The All India Institute of Medical Sciences in New Delhi (AIIMS), the nation’s main medical institution, was severely damaged by a significant cyberattack on November 23 of this year. The majority of its servers as well as the eHospital network run by the National Informatics Center stopped functioning (NIC). It was necessary to switch to manual management for all operations, including those in the emergency, outpatient, inpatient, and laboratory wings. This has been going on for more than a week as the vast majority of servers around the institute were being cleaned up and restored once the impacted servers were found.
The Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police, which on November 25 opened a case of extortion and cyberterrorism, denied that AIIMS had reported to them a demand for Rs 200 crores in cryptocurrency, as is often seen with a ransomware assault. Understanding the reason behind the assault and conducting a review of cyber security readiness across organizations and systems become more important as a result.
As hackers and criminal gangs realized how dependent these institutions were on digital systems to store and manage vast amounts of patient data, including their reports, and to manage medical functioning optimally, cyber attacks on medical institutions are becoming more frequent. The pandemic has been a turning point in this trend. Both the security and privacy issues become apparent in this circumstance. The majority of nations classify the health and medical industries as critical information (CI) infrastructure because of this.
Despite the fact that health is not specifically listed as a CI in India, organizations like AIIMS New Delhi could be considered “strategic and public enterprises” because they care for millions of patients, including the top government officials, and serve about 38 lakh people annually. Additionally, it manages and stores extremely private medical research data. Because the data available here is more valuable than even oil, it is a natural target for cybercriminals and those looking for ransom.
The important question is whether the tens of thousands of servers and other devices that link to the system were managed in accordance with the highest standards of cyber security, and whether disaster recovery plans and solutions were in place. Did the CERTIn-mandated assessments of cyber networks also reveal that everything was in order? Did AIIMS adhere to a standard of cyber cleanliness that was comparable to that which it would expect its patients to uphold in the real world?
Typically, ransomware-seeking entities carry out such cyberattacks to prevent networks from functioning after encrypting data. Organizations are sent demands, which are frequently negotiated and paid without alerting law authorities. In this instance, the outage was reported on the first day by both NIC and AIIMS, bringing it into the public eye. Since then, a number of agencies, including Delhi Police, have joined forces to look into the incident and try to find the offenders, while also attempting to recover and restore the networks.
The Delhi Police’s use of the provisions of section 66 (F) of the Information Technology Amendment Act 2008 labelling this occurrence as a case of cyber terrorism is important and indicates a far greater ambit than a regular ransomware case. Because cyber attacks on CIs have national security implications, it is important not to overlook the fact that AIIMS servers held sensitive health data for multiple individuals at the helm of the country’s leadership, and the attack could have had a much wider motivation than just extortion.
While this event serves as yet another reminder for businesses across industries to strengthen their cyber security protocols, it’s also critical to advance and publicize the national cyber security policy that the prime minister first outlined a few years ago. This strategy will serve as a roadmap to inspire and monitor institutes’ level of cyber readiness and to build their competence in a variety of areas, such as forensics, precise attribution, and cooperation. To make sure that cyber security measures aren’t the last priority, numerous ministries must allocate considerable sums.
To handle the increasingly complex threats and attacks, the National Critical Information Infrastructure Centre (NCIIPC) and CERTIn must be strengthened, and sectoral CERTs must be established for numerous industries, including the health sector. In addition to the meetings of the Group of Governmental Experts (GGE) and the US-led Counter Ransomware Initiative (CRI) comprising 37 nations and the European Union, stronger international collaboration is needed to combat cyberattacks.
