cyberattack on All India Institute of Medical Sciences, which has paralysed the premier healthcare institution for two weeks now, has raised several concerns about the preparedness of the country to ward off similar or bigger-scale attacks on its critical infrastructure.
More such attacks could happen as India’s data infrastructure gets further integrated and connected, said experts, who asked the country to strengthen its defence against such threats.
India is extremely prone to such attacks, especially on health organisations as there is no law that mandates regular audits for healthcare or a body to oversee the same, unlike with payments where the Reserve Bank of India keeps a hawk eye on the organisations and their security levels, said experts ET spoke to.
According to reports, another top hospital in New Delhi — Safdarjung Hospital — has also been a target of an attack last week even though the severity of the attack has been less compared with the one that hit AIIMS.
Whether it is the country’s economic or market institutions or government organisations, everything is a target and institutions need to be extremely careful in terms of protecting data, said Harshil Doshi, director of sales (India and Saarc) at security information and event management company Securonix.
“AIIMS is a medical institute which holds very sensitive personal health information about the country’s top brass that could actually be used for espionage,” said Doshi.
“Specifically, if it is a nation-state sponsored attack from an adversary nation, they can potentially misuse this information to wage a different kind of cyber warfare in India which is a big risk for a country like us,” Doshi added.
Sources in the IT ministry said after the initial wave of attacks on critical infrastructure following the easing of Covid-19 lockdowns in 2021, all the government departments had been sent an “exhaustive list of dos and don’ts”.
Also read | Cyber attacks triple in last three years, but security funds underutilised
“At that time, several government departments such as health, science and technology, nuclear power plants and the armed forces were placed under critical infrastructure category and were asked to double down on their cyber infrastructure,” a senior government official said.
Sources said that the Indian Computer Emergency Response Team (Cert-In) had completed its “initial investigation” of the cyberattack on AIIMS and found several lapses in following the standard operating procedure prescribed for government departments which handle critical state-run infrastructure.
Some experts have also called for government departments to be held more accountable since they deal with a lot of sensitive personal data.
“The government should mandate independent threat monitoring and response for all government departments. Most government departments are understaffed and under-skilled to monitor and respond to cyber breaches. This will put them at par with private companies and will facilitate early detection and investigation of cyber threats,” said Amit Jaju, senior managing director at Ankura Consulting Group (India), which advises clients on areas such as cybersecurity risk management and finance.
Experts said healthcare data breaches will become more commonplace, especially in India.
Data from cybersecurity from CloudSEK reveals that the number of cyberattacks against the healthcare industry globally increased 95.34% in the first four months of 2022 compared with a year earlier.
The report said India saw the second-highest number of attacks worldwide, with a total of 7.7% of the total attacks on the healthcare industry in 2021. India accounted for 29.7% of all attacks in the Asia and Pacific region while China was the second most targeted country in the region with 21.6% recorded attacks in 2021, as per the report.
“The challenge with healthcare is that there is extremely sensitive data of patients and hardly much of a focus on security,” said Rahul Sasi, cofounder and CEO of CloudSEK.
The danger is not just about the personal data getting compromised.
“Generally, a hacker will ask for money upon accessing data. But suppose the threat actor is not driven by monetary gains but is looking to misuse the data. In that case, it could be a dangerous proposition, especially in the context of espionage and cyber warfare,” Sasi said.
Ishwar Prasad Bhat, CEO and founder of Necurity Solutions, said the number of cyberattacks could increase substantially going forward and may become more sophisticated.
“Proper security audits, monitoring systems and processes need to be in place as the data, reputation and trust are all at stake,” he said.
Healthcare information technology is an IT branch that helps develop, design, create and maintain information systems in hospitals, clinics and other healthcare facilities. In 2021, the global healthcare IT market was valued at $135.6 billion and was predicted to grow at a compound annual rate of 29.3% in ten years through 2030, according to Allied Market Research.
“The exponential growth of the global healthcare IT market brought about due to the outbreak of the 2020 global pandemic has led to a significant rise in cyberattacks targeting the sector globally. Safeguarding the medical and financial information of patients emerged as a new challenge for healthcare companies,” the report said.
The investigation into the AIIMS cyberattack should also focus on the insider angle as many hacking groups offer bribes to an insider to facilitate the hack, said Jaju of Ankura Consulting.