On November 23, AIIMS Delhi reported a cyberattack on its e-hospital server, which handled inpatient and outpatient digital hospital services, the appointment system, smart lab, billing and report generation. All these services had to be shifted to manual mode, which led to long delays and caused considerable discomfort to patients who travel to AIIMS from all over the country for treatment.
The data of 3-4 crore patients and the sensitive medical records of VIPs are believed to have been compromised in the attack, which is suspected to have been caused by “ransomware” (malicious software that encrypts or locks the victim’s files on a device and demands a ransom payment to restore access to those files).
PSYCHOLOGY OF RANSOMWARE ATTACKERS
Most ransomware actors are interested in extorting money, usually in the form of cryptocurrency (such as bitcoin) because it gives them anonymity and can be moved across international borders easily. If they are unable to get the ransom, they sell the stolen data on the dark web (the part of the web which is not indexed by search engines and can only be accessed through specialised browsers), where there are many buyers.
This appears to be what is happening in the case of the AIIMS cyberattack, with reports of queries on the dark web offering the stolen data records for sale. As the AIIMS authorities have neither confirmed nor denied the reports of a Rs 200-crore ransom demand, it is possible that they did not accept the attackers’ demands and that the attackers therefore tried to sell the stolen data on the dark web instead.
SUSPECTED RECONSTRUCTION OF THE AIIMS ATTACK
As per the CERT-In (Indian Computer Emergency Response Team) probe, the AIIMS IT network had no security measures in place: no policies were defined on the firewall (the first line of defence in an organization’s network) and unmanaged switches were in use. Switches, which connect multiple devices to a network, can be managed or unmanaged; managed switches offer a greater degree of control over network settings, which makes them the better choice from a security perspective.
According to what a senior official told News18, one of the staff working at AIIMS seems to have clicked on a link embedded in a gaming or similar website a few months ago. On clicking the link, the website would have downloaded a dropper (a trojan or other malware) on to the staff member’s machine. As there were no protective firewall policies in place, nothing stopped AIIMS staff from accessing dangerous websites, or the website from downloading the dropper. The dropper would have compromised the machine itself or downloaded secondary malware.
After that machine was compromised, the attackers would most likely have connected it back to a command-and-control server, through which the infected machine sends data out and receives the attackers’ commands. They would then have scanned for other machines reachable from the point-of-entry machine and for their vulnerabilities. By exploiting those vulnerabilities, by simply brute-force guessing login passwords, or through other attack techniques, the attackers would have compromised more machines and scanned the networks connected to them.
Machines do not always have to be directly connected for attackers to move from one to another; certain vulnerabilities let attackers “jump” to machines which are not directly connected. By repeating this process, the attackers would have built a rough map of the AIIMS internal network. As the AIIMS IT equipment, software and operating systems had not been upgraded for 30-40 years, the attackers would have had no difficulty finding older vulnerabilities with which to compromise the machines. They would also have scanned the files on each compromised machine to check whether they were valuable.
Once the AIIMS servers were breached, the ransomware would have been deployed to encrypt the server files (scramble the data using secret keys so that it cannot be read without them). That the attackers moved across the AIIMS network to finally reach the servers is supported by reports that the CERT-In team found the encryption of server files was triggered from one of the Windows servers connected to the server network.
HOW DO OTHER HOSPITALS IN INDIA FARE WITH RESPECT TO CYBERATTACKS?
AIIMS is not the first Indian healthcare institution to be targeted by hackers, and it won’t be the last. Cyberattacks on the healthcare sector in India have been on the rise. Around 1.9 million attack events had been recorded on healthcare systems in India up to November 28 this year, according to a research report by CyberPeace Foundation (CPF) and Autobot Infosec Private Limited.
As recently as November 14 this year, Safdarjung Hospital in Delhi suffered a cyberattack, although the damage was not as severe as in the AIIMS attack. The attack was reportedly not linked to ransomware and the affected systems were restored. Back in 2018, MGM Hospital in Vashi, Mumbai, fell victim to a ransomware attack in which ‘15 days worth of data related to patients’ and billing history was lost.
Hospitals which are yet to bring their services online may be protected against cyberattacks to an extent. However, even those hospitals and healthcare facilities are vulnerable to insider attacks, in which malicious software is transferred to machines on the internal hospital network through external peripherals such as USB drives. Going forward, digitisation of healthcare services is inevitable, and with many Indian hospitals already facing a shortage of staff and equipment and a burgeoning patient load, such cyberattacks can have disastrous consequences.
India is not alone in facing such cyberattacks on its healthcare infrastructure. WannaCry, perhaps the most well-known ransomware in the world, crippled National Health Service (NHS) hospitals in England and Scotland in May 2017, with thousands of appointments cancelled, ambulances rerouted and GP surgeries badly affected. The NHS was running unpatched Microsoft Windows 7 systems that were vulnerable to the EternalBlue exploit. The attack cost the NHS a total of £92m in lost output and IT recovery efforts.
The NHS has since published cyber incident response protocols, conducted onsite cyber assessments of NHS trusts, and reprioritised millions of pounds of investment for securing networks by upgrading firewalls, improving network resilience, implementing segmentation and automating patch management on devices.
Closer to home, SingHealth, the largest group of healthcare institutions in Singapore, was hit by a data breach in 2018 in which the personal records of 15 lakh patients and the outpatient dispensed-medicine history of 1.6 lakh patients were stolen from its database. Subsequent investigation revealed the use of unpatched versions of Microsoft Outlook on workstations and a lack of monitoring for unusual queries on the database. IT administration staff had failed to identify multiple failed login attempts and, on several occasions, failed to respond or responded late even after the cyberattack had been discovered. Insufficient training in post-attack response, lack of due diligence, lapses in judgement and failures of organizational processes were also found to have contributed to the data breach.
IHiS, the public healthcare IT services provider which manages the SingHealth database, has since taken steps to report suspicious IT incidents within 24 hours, implement two-factor authentication for all administrators, carry out proactive threat hunting and intelligence at its security operations centre, tighten access control so that only computers with the latest security updates can join hospital networks, and deploy a new database activity monitoring system for detecting suspicious bulk queries.
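As an added illustration of the two monitoring gaps just described (failed login attempts that went unnoticed, and the bulk database queries that a monitoring system now flags), and of the brute-force password guessing mentioned in the AIIMS reconstruction above, here is a small Python log-review script. It is not code from the article, AIIMS, SingHealth or IHiS; the log formats, hostname, addresses and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Assumed formats: auth lines are
# "<ts> <host> LOGIN_FAIL|LOGIN_OK <src-ip> <user>", audit lines are
# "<ts> <host> QUERY <src-ip> <user> rows=<n> <sql>".
AUTH_LOG = """\
2022-11-20T02:14:01 hisdb01 LOGIN_FAIL 10.0.5.23 admin
2022-11-20T02:14:03 hisdb01 LOGIN_FAIL 10.0.5.23 admin
2022-11-20T02:14:04 hisdb01 LOGIN_FAIL 10.0.5.23 administrator
2022-11-20T02:14:06 hisdb01 LOGIN_FAIL 10.0.5.23 sa
2022-11-20T02:14:07 hisdb01 LOGIN_FAIL 10.0.5.23 admin
2022-11-20T02:14:09 hisdb01 LOGIN_OK 10.0.5.23 admin
2022-11-20T09:00:00 hisdb01 LOGIN_FAIL 10.0.7.9 nurse07
2022-11-20T09:00:30 hisdb01 LOGIN_OK 10.0.7.9 nurse07
"""
DB_AUDIT_LOG = """\
2022-11-20T02:20:10 hisdb01 QUERY 10.0.5.23 admin rows=1480000 SELECT * FROM patients
2022-11-20T09:01:00 hisdb01 QUERY 10.0.7.9 nurse07 rows=1 SELECT * FROM patients WHERE uhid='P123'
"""

def failed_login_bursts(log, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold LOGIN_FAIL events inside a sliding
    time window (password guessing); note whether a LOGIN_OK followed the burst."""
    recent = defaultdict(list)   # source -> failure timestamps still inside the window
    users = defaultdict(set)     # source -> distinct usernames tried
    alerts = {}
    for line in log.splitlines():
        ts, _host, event, source, user = line.split()
        t = datetime.fromisoformat(ts)
        if event == "LOGIN_FAIL":
            recent[source] = [x for x in recent[source] if t - x <= window] + [t]
            users[source].add(user)
            if len(recent[source]) >= threshold:
                alerts[source] = {"failures": len(recent[source]), "success_after": False,
                                  "usernames": sorted(users[source])}
        elif event == "LOGIN_OK" and source in alerts:
            alerts[source]["success_after"] = True   # a guess apparently worked
    return alerts

def bulk_queries(log, max_rows=1000):
    """Flag queries returning more than max_rows rows. Clinical staff look up one
    patient at a time, so a read of a whole table deserves a human's attention."""
    hits = []
    for line in log.splitlines():
        _ts, _host, _event, source, user, rows, *sql = line.split()
        n = int(rows.split("=", 1)[1])
        if n > max_rows:
            hits.append({"source": source, "user": user, "rows": n, "sql": " ".join(sql)})
    return hits
```

Run against the constructed logs, the script flags 10.0.5.23 for five failures across three usernames followed by a successful login, and flags the same address for the 1.48-million-row read, while the nurse's single mistyped password and single-patient lookup pass quietly.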
PROVISIONS IN INDIAN CYBER SECURITY LAWS
India does not have a dedicated cyber security law. What we have is the Information Technology Act 2000, which was revised once, in 2008. Some of the sections of ITA 2008 which can be invoked in the case of ransomware attacks on critical healthcare institutions such as AIIMS are: Section 66B (punishment for dishonestly receiving a stolen computer resource or communication device); Section 66C (punishment for identity theft, that is, fraudulent use of the electronic signature, password or any other unique identification feature of another person); Section 66D (punishment for cheating by personation using a computer resource); and Section 66F (punishment for cyber terrorism, that is, intent to strike terror in the people or any section of the people by denying access to a person authorised to access a computer resource, attempting to access a computer resource without authorisation, or introducing any computer contaminant which may cause death or injury to persons, disrupt supplies or services essential to the community, or adversely affect critical information infrastructure).
THE WAY FORWARD
While AIIMS is already taking short-term steps to mitigate the damage caused by the ransomware attack (restoring the e-hospital data, directing staff not to connect any devices to the internal network) and has planned further steps to improve the cyber security posture of its IT systems (deputing a cyber security officer, separate networks for e-hospital and e-office work, and a security audit of any software before deployment), these measures will not completely stop future attacks.
Hopefully, the AIIMS incident will lead to a much-needed review of cyber security practices in healthcare institutions across India. Indian authorities should also take a cue from the initiatives taken by healthcare institutions across the world which have been victims of past cyberattacks. The technical resources are already there. What we need is strong political will, sufficient funding, and a permanent change in the attitude towards cybersecurity at all levels right from the healthcare services staff to the management, state and central governments.
We also need an overhaul of Indian cyber security laws, with clear, consolidated and deterrent provisions to deal with ransomware, Advanced Persistent Threats (APTs) and other modern cyber threats. The proposed Digital India Act and associated Cyber Security Acts will hopefully address these gaps. A good step in this direction is the set of new cyber security directives issued by CERT-In in late April this year, which require cyber security incidents to be reported within six hours of being noticed.
Since ransomware attacks have been on the rise in recent years and can cause a great deal of damage, the Indian cyber security agencies should issue dedicated directives for such attacks until the requisite legislation is in place. The Cyber Incident Reporting Act passed in the U.S. in March this year requires ransomware payments made by critical infrastructure operators to be reported within 24 hours.
It would also be beneficial to have a dedicated task force along the lines of the Inter-Agency Counter Ransomware Task Force set up by the Cyber Security Agency of Singapore (CSA). That task force tackles the ransomware threat from multiple angles: strengthening the defences of important potential targets; disrupting the ransomware business model by discouraging ransom payments and tracing the illicit flows of such payments; supporting the recovery of ransomware victims by providing data restoration resources and encouraging cyber insurance; and cooperating with international agencies and governments to coordinate efforts against ransomware.
The next cyberattack may not stop at one hospital. Next time it may not be ransomware actors behind such attacks, but cyber terrorists. The next cyberattack may even cost patient lives.
The stakes are high, and we need to respond quickly and decisively.
Ayush Kumar is currently a Cyber Security Scientist with ST Engineering, Singapore, working on IoT/IIoT and 5G security. Views expressed are personal.