The cyber attack on AIIMS raises many questions | Daily News Byte

Things are slowly returning to normal at the All India Institute of Medical Sciences (AIIMS). However, much damage has already been done. This has affected hundreds of patients who visit the central government-run hospital every day.

On November 23, a breach of the internal online information system of AIIMS was discovered. This led the hospital to shut down most digital patient care systems and switch to manual means.

Soon, AIIMS confirmed the attack in a media statement. Data recovery and server cleaning are said to be time-consuming due to the sheer volume and number of servers required by hospital services.

From the scheduling system to billing and sharing reports with patients and between departments, almost all online services at the institute were affected. Additional staff were deployed as AIIMS switched to manual mode. It went offline during testing, although not all servers were affected.

The biggest concern was the theft of patient data, which was at its most vulnerable. Every year, around 38 million patients, including top political leaders, bureaucrats and judges, receive medical treatment at AIIMS. Top intelligence and counter-terrorism agencies, alongside IT emergency teams, worked on the case as all of the around 5,000 computers and servers were scanned.

According to many experts, the attack is also a consequence of the lack of vulnerability of the digital infrastructure in healthcare institutions. Speaking more on this, Dr. Malini Saba, human rights activist and founder and president of the Anannke Foundation, said, “Cyber attacks have been able to enter hospital systems for a long time because they did not have regular cyber security maintenance or training of their employees about good online hygiene.

“According to the original orders, bookings, appointments and other services were shifted to the online system only after poor digitization. Cyber security measures were not implemented.”

Ransomware is malware that encrypts data on a system, blocking user access to that data. The hackers are demanding a ransom to regain access to that data, which in this case is said to be £200m. However, the ransomware theory has been denied by both AIIMS and the Delhi Police.

While AIIMS was still battling the hack, reports emerged that the Delhi government-run Safdarjung Hospital, located opposite AIIMS, had also witnessed a cyber attack.

While AIIMS has been crippled and is struggling to cope with the rush of patients, the cyber attack on Safdarjung Hospital was not that serious. Unlike AIIMS, where there is a risk of medical records of thousands of patients being leaked, the Safdarjung attack is unlikely to raise the same concerns, as much of the hospital still operates in manual mode.

“Hackers broke into the hospital system a few days ago and the server was down for a day,” Safdarjung Hospital Director Dr BL Sherwal told the media at the time. He also said that only some parts of the hospital were affected and that the cyber attack was not “of a high degree”.

“People have talked a lot about how India is generally unprepared for cyber attacks, but the AIIMS trail of documents also shows the glaring ineptitude that goes with the government’s push to digitize healthcare,” Dr Saba added.

Meanwhile, at AIIMS, the hack was so severe that its effects are still being felt. The head nurse at AIIMS, when asked about the situation in the hospital, said on condition of anonymity, “There are still some functional problems that we are facing even now.”

According to reports, security professionals working at AIIMS had to scan the entire system, making sure that every system on the network was malware-free. That was the main reason why it took so long to get things back to normal.

“Despite multiple attacks on vital government installations over the past few months, it remains to be seen whether the number of events can be brought under control. In the absence of a robust firewall surrounding data, websites remain vulnerable and can be exploited by unscrupulous actors,” Dr Saba added.

Meanwhile, the National Investigation Agency (NIA) is investigating a “deliberate and targeted” ransomware attack on AIIMS Delhi’s servers, Minister of State for IT Rajeev Chandrasekhar said.

“I cannot comment on it as it is a subject of NIA investigation… It is quite clear that it is a deliberate and targeted attempt… a ransomware attack on AIIMS’s system… and NIA is investigating it,” Chandrasekhar said.

According to what is known, after the massive disruption, a multi-agency investigation was initiated, comprising the Indian Emergency Response Team under the Ministry of Electronics and Information Technology, the Delhi Cyber Crime Special Cell, India’s Cyber Crime Coordination Centre, the Intelligence Bureau, the Central Bureau of Investigation (CBI), the National University of Forensic Sciences, the National Center for Critical Information Infrastructure Protection, and the NIA, among others.

Meanwhile, a report published by The Print said that the hospital administration had raised serious concerns about the security of data and systems soon after AIIMS switched to a fully digitized setup in 2016, and indicated that the lag could “have serious consequences for patient care”.

