The All India Institute of Medical Sciences (AIIMS), Delhi, suffered a hack of its servers on November 23. Over 50 of its servers, which store patient data and run hospital management software, were out of order. This resulted in a complete shutdown of computers at this premier hospital, which receives an average of 12,000 new patients every day. After the initial efforts to bring the systems back to work failed, the hospital management deployed additional staff and tried to run routine healthcare services manually. From new patient registrations to managing the labs, everything was being done manually. On November 30, the hospital management said in a statement that the servers had been restored but were being sanitised, and that hospital functions were still being managed manually. That AIIMS functioned for seven consecutive days without the support of computers and the internet is beyond reasoning.
After the servers were exploited, a bevy of investigating agencies descended on the scene. They included cyber experts from Delhi Police, which operates under the Union Ministry of Home, the National Intelligence Agency (NIA), which specialises in terror investigations, and the Indian Computer Emergency Response Team (CERT-IN), the national-level nodal agency for dealing with cyber security incidents. They worked day and night for seven consecutive days to bring the 50-odd servers at AIIMS back to life after sanitising the malware. Media reports suggested that it was a ransomware attack, and there were reports that the hackers demanded Rs 200 crore (USD 25 million) in cryptocurrencies to help bring the system back to life. However, Delhi Police denied that AIIMS authorities had brought the demand for ransom to their notice. The ransomware attack on AIIMS servers was not exactly a highly advanced technical coup against India’s IT and cyber security capabilities. It was plain negligence and a lack of professionalism on the part of those who were supposed to ensure strict adherence to the standard operating procedure while dealing with critical IT components at this premier hospital.
A ransomware attack is one of the social engineering attacks, in which hackers exploit human error rather than the system’s safeguards to launch an attack. This kind of attack is possible when basic data security measures, such as the use of antivirus software, are not followed strictly. Other human errors can include revealing or exposing passwords or similar credentials by falling prey to other social engineering attacks such as phishing, spear-phishing, pretexting, baiting, or scareware. Two days ago, media reports said that WhatsApp data, including the phone numbers of 500 million users, was available for sale on the darknet. While WhatsApp said the reports were false, the news platform CyberNews claimed that the datasets for the US (33 million users), UK (11 million users), and Germany (6 million users) were available for USD 7000, USD 2500, and USD 2000, respectively. The data of 6.1 million Indian users was available to the highest bidder. These incidents of data breaches come at a time when India, a significant market for both data generation and consumption, is considering a new bill to ensure the protection and privacy of personal data. While adequate law is a great protection against the illegal use of data, India, learning from the AIIMS incident, also needs to develop a responsible and sincere work culture that accords top priority to data protection. That includes adequate cyber security and data safety measures.