Date: 2022-11-30

The All India Institute of Medical Sciences (AIIMS), the country’s premier healthcare institution and the go-to hospital for Prime Ministers, reported a ransomware attack early on the morning of November 23. In the week since, authorities have shared little information, said virtually nothing about the data encrypted and accessed by the hackers, and not disclosed the full extent of the disruption to medical services. Therein lies the problem — a total lack of transparency around the data at stake, and ditto on the cybersecurity environment that existed at the premier centre.

Any entity that gets hit by ransomware deserves sympathy, even more so a hospital. AIIMS is neither the first to be attacked, nor the biggest. Consequently, there is no reason to be embarrassed. A 2018 breach in Singapore’s healthcare system, for example, rocked the island nation not only because of its size — 1.5 million, or nearly a quarter of the country’s population — but also because the suspected nation-state hackers singularly targeted the personal data of Prime Minister Lee Hsien Loong.

More recently, breaches at Australian mobile carrier Optus and health insurer Medibank in October compromised the data of nearly everyone in the country. In terms of cost, a 2021 ransomware attack on the Irish healthcare system — blamed on Russia’s Conti group — might be among the biggest. Critics reckon the state exchequer could need up to $600 million (Rs 4,800 crore), including the cost of rebuilding its IT infrastructure.

Today, nearly every organisation is vulnerable because hackers are everywhere and enjoy easy access to cheap attack tools and stolen network credentials. State-backed hackers — known as advanced persistent threat (APT) groups — bring far more sophisticated tools and techniques to the game. The most prominent among them include Russia’s Fancy Bear, China’s Winnti, and North Korea’s Lazarus.

A day likely never passes without ransomware striking some corner of the globe, with healthcare a more likely target than any other. In fact, British cybersecurity vendor Sophos concluded in a report last year that healthcare was the industry sector most impacted by ransomware. In 2021, two out of three hospitals suffered a ransomware attack, and over 60 percent of the attacked organisations had their data encrypted. Double-extortion has become the industry standard, with the hackers not only locking up data but also spiriting away a copy and demanding additional ransom. Failure to pay often leads to the hackers either selling the sensitive private data or commercial information, or simply leaking it.

In the circumstances, what we know about the AIIMS attack can be written on the back of a postage stamp. The organisation was quick to deny a PTI report that the venerable institution faced a ransom demand of Rs 200 crore, but has said little else. It has apparently restored some servers and access to health records, but media reports point to widespread disruption of even essential services. Still, doctors and nurses are bravely doing their job with pen and paper, not to mention WhatsApp. AIIMS has also suspended two system analysts, but has provided few details other than citing a cursory “dereliction of duty”.

In contrast, what we don’t know is a lot. Clearly, the lack of a data protection law lets AIIMS choose silence over any disclosure. But a State-run organisation does not necessarily have to do that, especially when so much is at stake. We don’t even know how many people’s data may have been compromised. Media reports suggest up to 40 million. What are the various data points (phone numbers, addresses, medical conditions, etc.) likely compromised? How much data was encrypted by the attackers? Can AIIMS recover all the data from backups, or would some data be lost permanently? What could be the cost of recovering the data and rebuilding IT systems? What could be the consequences of, say, AIIMS data being leaked or being sold in underground hacking forums?

Officials have suggested — with or without evidence — that Chinese or North Korean hackers may be involved.

In 2018, Singapore ran a parliamentary probe to get to the bottom of the SingHealth breach and beefed up cybersecurity all across government. India’s path toward full transparency — around the data at stake and the cyber readiness of AIIMS — lies in a similar parliamentary probe. With the winter session of Parliament opening on December 7, the onus is on India’s lawmakers to make sure the nation independently investigates the attack on AIIMS, and learns valuable lessons for the future.