The report said that on July 19, 2016, Delhi AIIMS completed the implementation of the e-hospital project under the Narendra Modi government’s Digital India Initiative. It became the first fully digital public hospital in the country.

However, six months after the full digitization, on January 9, 2017, Dr. Deepak Agrawal, from the department of neurosurgery, who was then the chairman of the computerization committee, wrote to the Union Health Ministry.

In his letter, he pointed out that the installation of the e-hospital by the National Informatics Center (NIC) — the government department responsible for setting up the IT infrastructure — was not backed up with proper maintenance and security systems.

“The largest e-hospital installation done by NIC is at AIIMS, New Delhi. However, there is no database administrator, security administrator, and system administrator at the installation site, which puts the entire project at risk,” Dr. Agrawal wrote. He added that NIC did not have the expertise to provide any support in this regard and asked AIIMS to engage these experts.

Urging the health ministry to take up the issue with the NIC and the Department of Electronics and Information Technology, Agrawal wrote, “[W]ithout these experts, there is a high risk for installing an e-hospital at AIIMS, Delhi.”

However, the incident at the hospital has only sparked a debate over India’s IT law.

The Information Technology Act of 2000 (hereinafter referred to as the Information Technology Act) is the only law that deals extensively with technology and related issues. There are other laws like Indian Penal Code, 1860, Indian Evidence, 1872, Bank Books Records Act, 1891, Prevention of Money Laundering Act, E-Record Maintenance Policy by Banks, 2002.

These laws do not deal in a sound manner with the laws related to technology, but touch upon some important aspects which are covered by the subject of the legislation.

According to reports, India experienced 18 million cyber attacks and 2 million threats every day during the first quarter of 2022.

Speaking about the legislation, Dr Saba said: “To realize the vision of a digital health ecosystem, it is necessary to rethink our existing approach to cyber security, particularly with regard to health data.”

“The expansion of the digital infrastructure at a leading healthcare facility since 1988 indicated that, given the obvious vulnerabilities, incidents similar to these cyber-attacks may have occurred long ago. There are difficulties such as reliance on outdated versions of systems and applications software, inadequate cleanliness, lack of clear ownership and skills required to properly manage the system, connectivity of key utilities and absence of cyber security measures, to name a few,” she added.

Meanwhile, social media giant Meta said it has removed over 40 accounts managed by Indian company CyberRoot Risk Advisors due to identity theft. The accounts were allegedly involved in hacking-for-hire services, Meta said in a report. The tech giant also took down a network of around 900 fake Instagram and Facebook accounts operated from China by an unknown entity.

These accounts were focused on collecting data on people in Myanmar, India, Taiwan, the US and China, including military personnel, pro-democracy activists, government officials, politicians and journalists, according to Meta’s Threat Report on the Surveillance-for-Hire Industry, published on December 15.

“We took down a network of more than 40 Facebook and Instagram accounts operated by an Indian firm called CyberRoot Risk Advisors Private. Rather than directly distributing malware to our applications, this group’s activity has manifested itself primarily in social engineering and phishing, often designed to trick people into giving up their credentials to various online accounts across the Internet,” the report said.

According to Meta, CyberRoot used fake accounts to create fictitious personas tailored to gain the trust of its targets around the world and appear more credible, impersonating journalists, business executives and media personalities.

In some cases, CyberRoot also created accounts that were very similar to accounts associated with their targets such as their friends and family members, with only slightly altered usernames, possibly in an attempt to trick people into engaging, the report said.

Meta said it continues to investigate and take action against spyware vendors around the world, including China, Russia, Israel, the US and India, who have targeted people in about 200 countries and territories.

The social media company found in its research that the global surveillance-for-hire industry continues to grow and indiscriminately targets people, including journalists, activists, litigants and political opposition, to gather intelligence, manipulate and compromise their devices and accounts across the internet.

Interestingly, the government will release the draft Digital India Bill for public consultation by the end of this month. The Digital India Act is expected to replace the IT Act 2020, and the government plans to introduce a data protection law in the upcoming budget session.

Speaking at the CII Global Economic Policy Summit, Chandrasekhar said, “we expect both the Bills (the Digital Personal Data Protection Bill and the Digital India Bill) to be tabled in Parliament together.”

