India must learn from the AIIMS cyberattack
Sunday was the fifth straight day that the All India Institute of Medical Sciences (AIIMS) in Delhi was offline after a cyberattack. For a facility that processes 6,000 patients a day on average, registrations, test reporting and billings are now being done on paper. Visitors speak of confusion, queues and long delays. Behind closed doors, the government’s top agencies — Delhi Police’s cyber cell, the Computer Emergency Response Team, National Informatics Centre — struggle to restore the network. Causing this havoc is ransomware that has locked away AIIMS’ data with an impossible-to-crack cryptographic key. This key is held by an attacker whose identity and motives are unknown. But if convention is any indicator, the objective is to extort a hefty ransom from AIIMS.
Signs of the worst that could happen now may have been portended by developments in Australia this month: Ransomware operators began releasing in tranches 9.7 million medical records hacked from Medibank, the country’s largest health insurer, after the ransom demand was not met. Targets such as Medibank and AIIMS are not just valuable for the money they can cough up; they also have medical records of millions of people. Leaks of such nature have espionage value, and are thus a national security risk. It is no surprise then that the incident at AIIMS is being probed for cyberterrorism. For years, experts have called on India to roll out a national strategy that would force organisations to arm themselves against the sort of attack that AIIMS has fallen victim to. The developments of last week are a disconcerting reminder of how costly red tape can be when it comes to cybersecurity.