Emergency responders raced to restore the computer network at the All India Institute of Medical Sciences, Delhi (AIIMS) and police on Thursday launched an investigation into “cyber terrorism” as the country’s foremost government hospital was hit by a cyberattack. The network remained crippled, leaving patient services such as appointment booking, billing and diagnostics reporting to be run offline.
The suspected ransomware attack means patients and doctors are unable to access records or test reports, even as experts flag a potentially huge problem if some of this data was accessed by an attacker as a result of the hack.
“Various government agencies are probing and supporting AIIMS to bring back digital patient care services. We hope to be able to restore affected activities soon,” said an update issued by the administration.
The Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) cell registered the FIR against unknown persons invoking sections of cyber terrorism (IT Act, Section 66F), while the government’s information technology arm, the National Informatics Center (NIC) and the Computer Emergency Response Team (CERT-In) attempted to restore the network.
“This time, [we are] paraphrasing content related to cyber attacks to identify the source. We are in the initial stages of investigation,” said a senior police officer, who did not wish to be named.
According to the official, preliminary investigation indicates that the cyber attack may have been carried out from outside India. “That is why we have included the cyber terrorism section of the IT Act in the FIR. We are working closely with CERT-In.”
This is the first instance of a major Indian hospital – in this case, the country’s foremost government hospital that also treats high-ranking officials – being hit by ransomware. This type of attack involves a malware that locks access to files, disrupting regular operations.
“The remedial action is on… [systems are] likely to be restored today,” said Lt Gen Rajesh Pant, National Cyber Security Coordinator, on Thursday.
An AIIMS official aware of the matter and on the condition of anonymity said that there is a danger of VIP and research data being affected.
Ransomware operators usually demand payment – hence, ransom – for providing keys to decrypt files. A common modus operandi for most ransomware operators is to threaten to leak files in order to pressure their targets into paying, which makes the AIIMS attack particularly worrying, experts said, since it involved medical records, the most private information about an individual.
Doctors at the hospital who had seen some of the infected computers before IT took them over reported seeing a demand for payment in cryptocurrency in exchange for a key that would decrypt the data.
Officials did not respond to requests to clarify whether there was a data breach or how many patient records were on the servers, but some doctors provided a rough estimate, saying it could be in the millions.
Experts said that once the attack is contained, its extent should become clear. “Ransomware is a far greater cyber security threat than any other cybercrime because of the operators’ association with nation states. Unlike fee-for-decryption commercial operators, nation states have a number of strategic objectives, including taking advantage of the health records of heads of government for espionage, psychological and health evaluations, or trade negotiations and power projection during low-resolution conflicts,” said Venkatanarayanan, cyber security expert and co-founder of think tank DeepStrat.
“The lack of meaningful discussion on state-backed operators, even after successful attacks on payment networks, power plants, nuclear plants and other critical infrastructure, including Aadhaar, is more than a bug in the way the administration thinks about cyber security,” he said.
On 9 November, a ransomware group with links to a Russian-speaking operator known as REvil began leaking medical records of customers of Australian health insurance giant Medibank after the firm refused to pay the ransom.
A “sample” of Medibank records on the dark web contained details of 9.7 million people, including those in treatment for HIV, alcohol abuse and drug addiction.
According to people familiar with the incident at AIIMS, the servers handling the database – which stores information such as patient files and lab reports – were found to be down on Wednesday morning, and the problem appears to have spread to the primary backup. An incident report sent by AIIMS director Dr M Srinivas to the Union Ministry of Health and Family Welfare said that two technical response teams first analyzed the issue at the site and noted that “the infected server files had changed extensions, indicating a possible ransomware attack.”
Srinivas’ update, sent on Wednesday and seen by HT, said a second backup server appeared to be untouched and efforts were being made to recover those files.
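The incident report’s key indicator, files on the server suddenly carrying a different extension, is something an administrator can check for mechanically rather than by eye. The script below is an added example written for this article, not code from AIIMS, NIC or CERT-In, and it says nothing about the specific extension used in this incident (the page does not name one). It walks a directory tree, counts files whose extension falls outside an assumed baseline of expected types (the `KNOWN_EXTENSIONS` set is an assumption and would be built from a healthy inventory in practice), and flags a burst: many such files modified inside one short window, which is the mass-rename signature of an encryption run rather than a few stray files. The `build_sample_tree` helper creates constructed sample data with a made-up `.locked` extension so the example runs offline.

```python
import os
import tempfile
from collections import Counter

# Assumed baseline of extensions expected on a hospital records server.
# Constructed for this example; a real deployment would derive it from an
# inventory taken while the system was known to be healthy.
KNOWN_EXTENSIONS = {".pdf", ".dcm", ".csv", ".xml", ".txt", ".jpg", ".docx", ".db"}


def scan_tree(root, known=KNOWN_EXTENSIONS, window_seconds=3600, burst_threshold=20):
    """Walk `root` and report files whose extension is outside the baseline.

    Returns the total file count, the count and share of unknown-extension
    files, the most common unknown extension, the peak number of such files
    modified inside any single `window_seconds` interval, and a `burst` flag
    set when that peak reaches `burst_threshold`.
    """
    unknown_mtimes = []
    unknown_exts = Counter()
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            ext = os.path.splitext(name)[1].lower()
            if ext in known:
                continue
            unknown_exts[ext or "<none>"] += 1
            unknown_mtimes.append(os.path.getmtime(os.path.join(dirpath, name)))

    # Largest number of unknown-extension modifications inside one window,
    # found with a two-pointer sweep over the sorted modification times.
    unknown_mtimes.sort()
    peak = 0
    left = 0
    for right, t in enumerate(unknown_mtimes):
        while t - unknown_mtimes[left] > window_seconds:
            left += 1
        peak = max(peak, right - left + 1)

    unknown = len(unknown_mtimes)
    top = unknown_exts.most_common(1)[0][0] if unknown_exts else None
    return {
        "total_files": total,
        "unknown_ext_files": unknown,
        "unknown_ext_ratio": round(unknown / total, 3) if total else 0.0,
        "top_unknown_ext": top,
        "peak_in_window": peak,
        "burst": peak >= burst_threshold,
    }


def build_sample_tree():
    """Create a constructed directory: 12 ordinary records plus 30 files
    carrying a made-up '.locked' extension, mimicking a server whose files
    were renamed after encryption. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="ransomware_ext_example_")
    for i in range(12):
        ext = (".pdf", ".dcm", ".csv")[i % 3]
        with open(os.path.join(root, f"report_{i}{ext}"), "w") as fh:
            fh.write("constructed sample record\n")
    sub = os.path.join(root, "lab")
    os.mkdir(sub)
    for i in range(30):
        with open(os.path.join(sub, f"result_{i}.csv.locked"), "w") as fh:
            fh.write("constructed stand-in for an encrypted file\n")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run against the constructed tree it reports 30 of 42 files with the unexpected `.locked` extension, all modified within one window, so `burst` is set. On a real server the useful part is the baseline and the window: a handful of odd extensions is noise, while dozens appearing within an hour is the moment to isolate the host and, as the report above shows matters, the backup that replicates from it.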
Another expert also raised important questions about cyber security at AIIMS. Muktesh Chander, former Director General of Police (DGP), Goa, and founding director of the National Critical Information Infrastructure Protection Centre (NCIIPC), said that India needs to take lessons from cyber attacks abroad to strengthen its cyber security. “The fact that even the backup was corrupted means that we were not prepared for such a disaster. We need to implement a national cyber security plan so that we are prepared and not saved from the fire in such a situation,” Chander said. There is a need for proper budgeting and technology enhancement, he added, and a culture of cyber security must be inculcated so that the country is not left to deal with such situations after the fact.