Context
- Recently, India’s top public health institute, the All India Institute of Medical Sciences (AIIMS) in Delhi, was hit by a ransomware attack that crippled routine health care for thousands of patients.
- The cyber-attack comes just a month after AIIMS announced that it would go paperless on January 1, 2023, and would be fully digitised by April 2023.
Relevance
GS Paper 3: Internal Security
Mains Question
How would you rate India’s preparedness for potential cyber-attacks? Suggest a few measures that should be implemented to combat this threat. (150 words)
Cyberattack
- Definition: A cyber-attack is any unauthorised access to a computer, computing system, or computer network with the intent to cause harm.
- Motivation: Its goal is to disable, disrupt, destroy, or control computer systems, as well as to change, block, delete, manipulate, or steal the data contained within these systems.
- Ransomware attack: This is a type of malicious software that encrypts the victim’s files, disables access to a computer system, and demands a ransom to decrypt the files. Examples include WannaCry and Petya.
- It is frequently designed to spread across a network and target database and file servers, paralysing an entire organisation.
- Unlike most other types of cyber-attacks, ransomware announces itself to the victim: the ransom note makes the attack visible as soon as the data is encrypted.
More on the AIIMS cyberattack
- Restricting access: The organisation’s critical data has been encrypted, so staff cannot access files, databases, or applications stored on the hospital’s main and backup servers.
- Ransom demand: The attackers have made an undisclosed demand in cryptocurrency for a key that will decrypt the data.
- Multi-agency investigation: Because of the scope and gravity of the attack, multiple agencies, including Delhi Police, the Centre’s Computer Emergency Response Team (CERT-In), the Ministry of Home Affairs, and even the National Investigation Agency, have joined the investigation.
- Plan B: In the meantime, AIIMS Delhi has decided to obtain four new servers from the Defence Research and Development Organization (DRDO) to be used immediately to provide e-hospital services to patients.
The attack’s ramifications
- Hackers compromised the data of nearly 4 crore patients, including sensitive data and medical records of VIPs such as former prime ministers, ministers, bureaucrats, and judges, among others, which could be sold on the dark web.
- Cyber-terrorism threat: The Delhi Police has classified the attack as a case of cyber terrorism under Section 66F of the Information Technology (Amendment) Act, 2008. This indicates a much broader scope than a typical ransomware attack.
Vulnerability of India’s Healthcare Sector
- According to the cyber threat watchdog CloudSEK, the Indian healthcare sector is the second most targeted by cybercriminals worldwide.
- Its research also revealed that during the pandemic, health organisations experienced a massive increase in cyber-attacks. For example, the number of cyber-attacks on the sector increased by 95.34% in the first four months of 2022 compared to the same period in 2021. According to Indusface, a software security company, over 1 million cyber-attacks of various types occurred across its global healthcare clientele. In India alone, 278,000 attacks were reported.
- According to Google, India experienced 18 million cyberattacks and 2 lakh threats per day in the first quarter of 2022.
Reasons for an increase in healthcare infrastructure cyber-attacks
- Increased reliance on digital systems following Covid: Hackers and criminal syndicates recognised medical institutes’ reliance on digital systems to optimally manage medical functions as well as store and handle large volumes of patient data.
- The health and medical sectors are not classified as critical information infrastructure (CII): While most countries have declared health to be CII, India has not explicitly done so.
- According to the National Critical Information Infrastructure Protection Centre (NCIIPC), the critical sectors are: power and energy; banking, financial services and insurance; telecommunications; transportation; government; and strategic and public enterprises.
Cybersecurity safeguards available in India
- Information Technology Act, 2000 (Amended in 2008): This is India’s primary law governing cybercrime and digital commerce.
- National Critical Information Infrastructure Protection Centre (NCIIPC): It was established under Section 70A of the Information Technology Act of 2000 to safeguard the nation’s critical information infrastructure.
- CERT-In (Computer Emergency Response Team): It is the National Cyber Security Nodal Agency and has been in operation since 2004.
- National Cyber Security Policy, 2013: This policy establishes a vision and strategic direction for protecting the nation’s cyberspace.
- Cyber Swachhta Kendra: It assists users in analysing and keeping their systems free of various viruses, bots/malware, Trojans, and other threats.
- Cyber Surakshit Bharat: This initiative was launched in 2018 to raise awareness about cybercrime and build capacity for safety measures among Chief Information Security Officers and frontline IT staff across all government departments.
Steps to take to reduce cyber threats
- Make threat analysis a standard practice: A vulnerability report should be generated, followed by an audit that highlights any gaps in the organisation’s cyber-attack preparedness.
- Timely safety audit: An annual review of the software should also be performed, or as soon as the software is changed/updated, whichever comes first.
- Capacity development: To address the emerging sophisticated nature of threats and attacks, capacity enhancement for the NCIIPC and CERT-In is required in areas such as AI/ML, Blockchain, IoT, Cloud, and Automation.
- Sectoral CERTs must also be established in many areas, including health.
- Use the ‘3-2-1 backup’ strategy: Healthcare organisations must keep three copies of each type of data in two different formats, including one offline copy that cannot be reached from the production network. This is an industry best practice for ensuring the cyber security of healthcare institutions.
- National cyber security strategy: The strategy will serve as a guiding document for monitoring institutes’ cyber readiness and enhancing capacity on a variety of fronts, including forensics, accurate attribution, and cooperation, among others.
- Increased budgetary allocation: As recommended by the National Cyber Security Strategy, a minimum allocation of 0.25% of the annual budget, which can be increased to 1%, should be set aside for cyber security.
- Declaring strategic enterprise: An organisation such as AIIMS New Delhi could be considered a “strategic and public enterprise” because it serves crores of patients, including the country’s top leadership.
- Crisis Management: To adequately prepare for a crisis, cybersecurity drills that include real-life scenarios with their ramifications can be conducted.
- Safety protocols: A National Gold Standard should be established to ensure that Indian hardware and software companies follow the most stringent safety protocols.
- Cyber Diplomacy: To counter cyber-attacks, key regional blocs such as BIMSTEC and the Shanghai Cooperation Organization (SCO) must ensure cyber security preparedness through programmes, exchanges, and industrial support.
- Raising awareness: The general public needs to be made aware of the value of their personal data and the vulnerabilities it could create if accessed illegally.
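The ‘3-2-1 backup’ item above is the one measure in this list that can be checked mechanically. The following is an added example (not part of the original note, and not tooling from AIIMS, CERT-In or NCIIPC) that evaluates a constructed backup inventory against the rule: three copies per dataset, two storage formats, and at least one copy offline. The dataset names, locations and the `BackupCopy` record are assumptions for illustration; the inventory mirrors the situation described above, where both the main and the backup server were online and therefore both got encrypted.

```python
"""Check a backup inventory against the 3-2-1 rule (3 copies, 2 formats, 1 offline)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str    # logical data set, e.g. an EHR database (hypothetical names)
    location: str   # where this copy lives
    medium: str     # storage format: "disk", "tape", "object", ...
    offline: bool   # True only if unreachable from the production network


# Constructed sample inventory. Both "ehr_db" copies sit on online disks,
# so ransomware spreading across the network can encrypt both of them.
INVENTORY = [
    BackupCopy("ehr_db", "main-server", "disk", offline=False),
    BackupCopy("ehr_db", "backup-server", "disk", offline=False),
    BackupCopy("pacs_images", "main-server", "disk", offline=False),
    BackupCopy("pacs_images", "backup-server", "disk", offline=False),
    BackupCopy("pacs_images", "tape-vault", "tape", offline=True),
]


def evaluate_3_2_1(copies):
    """Return {dataset: [failed checks]}; an empty list means compliant."""
    findings = {}
    for dataset in sorted({c.dataset for c in copies}):
        mine = [c for c in copies if c.dataset == dataset]
        problems = []
        if len(mine) < 3:                       # rule "3": three copies
            problems.append(f"only {len(mine)} copies (need 3)")
        if len({c.medium for c in mine}) < 2:   # rule "2": two formats
            problems.append("all copies on a single storage format")
        if not any(c.offline for c in mine):    # rule "1": one offline copy
            problems.append("no offline copy; every copy is reachable from the network")
        findings[dataset] = problems
    return findings


def is_compliant(copies, dataset):
    """True if the given dataset passes all three checks."""
    return evaluate_3_2_1(copies).get(dataset) == []


if __name__ == "__main__":
    for name, problems in evaluate_3_2_1(INVENTORY).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running it reports the EHR database as failing all three checks while the imaging data passes, which is exactly the gap an audit of the kind recommended above should surface before an incident rather than after it.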