On November 23 this year, the premier medical institute in the country, the All India Institute of Medical Sciences New Delhi (AIIMS), was crippled by a major cyberattack. Most of its servers stopped working, as did the eHospital network managed by the National Informatics Centre (NIC). All functions, including the emergency, out-patient, in-patient and laboratory wings, had to be shifted to manual management. This has continued for more than a week as the huge number of servers across the institute were identified, sanitised and restored. While a case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police on November 25, the police denied that AIIMS had reported to them a demand for Rs 200 crores in cryptocurrency, as is typically seen in a ransomware attack. It therefore becomes all the more critical to understand the motive behind the attack and to review cyber security preparedness across organisations and systems.
Cyber attacks on medical institutes are becoming common, and the pandemic was a turning point: hackers and criminal syndicates realised how dependent these institutes are on digital systems, both to run medical functions and to store and handle large volumes of patient data, including reports. Such a situation raises concerns of both security and privacy. This is why most countries define the health and medical sector as critical information (CI) infrastructure.
In India, while health is not specified directly as a CI, an organisation like AIIMS New Delhi could be counted as a “strategic and public enterprise”, as it deals with crores of patients, including the top leadership of the country, and treats around 38 lakh patients every year. It also handles and stores very sensitive medical research data. It is a natural target for cyber attackers and ransom seekers because the data held here is more precious than even oil. The pertinent question is whether the thousands of servers and devices that connect to the system were handled with the highest cyber security standards, and whether security solutions and disaster recovery plans were in place. Also, did the audits of cyber networks mandated by CERTIn show that everything was in order? Did AIIMS follow a cyber hygiene regime similar to the one it would want its patients to follow in the real world?
Typically, such attacks, which keep networks from functioning after encrypting data, are carried out by ransomware-seeking entities, and the affected organisations are sent demands that are often negotiated and paid without informing law enforcement. In this case, both AIIMS and NIC brought the outage into the public domain, reporting it on the first day. Since then, along with the Delhi Police, multiple agencies have been trying to investigate and identify the perpetrators, while recovery and restoration of the networks is under way in parallel. The Delhi Police’s use of section 66(F) of the Information Technology Amendment Act 2008, identifying this incident as a case of cyber terrorism, is significant and indicates a much larger ambit than a typical ransomware case. As cyber attacks on CIs also have national security connotations, one cannot lose sight of the fact that AIIMS servers held the critical health data of several individuals at the helm of the country’s government, and the attack might have had a much larger motive than just garnering ransom.
While this incident is another wake-up call for organisations across sectors to shore up cyber security measures, it is also important to push through and announce the national cyber security strategy that the prime minister mentioned a couple of years back. That strategy will be a guiding document to motivate and monitor the cyber readiness of institutes, and to enhance capacity on many fronts, including forensics, accurate attribution and cooperation. Significant budgets have to be allocated by various ministries to ensure that cyber security measures do not remain the last priority. Likewise, capacity enhancement for the National Critical Information Infrastructure Protection Centre (NCIIPC) and CERTIn has to be undertaken to address the increasingly sophisticated nature of threats and attacks, and sectoral CERTs have to be set up for many areas, including health. At the same time, international cooperation on countering cyber attacks has to gain more teeth beyond the Group of Governmental Experts (GGE) meetings and the US-led Counter Ransomware Initiative (CRI) of 37 countries and the European Union.
The writer is a defence and cyber security analyst