AIIMS cyberattack: Three months on, key questions remain unanswered

What happened to the compromised patient and hospital data? Did it make its way to the dark web? Could non-state actors have accessed it? No one has answers

On November 23, 2022, AIIMS Delhi faced a cyberattack that crippled its entire digital infrastructure

Almost three months after a massive cyberattack crippled the digital infrastructure at the All India Institute of Medical Sciences (AIIMS), Delhi, the government is yet to come up with a satisfactory answer on what happened to the patient data that was encrypted and may have been exfiltrated by the hackers. Sensitive data of 4 crore patients, including political leaders and other VIPs, was potentially compromised in the hacking.

The government has maintained that the services have been restored and the patient data has been repopulated into the system. But the most important question is what happened to the compromised data. Did it make its way to the dark web? Could non-state actors have accessed it? These questions have not been answered satisfactorily. The lack of a detailed explanation raises further questions about the extent of the damage the data leak may have caused.

On the quantum of data that was impacted, the government said “five servers of AIIMS were affected and approximately 1.3 terabytes of data was encrypted.”

Improper network segmentation

In a written reply to the Rajya Sabha, Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, said the Indian Computer Emergency Response Team (CERT-In) had concluded after a probe into the AIIMS cyberattack that it happened because of improper network segmentation, and that it resulted in operational disruption because critical applications stopped functioning.

Breaking down the issue, Ritesh Bhatia, a cybersecurity expert, said: “Segmenting important computers from the same network is an essential prerequisite and forms the cornerstone of cyber safety. It is like forming different groups and segregating important computers that may carry essential data from the other less essential data.”

It is still unclear if a ransom was paid to decrypt the 1.3 TB of patient data that was encrypted and whether the patient data was exfiltrated and is now available for sale on the dark web, emphasised Bhatia.
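The point about segmentation is easy to state and hard to picture, so here is an added example, written for this piece and not drawn from AIIMS, CERT-In or the experts quoted above. It models a small hospital network as hosts assigned to zones, with two policies: a flat network where everything can reach everything, and a segmented one with an explicit allow-list of zone-to-zone flows and default deny. It then computes the blast radius from a single compromised workstation by following every allowed hop. The host names, zones and flow rules are constructed assumptions for illustration.

```python
"""Blast radius on a flat vs. segmented hospital network.

Added example, not code from AIIMS, CERT-In or the article. The inventory and
the flow rules below are constructed for illustration only.
"""
from collections import deque
from typing import Callable

# Constructed inventory: host -> zone (assumed names, not a real network).
HOSTS = {
    "reception-pc-1": "user-lan",
    "ward-pc-7": "user-lan",
    "doctor-laptop-vpn": "remote-access",
    "ehospital-app": "app-tier",
    "ehospital-db": "data-tier",
    "backup-server": "backup",
    "lab-analyzer": "medical-devices",
}

Policy = Callable[[str, str], bool]


def flat_policy(src_zone: str, dst_zone: str) -> bool:
    """Flat network: no segmentation, any host can talk to any other host."""
    return True


# Segmented network: explicit allow-list of (source zone, destination zone).
# Anything not listed is denied. Note the direction of the backup flow: the
# backup server pulls from the database; the database can never initiate a
# connection to the backup zone, so malware on the DB cannot reach backups.
ALLOWED_FLOWS = {
    ("user-lan", "app-tier"),
    ("remote-access", "app-tier"),
    ("medical-devices", "app-tier"),
    ("app-tier", "data-tier"),
    ("backup", "data-tier"),
}


def segmented_policy(src_zone: str, dst_zone: str) -> bool:
    """Allow traffic inside a zone and only the listed cross-zone flows."""
    return src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_FLOWS


def reachable(start: str, policy: Policy) -> set[str]:
    """Hosts an attacker on `start` can reach directly or by pivoting.

    Breadth-first search over hosts: each compromised host may initiate
    connections according to `policy`, so the result is the transitive closure
    of the allowed flows starting from `start`.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host, zone in HOSTS.items():
            if host not in seen and policy(HOSTS[current], zone):
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(start: str, policy: Policy) -> list[str]:
    """Sorted list of hosts, other than `start`, exposed by its compromise."""
    return sorted(reachable(start, policy) - {start})


def backups_isolated(policy: Policy) -> bool:
    """Check that no host outside the backup zone can initiate to it."""
    return not any(
        policy(zone, "backup") for zone in set(HOSTS.values()) if zone != "backup"
    )


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        print(f"{name}: reception-pc-1 -> {blast_radius('reception-pc-1', policy)}")
        print(f"{name}: backups isolated? {backups_isolated(policy)}")
```

On the flat network the receptionist's PC reaches all six other hosts, backups included, which is the situation a ransomware operator hopes for. Under the segmented policy the same PC can still pivot through the application tier to the database, which is realistic and is why segmentation is a prerequisite rather than a cure, but it cannot touch the backup server, the lab analyser or the remote-access segment, and a compromised database server reaches nothing at all. That asymmetry is what lets a backup survive the encryption of production servers.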

Potential actors

So far, two Proton Mail addresses belonging to the attackers have been mentioned. Two IP addresses have been traced to Hong Kong and Henan province in China. Commenting on these preliminary pieces of information, Bhatia observed that they are not enough to pinpoint the exact source of the attack.

Attackers often route their attacks through different countries. Even if the attacks are carried out from a specific region, it is hard to link it to a particular state. Therefore, in terms of attribution, careful technical analysis spanning over months may be needed before anything can be claimed with a reasonable level of certainty.

How red flags were ignored

Speaking on condition of anonymity, an analyst at the institute said the technical team had raised major concerns about data and system safety on multiple occasions, because the servers were running on a legacy network, a risk that could have had serious repercussions on patient care.

The analyst further alleged that the hospital’s systems had always been vulnerable to attacks since there was neither a rigorous cybersecurity upkeep regimen nor any training given to staff on online hygiene.

“Allowing doctors and other staff to use the network from outside the hospital premises also presented a challenge. This made the already porous network more vulnerable to attacks. The network should have been updated with latest checks and security features,” observed the analyst. However, all the data for e-Hospital has been retrieved from a backup server, which was unaffected and restored on new servers, he added.

What kind of data is at stake?

The targeted data may include patients' protected health information (PHI), financial information such as credit card and bank account numbers, personally identifiable information (PII) such as national identity numbers, administrative records of blood donors, ambulances, vaccination and caregivers, employee login credentials, and intellectual property related to medical research and innovation.

Considering the increasing number of cyberattacks on healthcare institutions, setting up a credible, strong and responsive cybersecurity framework is the need of the hour. As the government's digital initiatives take off across domains, a robust framework will not only help thwart such future attacks but also enable all concerned to deal firmly with the situation that arises after an attack.