The preliminary investigation into the cyberattack on some of the servers at the All India Institute of Medical Sciences (AIIMS) in Delhi has found that the hack originated from another country, and could possibly have involved “a foreign state actor”, The Indian Express has learnt.
The cyber incident that took place last month had brought the online management system of the institute to a halt, and raised concerns over the data of crores of patients being compromised, including that of high-profile political personalities.
The Indian Computer Emergency Response Team (Cert-In), the country’s premier cybersecurity agency, is learnt to have concluded its initial investigation into the cyberattack, including the diagnosis of the hack and a preliminary identification of the actors involved in it.
Investigators are also learnt to have found that AIIMS was using the services of a private company to design and run its servers, which is expected to trigger a policy change by the Centre that could lead to all bodies affiliated to the Government facing periodic safety audits.
“The origin of the cyberattack is from outside of India, and the initial investigation by Cert-In points to the possibility of the involvement of a foreign state actor,” a senior Government official told The Indian Express.
The official said the cyberattack happened at 2.43 pm on November 23, when hackers gained access to around five AIIMS servers and encrypted the data residing in them. “Once they encrypted the data on the infected servers, it meant that AIIMS no longer had access to it,” the official said.
The incident marked one of the most high-profile data breaches targeting a Government-backed entity in the country. The exploited databases contained personally identifiable information of patients and healthcare workers — and administrative records on blood donors, ambulances, vaccination and caregivers, and employee log-in credentials. The records of nearly 3-4 crore patients are suspected to have been compromised.
The Indian Express has learnt that AIIMS had done the system administration and design of its servers on its own, outside of Government platforms like the National Informatics Centre (NIC). The institute had subcontracted this work to a private company, sources said. “Whether this private company had a substantive track record of handling such large systems is a question that will certainly be asked going forward,” the sources said.
The AIIMS-Delhi did not respond to queries from The Indian Express seeking comment.
The preliminary findings of the probe have prompted the Centre to consider a policy change for cybersecurity-related incidents, with a directive mandating periodic audits likely to be issued soon by the Ministry of Electronics and IT (MeitY).
“MeitY has been, for the last two months, taking an ‘all of government’ approach to cybersecurity. NIC is on the job with MeitY in making sure that all Government systems are audited and secure. In the coming weeks, this would be expanded to Government-linked institutions like AIIMS where they have to get their systems audited regularly,” the senior Government official said.
As per CERT-In’s preliminary diagnosis, the cyberattack was the result of an “unorganised ICT (information and communications technology) network without centralised monitoring or system administration”. This means the infected devices were connected to each other and the data on all of them could be accessed from every connected device — and no team was monitoring who was accessing these systems.
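The diagnosis above describes the absence of centralised monitoring: nobody could see one account sweeping across servers that all trusted each other. As an added defender-side illustration, not part of the article or of CERT-In's findings, the script below does the simplest form of what such monitoring would do: pool access logs from several servers into one view and flag any account that reaches an unusual number of distinct servers within a short window. The log format, server names, accounts, timestamps and thresholds are all constructed for the example.

```python
"""Centralised access monitoring over a flat server estate.

Added illustration (not from the article or CERT-In). It pools per-server
access logs into one timeline and flags accounts that touch more distinct
servers in a short window than their role would normally need, a signal that
a network with no central monitoring cannot produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, format: "<ISO timestamp> <server> <account> <action>".
# nurse07 sweeps five servers in under three minutes; admin02 touches two
# servers half an hour apart, which is ordinary behaviour.
SAMPLE_LOGS = [
    "2023-01-10T09:00:05 srv-01 nurse07 read",
    "2023-01-10T09:01:10 srv-02 nurse07 read",
    "2023-01-10T09:01:55 srv-03 nurse07 write",
    "2023-01-10T09:02:30 srv-04 nurse07 write",
    "2023-01-10T09:03:01 srv-05 nurse07 write",
    "2023-01-10T09:03:20 srv-01 admin02 read",
    "2023-01-10T09:30:00 srv-02 admin02 read",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, server, account, action)."""
    ts, server, account, action = line.split()
    return datetime.fromisoformat(ts), server, account, action


def flag_server_sweeps(lines, max_servers=3, window=timedelta(minutes=5)):
    """Return {account: sorted list of servers} for every account that
    accessed more than `max_servers` distinct servers inside any `window`.

    A sliding window over each account's sorted events keeps the check linear
    in the number of events; the largest server set seen is what gets reported.
    """
    events = defaultdict(list)
    for line in lines:
        ts, server, account, _ = parse_line(line)
        events[account].append((ts, server))

    flagged = {}
    for account, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it is within `window` of the end.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            servers = {s for _, s in evs[start:end + 1]}
            if len(servers) > len(best):
                best = servers
        if len(best) > max_servers:
            flagged[account] = sorted(best)
    return flagged


if __name__ == "__main__":
    for account, servers in flag_server_sweeps(SAMPLE_LOGS).items():
        print(f"ALERT {account} reached {len(servers)} servers: {', '.join(servers)}")
```

The threshold and window are deliberately crude; in practice the baseline would come from each role's normal access pattern, and the alert would feed an on-call rota rather than stdout. The point is structural: the detection is only possible once the logs from every server land in one place and someone is assigned to watch them.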
While AIIMS had earlier said the data has been restored, a number of its systems continue to be offline. “The e-Hospital data has been restored on the servers. The network is being sanitised before the services can be restored. The process is taking some time due to the volume of data and the large number of servers and computers for the hospital services. Measures are being taken for cyber security,” the institute had said in a statement Wednesday.
The Indian Express had reported that AIIMS had decided to purchase four servers from the Defence Research and Development Organisation (DRDO) to resume its e-hospital facility for patients.
According to data published Thursday by cybersecurity think tank CyberPeace Foundation and Autobot Infosec, the healthcare industry in India has faced 1.9 million cyber attacks this year till November 2. The attacks came from more than 40,000 unique IP addresses, which were traced back to Vietnam, Pakistan and China, the report said.