medical devices on the billing LAN

An MRI console talking to the same switch as the reception desktop is the single most common critical finding. Medical devices cannot be patched, so they must be isolated. You need VLAN segmentation with the clinical device network firewalled off, and no direct internet path from those devices.

2. Backups that are not actually recoverable

Everyone has backups. Almost nobody tests restores. The attacker targets your backup infrastructure first. You need at least one immutable or offline copy that the production domain cannot reach, and a restore drill you have actually run against your HIS and PACS in the last quarter.

3. Shared logins and no privileged access control

A single reception login used by six people, and a domain admin password taped under a keyboard, defeat every other control. Individual accounts, multi-factor authentication on anything internet-facing, and a break-glass process for admin access are non-negotiable.

4. No log retention and no clock sync

When the incident hits, logs are the only thing standing between you and a total loss of forensic story. CERT-In mandates 180 days retained in India, with NTP synced to NIC or NPL. Most hospitals we see retain 15 to 30 days and have devices drifting minutes apart.

5. Vendor and API sprawl with no data-processing agreements

Teleradiology, lab integrations, TPAs, EMR clouds. Each one is a Data Processor under DPDP, and you owe a written contract that binds them to the same safeguards. Missing DPAs turn one vendor breach into your liability.

Control areaCommon state we findWhere you need to be
NetworkFlat, devices on billing LANSegmented VLANs, clinical devices isolated and firewalled
BackupOnline NAS, never test-restoredImmutable or offline copy, quarterly restore drill
IdentityShared logins, no MFANamed accounts, MFA on all external access, PAM for admins
Logging15 to 30 days, clocks drifting180 days in India, NTP to NIC or NPL
Third partiesHandshake integrations, no DPASigned data-processing agreements and vendor risk reviews

What a defensible security programme costs

Boards always ask for the number. There is no single answer, because a 50-bed nursing home and a 500-bed chain are different animals. But here are honest, current ranges for the Indian market so you can budget realistically. These are indicative, not quotes.

ActivityTypical INR rangeCadence
VAPT of HIS, PACS and public web or appRs 1.5 lakh to 6 lakhAt least annually and after major change
Network segmentation project (mid-size hospital)Rs 5 lakh to 20 lakhOne-time, then maintained
EDR or managed detection across endpointsRs 300 to 900 per endpoint per yearAnnual subscription
DPDP readiness and consent and notice frameworkRs 3 lakh to 10 lakhOne-time, reviewed yearly
Immutable backup and DR setupRs 4 lakh to 15 lakhOne-time plus recurring storage
Security awareness and phishing simulationRs 50,000 to 3 lakhOngoing, quarterly campaigns

Compare that to a single ransomware event. Between forced downtime, recovery labour, forensic and legal fees, possible ransom, patient churn, and a DPDP penalty that can reach Rs 250 crore, the incident dwarfs the prevention budget. We say this to every board: the cheapest security programme you will ever run is the one you build before the breach.

The order to fix things in

Do not try to boil the ocean. Sequence it so that the highest-impact, lowest-cost controls land first. A realistic 90-day arc for a mid-size provider looks like this.

PhaseWeeksFocus
Stop the bleeding1 to 4MFA on all external access, isolate backups offline, patch internet-facing systems
Contain and see5 to 8Network segmentation for medical devices, deploy EDR, extend log retention to 180 days
Prove and govern9 to 12VAPT, DPDP consent and breach playbook, incident response runbook, vendor DPAs

The fix-it checklist

If you do nothing else this quarter, work down this list in order. Every item here has stopped a real incident or saved a real audit.

  • Turn on multi-factor authentication for all remote access, admin accounts, and email today.
  • Confirm you have one backup copy that is offline or immutable, then actually restore it into a test HIS.
  • Move MRI, CT, PACS consoles, and other medical devices onto an isolated VLAN with no direct internet.
  • Set log retention to 180 days and sync every device clock to a NIC or NPL NTP server.
  • Write and rehearse a 6-hour CERT-In incident report drill so the first hour is not chaos.
  • Draft a real DPDP consent notice and a breach-notification runbook that names who calls the Data Protection Board.
  • Get signed data-processing agreements from every lab, teleradiology, TPA, and cloud partner.
  • Run a phishing simulation against your own staff and retrain the click-throughs.
  • Book an independent VAPT of your HIS, PACS, and any patient-facing portal or app.
  • Appoint a named grievance officer and publish how patients exercise their DPDP rights.

The point

The attacker who hits a hospital is betting on one thing: that keeping patients alive will always outrank keeping systems secure, so the basics never get done. That bet is usually right. Your job is to make it wrong, quietly, before Friday night, by getting segmentation, backups, identity, and logging in place while nobody is watching. The clinical mission and the security mission are the same mission. A hospital that cannot access its records cannot treat patients.

If you want a second set of eyes from people who have stood in that war room, our team at CyberSigma are senior CERT-In empanelled auditors and PCI QSAs who do this work hands-on for Indian hospitals and health-tech, from DPDP and ABDM readiness to VAPT and incident response. We are happy to walk your estate with you before an attacker does.

FAQs

Does the DPDP Act require hospitals to report data breaches?

Yes. Under the DPDP Act and Rules a hospital is a Data Fiduciary and must notify the Data Protection Board and affected patients of a personal data breach. Treat it as time-critical rather than something you file at leisure, and have a runbook that names who makes the call and what evidence you attach.

What is the CERT-In 6-hour rule and does it apply to us?

The CERT-In Directions of 2022 require any body corporate, including hospitals, to report specified cyber incidents such as ransomware, unauthorised access, and data breaches within 6 hours of noticing them. You must also keep logs for 180 days within India and sync clocks to NIC or NPL NTP servers.

We connect to ABDM. What extra security do we owe?

As an HIP or HIU under ABDM you must follow the Health Data Management Policy: encryption in transit and at rest, sharing only against a valid consent artefact through the Consent Manager, full audit logging of every access to a health record, and clearing the ABDM sandbox and empanelment before production.

How much should a mid-size hospital budget for cybersecurity?

As a rough guide, expect annual VAPT of Rs 1.5 to 6 lakh, EDR at roughly Rs 300 to 900 per endpoint per year, network segmentation of Rs 5 to 20 lakh one-time, and DPDP readiness of Rs 3 to 10 lakh. Against a ransomware event and a DPDP penalty of up to Rs 250 crore, prevention is far cheaper.

Why are medical devices such a big risk?

Devices like MRI consoles, infusion pumps, and lab analysers run embedded, often unpatchable operating systems that vendors forbid you from modifying. If they sit on the same flat network as billing, one compromised desktop can reach them. The fix is isolation on a segmented VLAN with no direct internet access, not patching.

Our EMR is on the vendor's cloud. Are they responsible for a breach?

Under DPDP your cloud EMR vendor is a Data Processor, but you remain the Data Fiduciary and stay accountable to your patients and the regulator. You need a signed data-processing agreement that binds the vendor to equivalent safeguards, plus your own controls for access, monitoring, and breach handling.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205