Cyberattacks on hospitals thwart India’s push to digitize healthcare
In late November, as a thick layer of smog settled over the All India Institute of Medical Sciences in New Delhi, patients began experiencing long wait times. Long lines snaked along the length of the massive building and back several yards.
The hospital computers had stopped working, so medical reports could not be generated. Although patients were still being treated, paper bills were handed out. After a few days, people who feared that traveling back home would be too expensive began sleeping under a nearby flyover to wait.
A massive cyberattack had compromised the health data of millions of patients, from those living in extreme poverty to high-profile politicians, bureaucrats and judges.
The Delhi police had a bigger problem on their hands. They were in possession of an email that said: “What happened? Are your files encrypted? What is the price of the repair? The price depends on how fast you can pay us.” reported news sources
The Delhi Police initially denied reports of a ransom demand. But then they confirmed that the AIIMS servers were hacked and the data was being held for ransom. Police sources were quoted as saying the attack originated from China and Hong Kong.
Two weeks later, the AIIMS servers are now limping back to normal.
A digital health ID for every Indian
Cybersecurity experts express broader concerns.
Because India does not have robust cybersecurity systems or robust data protection laws, the breach has unnerved observers about Prime Minister Narendra Modi’s ambitious plan to digitize all Indians’ health records.
In 2020, most people around the world were only hearing about COVID-19. The Indians were forced into a sudden lockdown, and no one knew when vaccinations or a semblance of normal life would return.
In that context, Modi announced that all Indians would get a health ID under the National Digital Health Mission: “All your tests, every illness, what the doctors prescribed and when, your reports will be in one health ID.”
Health professionals can access these health records only after the informed consent of the ID holder, Modi clarified.
Cybersecurity experts are hesitant to obtain informed consent, as that concept is relatively new in the country. “Citizens who are forced to obtain a health ID and digitize their health records without proper safeguards leave them vulnerable,” says Srinivas Kodali, a technology expert and researcher at Indian Free Software Movement. “With plans for ubiquitous sharing of health records between hospitals, doctors, insurance agencies and health technology companies, Indian health data is expected to be more prone to leaks, data breaches and exploitation” , add.
More than 170,000 hospitals across the country have already signed up for the National Digital Health Mission. Registration is mandatory for government-run hospitals.
Right across from AIIMSit is another huge government-run hospital, where thousands of people line up for treatment. Around the same time that AIIMS reported the ransomware attack, Safdarjung Hospital also reported a cyberattack that disabled their servers for a day. Data was not breached and servers were restored quickly.
Currently, the security of a patient’s data will depend on how secure the hospital’s servers are. Under the National Digital Health Mission, all hospitals will be responsible for storing and protecting the patient data they collect. Safdarjung’s patients were simply lucky their data was not breached.
Kodali says that if there is a plan to have a unique national health ID, then the cybersecurity of such massive amounts of data should be the responsibility of the government. “Expecting hospitals to take care of their own cybersecurity is like asking an IT professional to medically operate on himself,” he says.
in a 2022 White paper, the artificial intelligence company CloudSEK said that cyberattacks in the global healthcare industry increased by more than 95% compared to last year. The attacks occurred primarily on systems in the US, followed by India.
Cyber threats are coming
Observers caution against large-scale digitization before the necessary checks are in place. “In large systems, digitization can create efficiencies, but it also creates the potential to disrupt information flows with cascading impacts to society,” says Anita Gurumurthy, director of the nonprofit organization IT for changewho works on technology policy and human rights.
Indian authorities agree that the country faces increasing cyber threats. The Indian Computer Emergency Response Team (CERT-IN), the national cybersecurity watchdog, noted a 51% increase in the number of ransomware attacks, including on critical infrastructure, over the previous year.
In the absence of a personal data protection bill, as well as a law governing the digital health ecosystem, Gurumurthy says, the regulatory system is not conducive to maintaining large data sets.
In addition, the lack of awareness of users about cyber risks and the use of old legacy technologies contribute to vulnerability, according to Rajeswari Pillai Rajagopalan, director of the Center for Security, Strategy and Technology (CSST) in the think tank Observer Research Foundation. “India also needs to study the evolving tactics, techniques and procedures [TTPs] hackers and criminals to prevent these attacks. India will pay a heavy price if it is seen as an easy target.”
Copyright 2022 NPR. To see more, visit https://www.npr.org.