In the realm of cybersecurity, the All India Institute of Medical Sciences (AIIMS) in Delhi, a premier medical institution and hospital, faced two significant cyberattacks within a span of seven months, highlighting the critical need for robust cybersecurity measures in healthcare institutions. This blog delves into the details of these attacks, the vulnerabilities exploited, and the essential lessons learned for enhancing cybersecurity.
On November 23, 2022, the All India Institute of Medical Sciences (AIIMS), a premier public medical research institution and hospital in New Delhi, India, reported a cyber incident on its servers (referred to interchangeably as 'systems'). As a result, several patient care services, including registration, admission, billing, and discharge, became inaccessible. According to several news reports, the incident was a ransomware attack that disrupted the e-services of AIIMS (New Delhi) from 07:00 hrs on November 23. By 6 December 2022, AIIMS officials confirmed that trial runs of the e-Hospital server had been successful and that most of the lost data had been retrieved over the preceding days.
The cyber attack had a profound impact on AIIMS’s operations:
Service Disruption: The attack went on for ten days and led to a 15-day outage of critical digital services, including smart laboratories, billing, patient enrolment, report generation, appointment systems and discharge.
Shift to Manual Operations: AIIMS was forced to revert to manual operations, causing delays and inefficiencies in patient care and administrative functions.
Wider Impact: The disruption had a ripple effect, impacting not just the institution but also the patients, especially those from remote areas who suffered the most due to delayed services.
Financial Consequences: AIIMS faced significant expenses in addressing the aftermath of the attack, including hiring cybersecurity professionals, implementing additional security measures, and potential ransom payments. Recovery costs and the other financial impacts of the incident were substantial.
Reputational Damage: A data breach has the potential to erode the trust and confidence of patients in AIIMS Delhi and the healthcare sector at large. Patients depend on healthcare institutions to uphold the security and confidentiality of their information while delivering safe and top-tier care. Such breaches may cast doubt on the institution's ability to protect patient data, undermining patients' trust in the organization and possibly prompting them to seek healthcare services elsewhere.
Response to the first Cyber Attack
AIIMS promptly took several measures to address the cyber attack:
Isolation of impacted systems: AIIMS swiftly isolated the affected systems and deactivated them to prevent the spread of the ransomware.
Collaboration with cybersecurity professionals: The institution partnered with cybersecurity experts to probe the attack, pinpoint the perpetrators, and commence efforts to restore the compromised systems.
Notification of relevant authorities: AIIMS promptly informed law enforcement agencies and the Indian Computer Emergency Response Team (CERT-In) about the incident, facilitating a coordinated response to mitigate the impact.
Crisis communication: AIIMS established a dedicated communication channel to keep affected patients, staff, and stakeholders informed about developments, offering updates and addressing concerns as they arose.
Recovery measures: AIIMS initiated recovery measures, including the decision to acquire four new servers from the Defence Research and Development Organisation (DRDO) on November 30, 2022, to aid in the restoration of its systems and services.
The first cyberattack on AIIMS Delhi in November 2022 was a significant ransomware attack that disrupted the hospital's digital operations and exposed critical data vulnerabilities. This attack highlighted the need for enhanced cybersecurity measures in healthcare institutions. Key aspects of the attack include:
Server Compromise: Out of AIIMS’s 100 servers (40 physical and 60 virtual), 5 physical servers were successfully compromised (two application servers, one database server and one backup server). This indicates a targeted approach towards the institution’s hardware infrastructure.
Data Encryption: Approximately 1.3 terabytes of data were encrypted during the attack. Encryption of such a large volume of data suggests the use of sophisticated ransomware. On infected PCs, all records were locked by encrypting them into files with a .bak9 extension.
Exposure of Sensitive Data: Reports indicated that the data of around 3-4 crore patients, including high-profile individuals, was potentially exposed. This breach of privacy had far-reaching implications, especially considering the sensitive nature of medical data.
Ransom Demand: The attackers demanded a hefty ransom of ₹200 Crore (30 bitcoins), reflecting the attack’s severity and the value the hackers placed on the encrypted data.
CERT-In Findings: CERT-In, the country’s premier cybersecurity agency, found that the hackers used two Protonmail addresses, “dog2398” and “mouse63209”, both created in the first week of November 2022 in Hong Kong. It also found that another encrypted file was sent from Henan, China.
Technical Insights: The hackers used two Protonmail addresses and targeted servers with ransomware and associated tooling (WannaCry, Mimikatz, and a Trojan). The attack was linked to servers in China, suggesting potential state-sponsored cyber warfare.
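The .bak9 renaming noted above is the kind of file-system signature a defender can alert on: legitimate software rarely appends one new extension to hundreds of files in seconds. The script below is an added example, not code from the original post or from AIIMS or CERT-In. It reads a constructed file-audit feed in a hypothetical one-line-per-rename format, and raises an alert when a single host appends the same new extension to at least `threshold` files within a sliding time window; the extension itself is not hard-coded, so it generalises beyond .bak9 to any mass-rename pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a file-audit feed in a hypothetical format:
#   <ISO timestamp> <host> RENAME <old path> -> <new path>
# Hostnames and paths are invented for illustration.
SAMPLE_EVENTS = """\
2022-11-23T06:55:10 EHOSP-WS12 RENAME /home/ops/notes.txt -> /home/ops/notes.txt.bak
2022-11-23T06:58:01 EHOSP-APP01 RENAME /srv/ehospital/reports/opd_001.pdf -> /srv/ehospital/reports/opd_001.pdf.bak9
2022-11-23T06:58:02 EHOSP-APP01 RENAME /srv/ehospital/reports/opd_002.pdf -> /srv/ehospital/reports/opd_002.pdf.bak9
2022-11-23T06:58:02 EHOSP-APP01 RENAME /srv/ehospital/reports/opd_003.pdf -> /srv/ehospital/reports/opd_003.pdf.bak9
2022-11-23T06:58:03 EHOSP-APP01 RENAME /srv/ehospital/billing/inv_4411.xml -> /srv/ehospital/billing/inv_4411.xml.bak9
2022-11-23T06:58:04 EHOSP-APP01 RENAME /srv/ehospital/billing/inv_4412.xml -> /srv/ehospital/billing/inv_4412.xml.bak9
2022-11-23T06:58:05 EHOSP-APP01 RENAME /srv/ehospital/billing/inv_4413.xml -> /srv/ehospital/billing/inv_4413.xml.bak9
2022-11-23T07:20:00 EHOSP-WS12 RENAME /home/ops/draft_v1.docx -> /home/ops/draft_final.docx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+RENAME\s+(?P<old>\S+)\s+->\s+(?P<new>\S+)$"
)


def parse_events(text):
    """Parse the feed into (timestamp, host, old_path, new_path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on a live feed
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["old"], m["new"]))
    return sorted(events)  # tuples sort by timestamp first


def appended_suffix(old_path, new_path):
    """Return the extension a rename appended to the original name, or None.

    Only renames of the form 'name.ext -> name.ext.NEW' count; an ordinary
    rename such as draft_v1.docx -> draft_final.docx is ignored.
    """
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        suffix = new_path[len(old_path):]
        return suffix if suffix.startswith(".") else None
    return None


def detect_mass_rename(text, window_seconds=60, threshold=5):
    """Alert when one host appends the same new extension to >= threshold files in a window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, suffix) -> timestamps still inside the window
    alerts = {}
    for ts, host, old, new in parse_events(text):
        suffix = appended_suffix(old, new)
        if suffix is None:
            continue
        key = (host, suffix)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop renames that have aged out of the window
        if len(q) >= threshold:
            # One alert per (host, suffix); keep refreshing the running count.
            alerts.setdefault(key, {"host": host, "suffix": suffix, "first_seen": q[0]})
            alerts[key]["count"] = len(q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['count']} files renamed to *{alert['suffix']} "
              f"since {alert['first_seen']:%H:%M:%S}")
```

On the constructed feed, the six .bak9 renames on EHOSP-APP01 trip the default threshold while the single .bak rename on the workstation does not. In production the same logic would sit on a file-integrity or audit stream (Windows object-access auditing, auditd, or an EDR file-event feed), and the alert would be the trigger for the isolation step described later in this post.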
A closer examination of AIIMS’s cybersecurity infrastructure revealed several critical vulnerabilities:
Outdated Systems: AIIMS had not undergone significant system upgrades for over thirty years. Operating with obsolete software and outdated versions of Windows left the systems vulnerable to modern cyber threats.
Network Segmentation Issues: According to CERT-In’s preliminary diagnosis, the cyberattack resulted from an “unorganised ICT (information and communications technology) network without centralised monitoring or system administration”. In practice, the infected devices were all connected to one another, the data on any of them could be reached from every other connected device, and no team was monitoring who was accessing these systems.
Firewall Policies: Firewall policies define what traffic is allowed or blocked; properly configured policies could have restricted the hacker’s ability to breach the network.
Legacy Network Failures: The cyberattack highlighted the failure of AIIMS’s legacy networks. Despite some digital solutions being outsourced, older networks remained unprotected and susceptible to attacks.
Other Vulnerabilities: Some AIIMS subdomains were found to be exposed to two weaknesses: Windows RDP and SQL brute forcing. A senior AIIMS official said that the institute uses Zimbra for email, which a February 2022 review at AIIMS had found to have loopholes. It is not clear to what extent these defects were remediated; if they were overlooked, that could be one more reason for the cyberattack.
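Exposed RDP and SQL endpoints are attacked by password guessing, and the first visible trace of that is a burst of failed logons from one source address. The script below is an added example for this post, not code from AIIMS or CERT-In. It runs over constructed log lines in two hypothetical single-line formats: one mimicking Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, which is what an RDP attempt produces), the other mimicking SQL Server errorlog entries for error 18456 (login failed). It flags any source address that fails at least `threshold` times against one service inside a sliding window, and reports how many distinct accounts were tried, which separates spraying from a single mistyped password. Source addresses use the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in hypothetical flattened formats (not real AIIMS logs).
# Windows lines: event 4625 with LogonType 10 = RDP; LogonType 2 = local console.
# SQL lines: SQL Server errorlog style entries for error 18456 (login failed).
SAMPLE_LOGS = """\
2022-11-22T23:10:01 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2022-11-22T23:10:03 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2022-11-22T23:10:04 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=aiims SourceIP=203.0.113.45
2022-11-22T23:10:06 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2022-11-22T23:10:07 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=sa SourceIP=203.0.113.45
2022-11-22T23:10:09 EHOSP-APP02 EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.45
2022-11-22T23:15:30 EHOSP-APP02 EventID=4625 LogonType=2 TargetUser=rkumar SourceIP=10.20.5.17
2022-11-22 23:12:05.11 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2022-11-22 23:12:05.40 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2022-11-22 23:12:05.72 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2022-11-22 23:12:06.03 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2022-11-22 23:12:06.35 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2022-11-22 23:40:10 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'ehosp_app'. [CLIENT: 10.20.5.40]
"""

WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+EventID=4625\s+"
    r"LogonType=(?P<lt>\d+)\s+TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)$"
)
SQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+Logon\s+Error: 18456,"
    r".*?Login failed for user '(?P<user>[^']+)'.*?\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_ts(text):
    """Parse either 'YYYY-MM-DDTHH:MM:SS' or 'YYYY-MM-DD HH:MM:SS' (fraction already dropped)."""
    return datetime.strptime(text.replace("T", " "), "%Y-%m-%d %H:%M:%S")


def parse_logs(text):
    """Yield (timestamp, service, user, source_ip) for every failed-logon line, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = WIN_RE.match(line)
        if m:
            service = "rdp" if m["lt"] == "10" else "windows-logon"
            events.append((parse_ts(m["ts"]), service, m["user"], m["ip"]))
            continue
        m = SQL_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), "mssql", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])  # stable: same-second lines keep file order


def detect_bruteforce(text, window_seconds=120, threshold=5):
    """Flag any (source IP, service) with >= threshold failed logons inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # (ip, service) -> failure timestamps inside the window
    users_tried = defaultdict(set)  # (ip, service) -> distinct accounts attempted so far
    alerts = {}
    for ts, service, user, ip in parse_logs(text):
        key = (ip, service)
        q = recent[key]
        q.append(ts)
        users_tried[key].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = {
                "source_ip": ip, "service": service, "failures": len(q),
                "distinct_users": len(users_tried[key]),
                "window_start": q[0], "window_end": ts,
            }
    return sorted(alerts.values(), key=lambda a: a["window_start"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOGS):
        print(f"ALERT {a['service']} from {a['source_ip']}: {a['failures']} failures, "
              f"{a['distinct_users']} accounts tried, {a['window_start']:%H:%M:%S}-{a['window_end']:%H:%M:%S}")
```

On the constructed data the RDP source produces an alert with six different account names in eight seconds (a spray), and the SQL source an alert with five attempts against 'sa' in about a second (a dictionary attack); the two single internal failures stay quiet. The more durable fix is the one implied by the text: RDP and SQL listeners should not be reachable from the internet at all, and the firewall rules the post discusses are where that is enforced.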
The incidents at AIIMS Delhi highlight several critical lessons. These include:
Regular Threat Analysis: Organizations should conduct frequent vulnerability assessments and audits to identify and address security gaps. This should also involve routine software reviews, particularly following updates or changes.
Capacity Building: Enhancing the capabilities of central cybersecurity agencies like NCIIPC and CERT-In is crucial. This should focus on emerging technologies such as AI, ML, Blockchain, IoT, and automation. Additionally, sector-specific CERTs need to be established, particularly in healthcare.
Data Backup Strategy: Healthcare institutions should adopt the '3-2-1 backup' method, storing three copies of data in two different formats, with one copy kept offline. This is a key practice for maintaining cybersecurity in healthcare.
Allocating Sufficient Budget: A dedicated portion of the annual budget, suggested at a minimum of 0.25% and up to 1%, should be earmarked for cybersecurity, in line with the National Cyber Security Strategy recommendations. Significant institutions like AIIMS New Delhi, serving a large patient base, should be prioritized as strategic entities.
Crisis Management: Regular cybersecurity drills simulating real-life attack scenarios are essential. Establishing a 'National Gold Standard' for Indian hardware and software companies would ensure adherence to top-tier safety protocols.
Significance of staff training: Consistent training sessions and awareness programs for employees play a crucial role in enhancing their ability to recognize and address potential cyber threats, consequently minimizing the risk of human error. It is imperative that healthcare personnel, comprising physicians, nurses, administrators, and support staff, receive comprehensive knowledge about cybersecurity importance and are equipped with best practices for risk mitigation.
Enhancing email security: Deploying sophisticated email filtering solutions and educating staff about the dangers of phishing emails can substantially decrease the likelihood of ransomware attacks originating from email campaigns. This enables healthcare professionals to actively participate in safeguarding patient data and upholding patient trust and confidence.
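The '3-2-1 backup' lesson above is easy to state and easy to drift away from, which is why an attack that reaches a backup server (as the one described in this post did) is so damaging. The following is an added example, not part of the original post and not AIIMS's tooling: a small audit that checks a constructed backup inventory for a hypothetical hospital against the three rules (three copies, two media, one offline) and additionally against a restore-test age limit, since an untested backup is not a backup. "Format" in the post is read here as storage medium, the usual meaning of the rule.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str              # e.g. "disk", "tape", "object-storage"
    offline: bool            # air-gapped or otherwise unreachable from production hosts
    last_restore_test: date  # last time a restore from this copy was actually exercised


# Constructed inventory for a hypothetical hospital (labels and dates are invented).
INVENTORY = {
    "ehospital-db": [
        BackupCopy("primary", "disk", False, date(2022, 11, 1)),
        BackupCopy("nas-replica", "disk", False, date(2022, 11, 1)),
        BackupCopy("tape-vault", "tape", True, date(2022, 9, 12)),
    ],
    "lab-results": [
        BackupCopy("primary", "disk", False, date(2022, 11, 10)),
        BackupCopy("nas-replica", "disk", False, date(2022, 11, 10)),
    ],
}

AUDIT_DATE = date(2022, 11, 23)  # the day of the first incident, used as "today"


def check_321(copies, today, max_test_age_days=90):
    """Return the list of rule violations for one dataset; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(c.offline for c in copies):
        problems.append("no offline copy")
    stale = [c.label for c in copies
             if (today - c.last_restore_test).days > max_test_age_days]
    if stale:
        problems.append(f"restore test older than {max_test_age_days} days: {', '.join(stale)}")
    return problems


def run_audit(inventory=INVENTORY, today=AUDIT_DATE):
    """Audit every dataset and map its name to its list of violations."""
    return {name: check_321(copies, today) for name, copies in inventory.items()}


if __name__ == "__main__":
    for name, problems in run_audit().items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{name}: {status}")
```

In the constructed inventory the database set passes (two disk copies plus an offline tape, all restore-tested within 90 days), while the lab-results set fails on all three rules: two copies, both on disk, none offline. Note that an online "replica" on the same network as production is exactly the copy a ransomware operator can reach, which is why the offline rule carries the most weight.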
In June 2023, the All India Institute of Medical Sciences (AIIMS) in Delhi successfully averted a cyber threat that could have had severe repercussions. Unlike the incident in November 2022, this attempt was efficiently identified and neutralized before any significant harm could be inflicted. This incident is indicative of AIIMS's enhanced cybersecurity posture, having learned from the previous attack. The efforts to bolster defenses, including addressing vulnerabilities and reinforcing network security, proved effective. The proactive response not only prevented potential data loss and operational disruptions but also showcased the importance of continuous vigilance and improvement in cybersecurity strategies for critical institutions like AIIMS Delhi.
An image of a computer system during the cyber attack in June 2023
According to an official source within AIIMS, significant structural changes were made in the wake of the initial cyberattack in November 2022. These included updating the hospital's software, updating the firewall rules, enhancing cybersecurity measures, and strengthening the IT infrastructure. The efforts to fortify AIIMS's cyber defences evidently paid off, as they successfully prevented the malware attack (the second cyberattack) on 6 June 2023.
A tweet from AIIMS Delhi's official X account confirming the successful prevention of the second cyber attack
Despite India's increasing focus on cybersecurity, the surge in cyberattacks, particularly in the healthcare sector, is alarming. The Indian healthcare industry, increasingly digitalised, especially post-COVID-19, has become a prime target for cyber threats. In 2021, India's healthcare sector accounted for 7.7% of global healthcare industry attacks and 29.7% of those in the Asia-Pacific region, as reported by CloudSEK. The first four months of 2022 saw a 95.34% increase in attacks compared to the same period in 2021. The rise in data breaches and digital banking threats across various sectors highlights the vulnerabilities in India's cybersecurity domain. The frequency and scale of these attacks, including at least seven major incidents in critical infrastructure in the last two years, underline the urgent need for enhanced protection measures. According to CERT-In's India Ransomware Report 2022, there has been a 51% increase in ransomware attacks, emphasising the criticality of bolstering cybersecurity defences across sectors.
The cyberattacks on AIIMS Delhi serve as a critical reminder of the ever-increasing cybersecurity threats in today's digital landscape, particularly for healthcare institutions. These incidents underscore the vital need for ongoing vigilance, regular security audits, and the implementation of robust cybersecurity protocols. Healthcare providers, in particular, must prioritize the security of their digital infrastructure to protect sensitive patient data and ensure continuous medical services. These events at AIIMS Delhi emphasize that cybersecurity is not a one-off task but an ongoing process that demands constant updates and improvements. In a time where digital data holds unprecedented value, the significance of conducting thorough security assessments, adhering to stringent security protocols, and taking proactive measures against cyber threats is more crucial than ever. These attacks also remind us that cybersecurity is a shared responsibility essential for preserving the integrity of our digital spaces. They further highlight that even well-defended institutions are vulnerable to cyber threats, stressing the importance of continuous monitoring and updating of cybersecurity measures. These incidents should motivate organizations to educate their staff about recognizing and proactively responding to potential cyber threats. The AIIMS Delhi cyber attacks act as an alarm for all organizations to prioritize cybersecurity, continuously assess vulnerabilities, and adopt a proactive approach to safeguard their digital infrastructures. Lastly, these attacks reflect the current inadequacies in protecting India's critical information infrastructure. Moving ahead, it's crucial to internalize the insights gained from these experiences, reinforcing our digital defenses and staying vigilant against the ever-evolving landscape of cyber threats. 
In doing so, we can ensure the safety and integrity of our digital spaces, protecting them against the unforeseen challenges of tomorrow.