The servers of the All India Institute of Medical Sciences (AIIMS), Delhi, were hacked on November 23. Over 50 of these servers, which store patient data and run hospital management software, were out of order. The result was a complete shutdown of computers at this premier hospital, which receives on average 12,000 new patients every day. After the initial efforts to bring the systems back to work failed, the hospital management deployed additional staff and tried to run the routine healthcare services manually. From new patient registrations to managing the labs, everything was being done manually. On November 30, the hospital management said in a statement that the servers had been restored but were being sanitized, and that hospital functions were still being managed manually.
That AIIMS functioned for seven consecutive days without the support of computers and the internet is beyond reasoning. After the servers were exploited, a bevy of investigating agencies descended on the scene. They included cyber experts from Delhi Police, which operates under the Union Ministry of Home, the National Intelligence Agency (NIA), which specializes in terror investigation, and the Indian Computer Emergency Response Team (CERT-IN), the national-level nodal agency to deal with cyber security incidents. They worked day and night for seven consecutive days to bring the 50-odd servers at AIIMS back to life after sanitizing the malware. Media reports suggested that it was a ransomware attack, and there were reports that hackers demanded Rs 200 crore ($25 million) in cryptocurrencies to help bring the system back to life. However, Delhi Police denied that AIIMS authorities brought the demand for ransom to their notice.
A ransomware attack is one of the social engineering attacks, in which hackers exploit human errors rather than the system’s safeguards to launch an attack. This kind of attack is possible when basic data security measures, such as the use of antivirus software, are not followed strictly. Other human errors can include revealing or exposing passwords or similar credentials by falling prey to other social engineering attacks such as phishing, spear-phishing, pretexting, baiting, or scareware.
Last month, in Brazil, the government-run Bank of Brasilia suffered a similar ransomware attack, and hackers stole important but protected data that even they could not break into. They asked the bank for 50 bitcoin (BTC) to return the data. While the bank did not say anything on the matter, it’s believed that it did pay 50 BTC to the hackers to get the stolen data back. Cyber attacks such as ransomware attacks are very common, as the hackers are experts in IT and software. They use the weaknesses in the cyber security system to steal data and sometimes money, as in the case of cryptocurrencies, which are essentially blockchain-encrypted data.
Given this, the ransomware attack on AIIMS servers was not exactly a highly advanced technical coup against India’s IT and cyber security capabilities. It was plain negligence and lack of professionalism on the part of those who were supposed to ensure strict adherence to the standard operating procedure while dealing with critical IT components at this premier hospital. Reports suggest that the breach has exposed the hospital data of 30-40 million patients, including VIPs such as former prime ministers and ministers. This data can be sold on the dark net and may come back to haunt big targets, including government agencies.
Two days ago, media reports said that WhatsApp data including phone numbers of 500 million users were available for sale on the dark net. While WhatsApp said the reports are false, news platform CyberNews claimed that the dataset for the US (33 million users), UK (11 million users), and Germany (6 million users) was available for $7000, $2500, and $2000, respectively. The data of 6.1 million Indian users was available to the highest bidder.
These incidents of data breaches come at a time when India, a significant market for both data generation and consumption, is considering a new bill to ensure the protection and privacy of personal data. While adequate law is a great protection against the illegal use of data, learning from the AIIMS incident, India also needs to develop a responsible and sincere work culture that accords top priority to data protection. It includes adequate cyber security and data safety measures. (IPA Service)