On 23 November 2022, All India Institute of Medical Sciences (AIIMS), a premier public medical research institution and a hospital based in New Delhi, Bharat, reported a sophisticated cyber-incident on its servers (interchangeably ‘systems’). As a result of the incident, several patient care services, including registration, admission, billing, and discharge, were inaccessible due to this severe cyberincident.

By Anurag Sharma

According to several news reports, this cyber incident was Ransomware in nature and disrupted the e-services of the AIIMS (New Delhi) since 0700 hrs. on 23 November. By 06 December 2022, AIIMS’ officials confirmed that the trial runs of the e-Hospital server were successful, and most of the lost data had been retrieved over the last few days. This write-up provides the background and brief analysis of the incident and some cases where the healthcare sector was primarily targeted. Some measures to deal with such cyber incidents in future are also discussed at the end of the write-up.

तावद्भयेषु भेतव्यं यावद्भयमनागतम् ।
आगतं तु भयं वीक्ष्य प्रहर्तव्यमशङ्कया ॥
 

“A thing may be dreaded as long as it has not overtaken you, but once it
has come upon you, try to get rid of it without hesitation.”– Chanakya Neeti 5.3

Ransomware Disrupted AIIMS’ Operations

The All-India Institute of Medical Sciences (AIIMS), located in New Delhi, had a targeted and highly technical cyber-incident on its digital infrastructure over two weeks ago. As a result of the said incident several routine AIIMS procedures, such as OPD (Outpatient Department) registrations and blood sample reports, were not accessible from inside and outside the institute. The ‘e-Hospital,’ application system of the National Informatics Centre (NIC), which was used at the AIIMS, was impacted by this incident. The server mentioned above was responsible for managing inpatient and outpatient operations at the facility. Due to this cyber-incident, the hospital’s activities were converted from computerised to manual.

Reports suggested that the affected server had a backup. However, several factors must be considered when considering data backup to respond to an incident. For instance, if the backup is done daily, it is very likely that the malware has been backed up and will later infect the entire network. Cyber offenders frequently wait a week or more before activating their encryption tool/software. If the backup is mounted after the original data has been encrypted, the backup will also be compromised. The NIC team restored the e-Hospital application and database servers five days after the incident. Fortunately, the data backup was not connected to the network and was not affected by the incident; hence it has been restored. According to an official who requested anonymity, the NIC team continued the sanitisation process on the facility’s other e-Hospital servers, which are required to provide patient care services. By November 28, 2022, approximately 1,200 of 5,000 computers had been sanitised, and 20 of 50 servers were scanned as part of a 24×7 sanitisation procedure.

The event is being thoroughly investigated by the Indian Computer Emergency Response Team (CERT-In), the Delhi Police and its cyber department, and the Ministry of Home Affairs (MHA). According to some news reports, the hospital got the message— “What happened? Your files are encrypted?What is the price to repair? The price depends on how fast you can pay us” from the attackers demanding ₹200 crores in crypto-currencies as ransom. Despite the speculations in the news media about the ransom, officials familiar with the incident, based on anonymity, confirmed thatthe attackers made no such demand. However, on 25 November, Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) unit filed a complaint of extortion and cyber-terrorism. The digital forensic team members at the Forensic Science Laboratory (FSL) have been investigating the incident.

The Ransomware

Ransomware is malware from the crypto-virology field that encrypts the data in computer systems and storage. By encrypting the data, the adversary threatens victims with publishing or broadcasting their data—usually private or sensitive information—or having access to that material permanently blocked until a ransom fee is paid to the attacker(s)/group(s). As a modus-operandi, more sophisticated malware employs crypto-viral extortion, whereas other simple ransomware may lock the system without deleting any files. Files belonging to the victim are encrypted, rendering them unavailable, and a ransom demand is made to unlock them.

Typically, Ransomware incidents are carried out with the help of a Trojan, aka Trojan Horse[9] disguised as a legitimate file, which the user is conned into downloading or opening when it arrives, mainly as an e-mail attachment. However, the WannaCry malware (used in the 2017 Ransomware incident), unlike the Trojan, moved automatically between computers/networks without user intervention.

