
Healthcare Cybersecurity India: HIPAA and DPDP Guide

Indian hospitals, diagnostic chains, health-tech platforms and medical device vendors increasingly serve both Indian patients (DPDP Act in force) and US-linked covered entities or business associates (HIPAA in force). The two frameworks overlap meaningfully and diverge sharply where they do not. Here is the dual-compliance guide our healthcare practice applies on real engagements.

Published 23 May 2026 · 9 min read · Codesecure Industry Practice

Key Takeaways

  • Healthcare is the highest-targeted Indian sector for ransomware in 2024 and 2025. EHR encryption disrupts patient care directly; the ransom decision is genuinely time-pressured.
  • HIPAA applies to Indian entities when they process Protected Health Information of US patients (covered entities and business associates). Indian health-tech serving US providers is in scope.
  • DPDP Act 2023 applies to every Indian healthcare entity processing personal data of Indian residents. Section 8 requires reasonable security safeguards, and the Act adds a breach notification duty.
  • Medical devices are the under-tested surface. Networked imaging, monitors, infusion pumps and PACS are routinely exposed.
  • Dual compliance roadmap: a single controls library mapped to both the HIPAA Safeguards and DPDP Section 8 saves 30 to 40 percent versus running the two programmes separately.

Why Healthcare Is The Top Cyber Target in India

Indian healthcare combines the conditions that attackers optimise for: high-value data (patient records, insurance claim data, payment information), low patience for disruption (operating theatres, A&E, ICU cannot wait for backup restoration), historically under-invested IT (many hospitals run their EHR on Windows Server 2012 R2 or worse), and weak segmentation between clinical, administrative and biomedical networks. Multiple high-profile ransomware incidents at major Indian hospital chains and AIIMS in 2022 to 2024 made this concrete.

The threat actors are commercial ransomware affiliates (Akira, LockBit splinters, BlackSuit, Medusa, Royal) plus opportunistic operators. Initial access patterns mirror other sectors: phishing, exposed RDP and VPN, unpatched internet-facing systems. Lateral movement is faster than in other sectors because healthcare networks are flatter on average. Containment is harder because the customer cannot simply shut down systems while patients are mid-procedure.

EHR, PACS and Hospital Information System Risks

The core clinical systems (Hospital Information System / HIS, Electronic Health Record / EHR, Picture Archiving and Communication System / PACS for imaging, Laboratory Information System / LIS, Pharmacy Information System / PIS) sit at the centre of operations and at the centre of risk. Common findings in our engagements: shared workstation accounts at nursing stations, EHR database servers reachable from the corporate user network, PACS DICOM servers exposed to the internet (often unintentionally, through a misconfigured firewall), default credentials retained on imaging modalities, and HIS application admin consoles with weak or no MFA.

Mitigation priorities: segment clinical networks from corporate and guest, enforce role-based access (clinician, nurse, lab tech, admin) with named accounts, deploy MFA on every EHR and HIS login, patch the underlying platform on a managed cadence (with vendor coordination where the EHR vendor controls the supported OS version), and ensure PACS DICOM ports (104, 11112) are not reachable from outside the clinical zone.


Ransomware Preparedness for Indian Hospitals

Hospital ransomware response is uniquely constrained. Encrypting patient records mid-shift means clinicians switch to paper, lab and imaging orders are handled manually, and the longer recovery takes the more patient outcomes are at stake. Our recommended hospital preparation focuses on three areas: clinical continuity (paper procedures rehearsed, downtime forms printed and pre-stocked, lab and imaging workflows that work without IT), backup integrity (offline immutable backups of EHR, PACS, LIS, with quarterly tested restoration), and pre-positioned external IR retainer with a defined response SLA.

Most Indian hospitals that suffered ransomware incidents in 2023 to 2025 were back to partial clinical operations within 48 to 72 hours. Full IT restoration took 2 to 6 weeks. The clinical-continuity layer is what kept patient harm low; the technical layer is what determined business cost.

Medical Device Security

Networked medical devices are the under-tested surface in every hospital engagement we run: imaging modalities (CT, MRI, X-Ray, Ultrasound), patient monitoring, infusion pumps, anaesthesia machines, dialysis machines, lab analysers and, increasingly, wearable sensors. Many run vendor-locked operating systems that cannot be patched without vendor coordination, many ship with default credentials documented in vendor manuals, and many were never designed to coexist on a hostile network.

Defensive approach: dedicated medical device VLAN with firewall enforcement (no general user network reachability), inventory every networked device including vendor / model / firmware version / patch status, escalate to the vendor for unpatched CVEs, segment patient monitoring from non-monitoring traffic, and run a representative-device pentest per engagement to surface configuration drift. Codesecure runs medical device pentests in coordination with the vendor where required and produces evidence acceptable to HIPAA risk analysis and DPDP Section 8 reasonable security safeguards documentation.

HIPAA Safeguards for Indian Health-Tech Serving US

Indian health-tech companies (revenue cycle management, medical transcription, telemedicine platforms, AI diagnostic services) frequently serve US covered entities as business associates. The Business Associate Agreement (BAA) makes the Indian company directly liable for HIPAA compliance for the data it processes.

The HIPAA Security Rule prescribes three categories of safeguards. Administrative: security management process, workforce security, training, contingency plan, security incident procedures. Physical: facility access controls, workstation security, device and media controls. Technical: access control, audit controls, integrity, transmission security. Codesecure delivers BAA-readiness engagements that map each Required and Addressable specification to a concrete control implemented in the Indian operations, with evidence the covered-entity client can verify.


DPDP Act 2023 Health Data Obligations

DPDP Act 2023 applies to every Indian healthcare entity processing personal data of Indian residents. The Section 8 reasonable security safeguards are the operational requirement, breach notification to the Data Protection Board and to affected data principals is the response requirement, and the Significant Data Fiduciary (SDF) designation may apply to large hospital chains or major health-tech platforms.

Practical implications: explicit consent for data processing including the lawful purposes, data minimisation in clinical workflows (do not capture more than is required), data principal rights operationalised (access, correction, erasure where lawful), a retention schedule per data class, a breach response workflow that satisfies both DPDP and any sector regulator (NMC, MoHFW guidance), and, where the entity is designated an SDF, likely a DPO appointment.

Dual compliance with HIPAA and DPDP is achievable through a single controls library. Roughly 60 to 70 percent of controls overlap. Codesecure delivers integrated dual-compliance programmes for Indian health-tech.

Staff Awareness and Third-Party Vendor Risk

Clinical staff are not security professionals. Phishing simulations show clinical and reception staff click rates of 15 to 30 percent in baseline assessments, dropping to 3 to 8 percent after 12 months of structured awareness. Awareness is the highest-ROI hospital control after segmentation.

Third-party vendor risk is broad: EHR vendor, PACS vendor, satcom for remote sites, telemedicine platform, lab integration partner, insurance TPA, payment gateway, biomedical equipment vendor. Each is a potential pivot. The vendor register, signed BAAs (HIPAA) and DPDP-aligned data processing agreements, annual vendor attestation, and vendor cyber incident notification clauses are the operational controls. Many hospital engagements reveal that the vendor register is incomplete by 30 to 50 percent at first scan.


Frequently Asked Questions

Does HIPAA apply to my hospital in India?

Directly, only if you handle Protected Health Information of US patients (typically as a business associate to a US covered entity, or as a US-licensed telemedicine operator). For Indian patient data, DPDP Act 2023 is the primary obligation, with sector-specific NMC and MoHFW expectations also applying.

Can we do HIPAA and DPDP together?

Yes, and we recommend it. A unified controls library mapped to HIPAA Administrative, Physical and Technical Safeguards plus DPDP Section 8 reasonable security safeguards saves 30 to 40 percent in effort versus running the two programmes separately. Codesecure delivers integrated engagements with named consultants.

How do we secure networked medical devices we cannot patch?

Compensating controls: dedicated VLAN with firewall enforcement, no user-network reachability, no internet egress except to the vendor's documented endpoints, regular vendor patch advisories tracked, and quarterly device-network monitoring for anomalous behaviour. Escalate to the vendor for any unpatched critical CVE and consider replacement if the vendor is unresponsive.
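As an added example (not Codesecure's tooling and not from the original post), the segmentation rules from the Medical Device Security section and this answer expressed as a policy audit over a constructed flow log: DICOM ports 104 and 11112 reachable only from the clinical and device zones, no user-network reachability into the medical-device VLAN, and device-VLAN egress only to the vendor's documented endpoints. The zone address ranges, the vendor range and every log record are constructed placeholders.

```python
# Segmentation audit over a constructed flow log of permitted connections,
# checking the zoning rules described in the text for a hospital network.
from ipaddress import ip_address, ip_network

DICOM_PORTS = {104, 11112}
TRUSTED = {"clinical", "biomedical"}   # zones allowed to reach PACS / devices

# Constructed zone addressing; real hospital networks will differ.
ZONES = {
    "clinical": ip_network("10.10.0.0/16"),     # HIS / EHR / PACS / LIS servers
    "biomedical": ip_network("10.20.0.0/16"),   # medical-device VLAN
    "corporate": ip_network("10.30.0.0/16"),
    "guest": ip_network("10.40.0.0/16"),
}
VENDOR_EGRESS = [ip_network("203.0.113.0/24")]  # placeholder vendor support range

# Constructed log, one "<src> <dst> <dst_port>" record per permitted flow.
FLOW_LOG = """\
10.20.3.11 10.10.5.20 104
10.40.1.15 10.10.5.20 104
10.30.7.2 10.20.3.11 22
10.20.3.11 203.0.113.10 443
10.20.3.11 198.51.100.9 443
198.51.100.50 10.10.5.20 11112
10.30.7.2 10.10.8.4 443
""".splitlines()

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def check_flow(src, dst, dport):
    """Return the rule a permitted flow breaks, or None if it complies."""
    sz, dz = zone_of(src), zone_of(dst)
    if dport in DICOM_PORTS and sz not in TRUSTED:
        return "DICOM reachable from outside the clinical zone"
    if dz == "biomedical" and sz not in TRUSTED:
        return "user network reaches medical-device VLAN"
    if sz == "biomedical" and dz == "internet" and not any(
            ip_address(dst) in net for net in VENDOR_EGRESS):
        return "device egress to non-vendor endpoint"
    return None

def audit(lines):
    """Return [(record, reason)] for every permitted flow that breaks policy."""
    findings = []
    for line in lines:
        src, dst, dport = line.split()
        if reason := check_flow(src, dst, int(dport)):
            findings.append((line, reason))
    return findings
```

Run against the constructed log it flags four of the seven flows; the same check can be pointed at exported firewall or NetFlow records once the zone table reflects the real addressing.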

What is the realistic ransomware recovery time for a hospital?

Partial clinical operations are restored on paper procedures within 24 to 48 hours where staff are drilled. Full IT recovery typically takes 1 to 4 weeks depending on backup integrity and EHR vendor coordination. Codesecure delivers hospital-specific ransomware tabletop exercises and IR retainers.

Do you do hospital pentest including medical devices?

Yes. Engagements cover the EHR, HIS, PACS, network segmentation, internet-facing infrastructure, clinical user devices and a representative medical device class (in coordination with the device vendor where required). Reports map to HIPAA and DPDP and serve customer audit, regulator and insurer expectations.

How much does healthcare cybersecurity cost?

Annual cybersecurity spend for Indian hospitals typically lands at 1 to 3 percent of IT budget, often less. Mature health-tech companies serving US covered entities typically run 4 to 7 percent. The cost of one ransomware incident easily exceeds five years of this investment.


Codesecure Industry Practice

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers sector-specific cybersecurity for healthcare, banking and fintech, manufacturing, e-commerce, education, legal and insurance customers across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.
