The Incident
The Delhi AIIMS statement released on November 23 stated that a ransomware attack may have caused its servers to go down. The National Informatics Centre (NIC) notified AIIMS of the downtime. The operating system for AIIMS servers was Zimbra, a programme that specializes in email services. Zimbra, owned by American software and services company Synacor, was found to have vulnerabilities as early as February of this year. One week after the attack, Minister of State for Electronics and IT, Rajeev Chandrasekhar said that the attack on the servers of AIIMS Delhi was a conspiracy and was organized by powerful forces.
Following the incident, Delhi Police filed a First Information Report under Sections 66/66F of the Information Technology Act, which deals with cyberterrorism and computer-related offences against unidentified people, and Section 385 of the Indian Penal Code, which deals with inducing fear of bodily harm in order to commit extortion. Three attachments were received from email users using the names “dog” and “mouse,” demanding an undisclosed ransom. For the AIIMS’ IT department to decrypt the data, the users asked for the program and private key and warned the administrators not to use external software to fix the system, as this could lead to irreversible data loss. In the aftermath of the cyber attack, the institute’s online management system was temporarily down, and millions of patient records, including those of senior politicians, were compromised.
Additionally, the hospital contacted E&Y to investigate the cybersecurity systems as they were engaged prior this year. In light of the already compromised AIIMS servers, cybercriminals have intensified their attacks on the websites and patient information systems of other Indian health and research institutions. Over a 24-hour period on November 30, more than 6000 attempts were made to hack the Indian Council of Medical Research (ICMR) website. Healthcare organizations’ patient information systems have been among the top targets for hackers. In the past few years, hackers have targeted the World Health Organization website more frequently.
The Dilemma of Cybersecurity Failure
“What happened? Your files are encrypted?”, “What is the price to repair? The price depends on how fast you can pay to us” — this was the message delivered by the hackers that damaged the servers of AIIMS that dissipated the confidential health information. The chief investigator believes that Chinese invaders may have been involved and cannot be completely ruled out. Furthermore, he claimed the hackers offered to decode three files for free before a payment was made. It was also noted that the files were protected by “RSA-2048” encryption and that any attempts to decrypt them with outside software could result in irreversible data loss.
Being a ransomware attack, it can be seen that the systems of AIIMS are disruptive enough to cause a massive data breach with a tinge of espionage being tied to it. Ransomware encrypts a computer, system, or server with encryption keys. Data and information stored in all system files are encrypted, preventing system users from accessing them. For the information and data to be unlocked, the attackers demand a ransom in cryptocurrency.
As part of standard security processes against cyberattacks, operating systems are regularly updated, antivirus software is installed, and offline backups of vital data are performed. The computer and IT infrastructure at the All India Institute of Medical Sciences (AIIMS) has not been improved or rather upgraded for 30 years as cited by the officials. To maintain the medical records before the attack, outdated hardware, outdated software, and outdated versions of the Windows operating system were deployed by AIIMS.
AIIMS’ computer and IT facility has summoned a conference of IT suppliers to obtain solutions by December 31st and prevent non-security audit applications from accessing the AIIMS network and central servers. Several intermediate points were missing security measures, and a poorly configured firewall defended the AIIMS’ network. The majority of the switches in the network were not managed thus proving to be defenseless.
The ransomware infection might not have spread if the switch had been managed. An unmanaged switch does not have any security features. Additionally, firewall policies define what traffic should be allowed or blocked, which could have restricted the hacker’s ability to access the network. Moreover, an IP address based in Hong Kong appeared to be used to transmit the information which could have been monitored by the cybercrime unit of the Delhi police, and previous to the attack the firewall could have protected the information.
Way Ahead
ProtonMail has been notified of these two email addresses by India’s Computer Emergency Response Team Cert-IN and Interpol, whose Indian nodal agency is the CBI, to identify the user or users. Additionally, firewall logs were gathered for analysis. Using the Forensic Science Laboratory’s (FSL’s) imager and hashing technology, Delhi’s Forensic Science Laboratory (FSL) imaged each infected system.
In the wake of the cyberattack, AIIMS Delhi switched from automated to manual operations. Patient admissions and discharges were difficult to manage, as well as serving individuals without health identification numbers. Several organizations have already joined the investigation into the suspected malware attack, including the India Computer Emergency Response Team (CERT-IN), Delhi Police, Intelligence Bureau, Central Bureau of Investigation (CBI), and Ministry of Home Affairs (MHA).
A ransomware attacker often releases a small amount of personal information to exert pressure on their victim. This is not the case in this instance, although it is still possible that a data breach might occur. A cybersecurity policy has been drafted by the hospital’s management in an effort to protect patient and hospital data. It is encouraging that AIIMS plans to assign a cyber security officer and senior IT professionals to deal with IT-related tasks ending a jinx of 30 years. In the healthcare industry, protecting patient medical and financial information has become a new challenge to conquer and poses an eye-opener to all hospitals to safeguard their systems with adequate safety protocols.
Written by: Aathira Pillai
Edited by: Labdhi Shah