“What I preach to our executives is that it is not about the data; it is about the people. Behind every line of data and medical record number, there is a person. We do what we do because of the person, not the data. That’s what makes us passionate. When you get on the phone with patient whose information has been breached, and hear them cry, or how they feel violated, that is not a piece of data, that is a person.” - Meredith Phillips, Chief Information privacy and security officer, Henry Ford Health System
The All India Institute of Medical Sciences (AIIMS), New Delhi - which is one of the country’s premier medical research institutes was targeted by a cyberattack on November 23, 2022 which resulted in massive disruptions to hospital services as online booking of appointments was stalled resulting in long queues at the hospital. The scale of the attack was so huge that AIIMS shifted its operations to manual and canceled leaves of staff to deal with the rush at the hospital. AIIMS was unable to restart operations quickly and it had a huge impact on the services provided.
This attack raises many questions about cybersecurity vulnerabilities across sectors in India. Considering this attack was on a hospital, there is a serious risk to life due to delays at the hospital.
We all can understand the high level of information and cyber security infrastructure AIIMS would have in place already, but the fact is that organizations need to be on their toes every moment and ensure mitigation of even a small vulnerability today that has the potential to be the reason for a major damage tomorrow.
WHAT EXACTLY HAPPENED AT AIIMS?
“Medical devices and Electronic Health Record (EHR) systems are notoriously vulnerable to remote compromise” - James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
Reports indicate that at least 5 servers were infected due to the cyberattack resulting in the unavailability of online services at the hospital for a week. These 5 servers had data of approximately 3 to 4 crore patients; however, there is no confirmation on reports of data being stolen. Read about the news here.
Extent of Impact
Following an investigation by the Computer Emergency Response Team (CERT-In) team, a total of 4 servers were found to be infected. Read about the news here.
It has been 2 weeks since the attack, and the server facilities resumed partially on December 6.
The online registration of new patients visiting the OPD resumed, while the online appointment system is still not working and laboratory services are operating in manual mode as of now. Read more here.
WHY ARE CYBERCRIMINALS TARGETING THE HEALTHCARE SECTOR?
“Data is a precious thing and will last longer than the systems themselves.” - Tim Berners-Lee, inventor of the World Wide Web.
An alarming statistic published by Cybersecurity think tank Cyberpeace foundation and Autobot Infosec Private limited shows that this year alone the healthcare sector in India faced 1.9 million cyberattacks. Read about the news here.
Personal Health Information (PHI) is more valuable in the black market than Personally Identifiable Information (PII). As a result, cybercriminals have higher incentives to target the healthcare sector.
According to the Infosec institute, PHI information sells on the black market for about $363 as compared to PII which sells for only $1 - $2. This is because it is not possible to change someone’s medical history however you still have the option of changing the financial data even if it is stolen. Source info here.
CRITICAL INFORMATION INFRASTRUCTURE DESIGNATION
“Cyber-attacks are a security issue, from our perspective. And it's a security issue of particular concern with respect to the nation's core critical infrastructure, the infrastructure everyone relies on, the energy sector, the telecommunications sector, the banking sector.” - Janet Napolitano, Former United States Secretary for Homeland Security
As seen above, the healthcare sector is critical and needs immediate protection. However, despite the risks, India’s healthcare sector does not come under critical information infrastructure.
India’s IT Act 2008, defines critical information infrastructure as a computer resource whose incapacitation or destruction shall have a deep impact on national security, economy, public health, or safety. As the act specifies public health, it is important to designate the healthcare sector so that government agencies can tackle it on a war footing in case of a cyberattack.
WHAT CAN HOSPITALS DO TO PREVENT CYBERATTACKS?
“Security program design must start with a risk assessment: enterprise risk, business risk, regulatory risk, technology risk, industry risk. And you must keep looking at what's happening in the world right now that could heighten these.” - Tim Callahan, SVP & Global CISO, Aflac
1. Organizational Leadership
Every hospital must understand that cyberattacks on its system is an enterprise risk issue which could bring financial, legal, regulatory, and most important of them all - health risks. It is important that the top leadership of the hospital is absolutely sensitive about those risks so that they can act accordingly.
2. Staff awareness
As a hospital is generally composed of medical staff, it is important that they practice medical hygiene when dealing with their patients. It is also important that they practice cyber hygiene. Staff needs to be trained to prevent, identify, report and stop attacks. In case the attack happens, they should be trained to be able to protect the data and records, thereby containing the extent of damage.
3. Segmentation of systems
It is absolutely essential that firewalls are in place to separate the medical devices from the broader network, thereby preventing the spread of cybersecurity attack.
4. Cybersecurity audits
Hospitals should ensure that regular cybersecurity audits of their systems are conducted so as to ensure immediate addressing of any identified vulnerabilities.
The cyberattack on AIIMS was indeed an attack that disturbed the smooth functioning of the hospital resulting in not only delays in securing treatment for patients but also reputational loss for the organization as a whole. This serves as a wake-up call for those who don’t take cybersecurity risks seriously.
Can we imagine what would have happened if the attack impacted the medical equipment and infrastructure in the Hospital’s ICU and Operation Theatres? Think about this.
Are your cyber systems secure from such attacks and do you have cybersecurity policies in your organization to protect your data? Image source: Kulbhushan Jhadav, Public domain, via Wikimedia Commons
Gorisco has wide range of experts who are experienced in defining and designing various solutions to help organizations mitigate their risks and resolve their problems.
At Gorisco, our motto is 'Embedding Resilience' and we are committed to making the organizations and their workforce resilient. Reach out to us if you have any queries, clarifications, or need any support on your initiatives.
To read our other blogs, click here. More importantly, let us know if you liked them or not through your comments.