In recent years, Bharat has been addressing cyber security and related issues with great attention; however, the rising counts of cyber incidents, including Ransomware, raised the concerns of Bharat’s cyber defence institutions. According to “India Ransomware Report:H1-2022”, prepared by CERT-In, there has been a 51 per cent increase in Ransomware incidents in the first half (H1) of 2022 compared to H1 of 2021. The report also highlighted that in H1-2022, most incidents targeted Data-Centres, the IT/ITeS, andthe manufacturing and finance sectors. The Ransomware groups have targeted Critical National Infrastructure (CNI), including Oil & Gas, Transport, and Power. Another report on Ransomware painted a similar canvas. According to a report prepared by Sophos Inc highlighting observations in 2021, even though the organisations based in Bharat had backups and other methods of data recovery in place, almost 78% of them whose data the ransomware encrypted paid the ransom to get their data back. Cyber-criminals may easily access malware toolkits from the Dark Web that identify security flaws and give them access to everything from e-mail servers to complete network systems, including websites housed on public servers.

Healthcare Services: An Easy & Lucrative Target for Cyber-Criminals

An infamous and severe Ransomware incident was on 12 May 2017, in which the United Kingdom’s National Health Services (NHS) were crippled for several days by the ‘WannaCry’ crypto-worm. According to Europol, around 200,000 computers in 150 countries were severely infected in the unprecedented cyberincident. The ‘WannaCry’ incident had paralysed hospitals, disrupted transportation networks, and rendered businesses immobile worldwide. According to a report prepared by Kaspersky Lab on the same incident, Bharat, Russia, Ukraine, and Taiwan were the most severely affected countries in the WannaCry incident.

Despite several measures and legislations adopted against cybercrime, cyber incidents against healthcare services and hospitals are prominent and much of grave concern. Why healthcare sector is a lucrative target for cyber-criminals? The health sector institutions, including hospitals, and pharmacies, handle a massive amount of sensitive personal data. Such data can be highly valuable for cyber-criminals and terrorist groups. The stolen data can be marketed on Dark Web for a considerable amount, facilitating other illicit activities by Organised Crime Groups (OCGs) and terrorist organisations. During the Wuhan virus, aka COVID-19 pandemic, cyber-incidents against the healthcare sector rose 42 per cent in 2020. According to an estimate by the US Department of Health and Human Services (HHS), almost every month in 2020, over one million people were affected by data breaches at healthcare institutions. According to the report Ransomware Trends 2021 prepared by the DHHS, of the total Ransomware incidents reported in the US in 2020, 60 per cent had impacted the US health sector.

Ransomware hit Mumbai’s Mahatma Gandhi Memorial (MGM) Hospital in June 2018. Administrators at the hospital discovered computer systems that were “locked” and encrypted, and they also discovered a note from the perpetrators demanding a ransom in Bitcoins to unlock the systems and reclaim access to them. The MGM hospital reportedly lost data from 15 days worth of billing and patients’ medical records; however, there were no reported financial losses for the facility.

In March 2021, a cyber-intelligence company named Cyfirma reported that during the Wuhan virus pandemic, a China-backed hacking group known as APT10, aka StonePanda, targeted the systems of two Bharat-based vaccine companies— Serum Institute of India (SII) and Bharat Biotech, whose vaccines largely contributed to Bharat’s successful immunisation drive. The APT10 group intended to steal intellectual property and enable China to gain an advantage over the pharmaceutical firms of Bharat.

Apart from the AIIMS incident, the Medical Superintendent (MS) of the Safdarjung Hospital, located in New Delhi, Dr B L Sherwal, reported that for a day in November 2022 (date undisclosed), the server at the hospital was down, but the data was secured. The Safdarjung Hospital’s system’s IP (Internet Protocol) was blocked, but later it was revived by the IT team of the NIC.

On 27 November 2022, the “RansomHouse” ransomware affected Colombia’s Keralty global healthcare organisation. The incident caused the organisation’s website and business operations to be disrupted. An international network of almost 12 hospitals and 371 medical facilities, including those in the US, Spain, Asia, and Latin America, is operated by Colombia’s Keralty healthcare.[20] Similar to a physical incident, a cyber incident in healthcare facilities or hospitals can easily create a sense of fear and anxiety among patients, visitors, and staff members.

