A ransomware attack on AIIMS affected all the data in its systems. The attack lasted ten days, during which millions of patient records were compromised, including those of VIPs.
Before the attack, medical records were accessed using outdated computer hardware and software and an out-of-date version of the Windows operating system. According to the officials mentioned above, the need to upgrade the IT system had been discussed with top authorities multiple times in the past. However, nothing has been done about it.
Furthermore, the identities of the officials have been withheld. As part of their confidentiality agreement, they did not want to be identified.
"It has been at least 30-40 years since the institute upgraded its computers and technology in the lab. Several outdated machines in the institute did not contain the latest version of Windows. The top administration was notified multiple times of our concerns regarding this issue, but no improvement has been made. Until now, the computer and information technology office was headed by a doctor who was unfamiliar with IT work. Consequently, there are several flaws in this department," a senior official at AIIMS explained.
The hospital has been operating manually for the past 12 days as the servers have been down. To ensure that hospital and patient data are protected, the hospital administration is now developing a cybersecurity policy.
AIIMS plans to recruit a cybersecurity officer and several senior IT professionals for IT-related tasks under this enhanced cybersecurity framework and is preparing to delegate them to AIIMS. A separate network will be set up for e-hospital and e-office-related work, and another for doctors to handle official mail and other work related to their profession. The new security plan also instructs all faculty members, heads of departments, and scientists to ensure that the software they use is thoroughly audited by CERT-IN-certified auditing agencies to prevent malware from spreading on their servers and connected endpoints, said a member of AIIMS's security department who was aware of these developments.
The hospital's computer and IT facility has called an IT vendor meeting in hopes of getting such solutions from vendors by 31 December. This will prevent unauthorized access to the AIIMS network and central servers from applications that have not been security audited.
As a safety precaution, faculty and doctors across AIIMS have been instructed not to connect routers, hubs, or other devices to the institution's network ports.
According to reports last week, the institute said in a statement that it had restored the e-office at the hospital, but that because of the enormous volume of data involved, the department was still operating manually.
A spokesperson for the health ministry and AIIMS did not respond to questions sent to them.
To help AIIMS resolve the crisis, the central government has delegated experts from the National Investigation Agency, the Defence Research and Development Organization, the Indian Computer Emergency Response Team, the Delhi Police, the Intelligence Bureau, the Central Bureau of Investigation, and the Ministry of Home Affairs.