News & Analysis

AIIMS CyberAttack Raises Questionsaiims, cyberattack

At a time when the government is piloting new data privacy and protection laws, the attack on India's premier medical institution has set alarm bells ringing

The timing couldn’t have been worse. At a time when the union government is bringing new data privacy laws and massive fines for data breaches, the cyberattack on the All India Institute of Medical Sciences (AIIMS) continues to paralyze India’s premier healthcare institution. This has caused a few alarm bells to ring and left a few others red-faced. 

 

The cyberattack on AIIMS is now two weeks old, but over this period the concerns are growing around the level of preparedness that India has achieved on warding off similar or even bigger cyber attacks on critical infrastructure such as hospitals, especially the ones run by government agencies in the country. 

 

Who is to blame for government breaches?

Security experts that we spoke to felt that the government should first set its house in order before asking private infrastructure providers to cough up massive fines for data breach as proposed under the new Data Protection Bill, likely to be tabled in the current session of the Parliament. 

 

In fact, there is a real danger in the months and years ahead of more such attacks and how they could impact when the country’s data infrastructure gets integrated and more connected. “Imagine the impact on our medical services, energy supply and the much more critical defense sector data,” says an official working with a Bangalore-based cybersecurity company. 

 

The officials believe that in the absence of regulations around conducting audits for healthcare, such instances could potentially mushroom in the future. What is required is a statutory body such as the RBI (which keeps a close watch on payments) to monitor hospitals and related organizations to ensure that data security is always protected. 

 

In fact, there were reports that another large hospital in the national capital – Safdarjung Hospital – that resides across the road from AIIMS – was also a target of cybercrime last week though on this occasion, the severity wasn’t as much as the earlier one. 

 

Need for more accountability 

Industry experts say that the government agencies should come forth and be held accountable for data across key sectors of the country’s economic institutions as well as organizations within the administration that store citizens’ data. “What’s the point talking about Rs.200 crore fines for the private sector while the government official could go scot free for such breaches,” says an official of a Chennai-based security services provider who sought anonymity.  

 

In fact, some even pointed out that the security breach at the AIIMS could have ramifications far beyond what is being conceived just now. For example, the country’s premier healthcare institutions house personal health data of the who’s who in the top echelons of India’s administrative framework. 

 

Such data could easily find use in case of a state-sponsored cyber attack whereby information around the health data records of senior government functionaries could easily fall into the hands of espionage agents. Of course, merely sharing a list of dos and don’ts with government departments isn’t going to do the trick, as the critical element is accountability and supervision. 

 

Was cybersecurity threat levels reduced?

Post the 2021 Covid-19 outbreak, the government had put several key sectors in the infrastructure category under critical watch from a cyber security perspective. However, the latest data breach suggests that things have gone lax following the removal of Covid restrictions in the country. 

 

On its part, the Indian Computer Emergency Response Team (Cert-In) has already completed the initial probe into the cyberattack at the AIIMS. Officials that we spoke to suggest that the probe team found several lapses around the SoPs for government departments. 

 

The only way ahead, feel the security experts, is to create an independent body to monitor threat perceptions and response for all government departments, both at the national and the state level. The under-skilled staff hardly have the capabilities to do this job that is best left to the experts, given the nature of importance of such data. 

 

And just to put the matter in perspective, a report from CloudSEK suggests that cyberattacks on the healthcare industry globally grew by 95% in January-April of 2022 compared to a year ago. And India accounted for 7.7% of these attacks making it the second largest country bearing the brunt of cybercrime activity in the healthcare industry during 2021. 

Leave a Response