Way Forward for Bharat

The World Economic Forum (WEF)’s Global Cybersecurity Outlook 2022 report emphasises how the sophistication and frequency of ransomware incidents continue to rise. In 2021, around 14,02,809 types of cyber-incidents were addressed by the CERT-In, an increase of more than 21 per cent from the previous year. In 2021, Bharat reported 52,974 cases of cybercrime, a rise of over 05 per cent from the previous year. The advanced multistage Ransomware is also a result of the threat actors’ rapid technological advancement. Furthermore, the speed at which new security flaws are found makes it difficult for cyber-defenders to compete with cyber-attackers. According to Bruce Schneier,

“We need to get Ransomware under control. Poor cybersecurity makes too many of us easy targets. We need to secure our networks better so we are not so easily victimised by this crime. Along with aggressive lawenforcement, we need global partnerships to eliminate the safe havens where these criminals can operate. Ransomware is a crime well-optimised to the Internet age; we need to defence to up their game as well.”

According to the AIIMS officials (based on anonymity), the hospital catered to around 15 lakh outpatient and 80,000 inpatient cases per year. The data, which is sensitive, includes the personal credentials of patients— names, ages, gender, addresses, phone numbers, and medical history. The personal and medical data of millions of patients at AIIMS has been at risk. It would have been a nightmare if the digital health records of the VVIPs, politicians and other key personalities were compromised in the Ransomware incident at AIIMS.

In Bharat, Personal data, including health/medical information, is sensitive personal information per the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules”, 2011, enforced by the MeitY. CERT-In handles cyber security incidents in Bharat and does analyses of the incidents, later to be released as advisories, guidelines, vulnerability notes, and white papers. In 2018, the Ministry of Health and Family Welfare issued a draft to introduce a healthcare security law— “Digital Information Security in Healthcare Act” (“DISHA”). Reliability, data privacy, confidentiality, and securing digital health records are the key pillars of the DISHA.

As one of the measures implemented to ensure the coverage of data loss, Cyber (liability) Insurance, aka Cyber Risk Insurance/Cyber Security Insurance, can be used in the event of a cyber incident. Cyber Insurance is a policy that provides a variety of coverage options to businesses in order to help protect them from data breaches and other cyber security incidents, such as malware, Ransomware, and Distributed Denial-of-Service (DDoS) incidents. In addition to covering virtual assets, some cyber insurance policies cover physical damage to hardware or business income loss. Before issuing any such policies, cyber risk insurers evaluate the effectiveness of an organisation’s cyber security framework. Better coverage is made possible by robust cybersecurity frameworks. It may be challenging for insurers to fully understand the cyber security position of an organisation due to fragmented enterprise security approaches, which may cause organisations to purchase improperly targeted insurance.

The AIIMS administration is considering developing a cyber security policy to protect the hospital and patient data in light of the lessons learned from the incident. According to the draft plan, the AIIMS will assign a Cyber Security Officer (CSO) and senior-level IT specialists to the job. For e-Hospital and e-office-related duties, separate networks will be put up, and a network specifically for doctors’ e-mails and other official business will also be established. To prevent malware from spreading from their software in the servers and associated endpoints, all department faculties, Heads of Departments (HoDs), and scientists have been instructed to ensure security audits of the software they are employing from CERT-In certified auditing agencies.[26]

Bharat’s cyber security framework has been strengthened over time with the establishment of CERT-In, the National Critical Information Infrastructure Protection Centre (NCIIPC), the Indian Cyber Crime Coordination Centre (IC4), and the necessary appointment of the National Cyber Security Coordinator (NCSC) at the National Security Council Secretariat (NSCS). For the protection of CNIs, which includes healthcare and financial services, the Ostrich-like approach of burying one’s head in the sand when danger approaches, not goingafter the offenders, and hoping no one notices the incident will not work. The need of the hour requires a thorough assessment of the impact of such incidents and strengthening the cyber eco-system to ensure the overall security of our digital Bharat. As emphasised by Dr Muktesh Chander, former Special Commissioner of Delhi Police, the forthcoming “National Cyber Security Strategy” must be equipped with conditions for sufficient financial commitment to achieve measurable outputs and objectives. The cyber security strategy must include protecting cyberspace, discouraging cyber adversaries, and creating cyber security goods for domestic and international use.

This article first appeared in www.vifindia.org and it belongs to them.