There is growing concern in the cyber-security establishment over the ransomware attack on servers of AIIMS-Delhi on November 23, with top Government sources telling The Indian Express that the breach, “in all likelihood”, could have a cascading effect on AIIMS facilities in other cities and on more hospitals connected to the network.
Multiple cyber-security agencies, led by the Indian Computer Emergency Response Team (CERT-In), are scouring network logs to determine to which AIIMS units or hospitals the “contagion” could have spread. Senior officials said a spread was “likely”, but there were no reports as yet of any impact on systems in other cities.
The exercise is a logistical nightmare since the AIIMS network has 15,000 “endpoints” connected to it and exchanging information with it, including desktops, laptops and even diagnostic machines.
AIIMS-Delhi runs a large network of about 100 servers, and it is now known that a Windows server was the first to be breached and encrypted by the attackers on November 23, bringing computerised services at the country’s premier medical institute to a grinding halt.
Early in the ongoing “incident response”, officials said, it was discovered that AIIMS-Delhi was running a 2007 Windows version in a “poor configuration”, with its architecture built and expanded by an in-house team.
The National Informatics Centre (NIC) has now been called in to design a “model” computer architecture for AIIMS and other hospitals, especially since there has been an uptick in cyberattacks on medical infrastructure in the country, including Covid-vaccine research centres.
The other worrisome admission from top officials is that, although the AIIMS cyber strike is now more than two weeks old, there is a “predictable scenario” in which it ends up categorised as a “double extortion” ransomware attack.
In a “double extortion” ransomware attack, the attacker first steals a copy of high-value data and then encrypts the victim’s systems; a ransom is then demanded twice over, once for the decryption key and again to stop the stolen copy being sold or put out in parcels on other networks.
The Indian Express had reported on December 3 that a preliminary investigation by CERT-In found that the cyberattack originated in another country and could possibly have involved “a foreign state actor”.
The incident marked one of the most high-profile data breaches targeting a Government-backed entity in the country, compromising the records of an estimated 3-4 crore patients, including high-profile political personalities.