AIIMS Delhi: Held to ransom by cyber attack
The perpetrators held around 4 crore patient profiles at ransom – including sensitive data and medical records of VIPs.
In the modern world, data has become a new asset. It runs companies, state and nations.
Data is the new oil.
Five days ago, India’s top public health institute – AIIMS Delhi – came under attack by cybercriminals, crippling routine health services which the institute provides of tens of thousands of patients.
The cyberattack has frozen AIIMS’ e-hospital system – including appointments and registration at outpatient departments (OPD), billing at inpatient departments (IPD), laboratory report generation, and smart lab, among others.
The outages have resulted in long queues and errors in handling emergency cases. According to the institute, a ransomware attack has corrupted all the files stored on the main and backup servers of the hospital.
The perpetrators held around 4 crore patient profiles at ransom – including sensitive data and medical records of VIPs. The exploited databases contain Personally Identifiable Information (PII) of patients and healthcare workers, and administrative records kept on blood donors, ambulances, vaccination, caregivers and employee login credentials.
The extent and threat of the attack is so much that multiple agencies like Delhi Police, the Centre’s Computer Emergency Response Team (CERT), the Ministry of Home Affairs, and even the National Investigation Agency have joined the probe. However, they haven’t been able to fully crack the case.
The attack, believed to be a major one, comes within a month after AIIMS announced that it would go paperless from January 1, 2023, and be fully digitised by April 2023.
However, AIIMS is no stand-alone case. Cyber threat watchdog CloudSEK said the Indian healthcare sector was the second most targeted by cybercriminals worldwide. Research by the company showed that health organisations witnessed a massive spike in cyber attacks during the pandemic. “In the first four months of 2022, the number of cyber attacks on the sector rose by 95.34 per cent compared to the same period in 2021,” its study said.
According to Indusface, a software security company, there were more than 1 million cyber attacks of various types across Indusface’s global healthcare clientele. Of these, 278,000 attacks were reported in India alone.
What is a cyberattack?
For the unversed, a cyber-attack is any attempt to gain unauthorised access to a computer, computing system or computer network with the intent to cause damage. Cyber attacks aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems. Any individual or group can launch a cyber attack from anywhere by using one or more various attack strategies.
In AIIMS, cybercriminals have unleashed Ransomware, malware designed to deny a user or organisation access to files. A user or organisation’s critical data is encrypted so that they cannot access files, databases, or applications. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files Those behind the cyber attack in AIIMS have warned the institute to prepare for a negotiation. “A protonmail address has been left for the institute for communication. An undisclosed demand has been sought in cryptocurrency in exchange for a key that would decrypt the data,” sources informed.
Experts suggest that with everything going online, the extent of cyberattacks and their strategies would evolve, however, to neutralise that threat, entities would also have to progress in cyber safety. “Sectors which are critical to a nation will remain on target. Sooner or later, things will go online and whatever service is online is becoming a target. We saw something happening in the power and IT sectors. Now the health sector is at the fore,” said Muktesh Chander IPS, former DGP Goa and Chevening Cyber Security Fellow, UK He has done his PhD in information security from IIT Delhi.
“For the ease of doing business, entities shift to online and roll out service digitally in a hurry. However, not enough attention is drawn to creating and adopting mandatory cyber security measures to secure data,” he said. Experts have drawn the comparison of AIIMS cyber attack with NHS England where a similar ransomware attack had crippled the medical service in the country for 15 days.
On May 12, the “WannaCry” ransomware began affecting dozens of facilities under the UK’s National Health Service (NHS). More than 60 NHS trusts were hit. Many facilities could not access patient records, leading to delays of non-urgent surgeries and cancelled patient appointments.
“But did we learn a lesson?’ asked Chander.
“The pitfall of cybersecurity is that measures are never enough. And we claim that we took all the measures then they were not adequate. Otherwise, such incidents would not have happened,” he said.
Officials involved in the AIIMS case said on the condition of anonymity that firewalls raised in the network to prevent servers from cyberattack were outdated.
Threat analysis and timely safety audit should be norm
In the aftermath of the AIIMS incident, experts have said that organisations are supposed to take precautions to avoid incidents of cyberattack. “For all the networks which are currently running is being build-up, a vulnerability report should be generated followed by an audit which will highlight the loopholes. Besides, an annual review of the software should also be conducted, as and when the software is changed/updated, whichever is earlier. CERT-empanelled independent agencies are empowered for this task and every entity is supposed to carry this out. Though it’s not mandatory but a provision for this is already in the Digital Personal Data Protection Bill, 2022,” Chander highlighted.
For better understanding, the retired IPS drew a parallel of cyber safety to road safety. “It is similar to road construction. A road safety audit is done before its construction to avoid any accident which design and quality of the road could cause” Chander said.
He also said that a written down documented cybersecurity policy should be in place. “When did the last audit happen and what were the recommendations? Did we address all the concerns and modified the network safety as per the recommendations? All departments carry out audits anyway to check their functioning. The same should be followed in cyber safety. These are the pertinent questions every organisation must ask in the aftermath of the AIIMS incident,” he said.
Awareness is key
The awareness on cyber safety among general public is almost negligible. The majority have no idea what value their personal data holds or what vulnerabilities it could generate if accessed by rouge agents.
“One can say how Aadhaar or voter ID card number getting into public domain can affect an individual. It’s anyway in the hands of many entities like banks to verify ID or address of its customers.
However, little do they know that unregulated access can lead to identity theft which helps fraudsters in doing financial frauds, imposing a person to commit a crime and many other illegal activities. Sensitive records can also be used to demand ransom which is what being reported in AIIMS’ case,” Chander said.
Meanwhile, other hospitals which are planning to adopt a totally digital system for functioning are now more alert post-incident. “What happened at AIIMS raises big concerns on data safety of patients as well as hospital’s operations. We will call a meeting with the National Informatics Centre and our computer staff to discuss what preventive steps we could take to avert such a situation. We will discuss how to manage server outages,’ said B L Sherwal, Medical Superintendent, Safdarjung Hospital
Hospital which too has mooted to integrate its system to the e-hospital manual.
On the challenge of securing online data, Dr Subhash Giri said, “The attack on AIIMS has brought the vulnerability of online data to the fore. Keeping data safe is a challenge. We need high-protection passwords and other updated security measures to minimise the risks of hacking. We strictly follow cyber security guidelines and would give impetus to secure practices at our Hospital Information Management System.”
Dr Giri is Medical Director, Guru Tegh Bahadur Hospital and Rajiv Gandhi Super Speciality Hospital.
When UK hosps shut down for 15 days
After hackers hit AIIMS, experts drew a comparison to the ransomware attack that hit UK’s National Health Service (NHS)
15 days the outage crippled medical services for 15 days in the island nation
On May 12
“WannaCry” ransomware began affecting dozens of NHS facilities
60+ NHS trusts were hit
The WannaCry ransomware
- Many facilities could not access patient records
- Delays ensued with non-urgent surgeries and
- Patient appointments were cancelled
- Hospitals had to divert ambulances to other facilities
A major data breach at AIIMS plays up the vulnerability and challenges of safekeeping data online. The top institute’s database, 4 crore patient profiles included, are held to ransom less than months after it announced a major digital push. As the govt is reminded that India needs to gain ground on cyber security, experts tell Ashish Srivastava that the pitfall of cyber security is that measures are never enough