
AIIMS Ransomware Attack Leads to a New Cyber Response Framework


On November 23, 2022, the All India Institute of Medical Sciences, Delhi (AIIMS), suffered a cyber attack that police later labelled "cyber terrorism." As a result, online patient services at the country's principal government hospital, including appointment booking, billing and diagnostic reporting, were halted.

Because the attack hit both the hospital's primary and backup servers, patients and staff were left with no access to records or test reports for a period. According to former National Cyber Security Coordinator Lt Gen Rajesh Pant, the ransomware attack on AIIMS prompted the government to create a cyber response mechanism.

National Cybersecurity Response Framework

The ransomware attack pushed the government into establishing a National Cybersecurity Response Framework (NCRF). According to Pant, the attack put a spotlight on the need to protect "critical infrastructure." "It was realized that critical sectors need to have a uniform framework to respond to cybersecurity[…]So, the NCRF was conceptualised. It will be put in the public domain for critical infrastructure, such as those in the power and health sectors, to implement," said Pant.

According to Pant, the framework lays out trusted business and supply-chain procedures and outlines the design of a cyber defence system.

While the National Informatics Centre (NIC) and the Indian Computer Emergency Response Team (CERT-In) began investigating the incident, the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police filed an FIR against unidentified persons on charges of extortion and cyber terrorism.

According to Pant, the AIIMS attack exposed gaps in the present cyber defences and is a lesson to be better prepared for attacks on critical information infrastructure and to fix known weaknesses. "The manner in which the network was architected, was not done by professionals but by a team of doctors. There were too many loopholes in the network, and it was easy to get into the network[…]A lot of lessons have come out from the incident from a government point of view, and these will, hopefully, be implemented," he said. He added that the framework would close some significant gaps in the response mechanism: "There is a need for standard operating procedures to handle such incidents so that steps for mitigation are taken with immediate effect."

He also pointed to the need for inter-ministerial cooperation and for a nodal ministry to own cybersecurity threats, since the threat landscape keeps changing. "According to the business allocation rules, no ministry is solely dedicated to addressing such incidents. The concept of peace has changed today, there is no peace in cyberspace," he added.

Information Technology Systems at AIIMS Have Not Been Updated in 30 Years

The ransomware attack on AIIMS affected all the data on its systems. Services were down for ten days, during which millions of patient records, including those of VIPs, were reportedly compromised.

Before the attack, medical records were accessed through outdated hardware and software, including an unsupported version of the Windows operating system. According to AIIMS officials, who spoke on condition of anonymity, the need to upgrade the IT systems had been raised with the top authorities several times in the past, but nothing was done about it.

"It has been at least 30-40 years since the institute upgraded its computers and the technology in the lab. Several outdated machines in the institute did not have the latest version of Windows. The top administration was notified multiple times of our concerns regarding this issue, but no improvement has been made. Until now, the computer and information technology office was headed by a doctor who was unfamiliar with IT work. Consequently, there are several flaws in this department," a senior official at AIIMS explained.
The hospital had been operating manually for the past 12 days because its servers were down. To protect hospital and patient data, the administration is now drawing up a cybersecurity policy.

Under this new framework, AIIMS plans to bring in a cybersecurity officer and several senior IT professionals to handle IT-related work. E-hospital and e-office work will run on a dedicated network, and a separate network will be set up for doctors' official mail and other professional work. The plan also instructs all faculty members, heads of departments and scientists to have the software they use audited by CERT-In-empanelled auditing agencies, so that malware cannot spread from their servers to connected endpoints, said a member of AIIMS's security department who was aware of these developments.

The hospital's computer and IT facility has called a meeting of IT vendors in the hope of obtaining such solutions from them by 31 December. The aim is to block applications that have not passed a security audit from reaching the AIIMS network and its central servers.

As a precaution, faculty and doctors across AIIMS have been told not to connect routers, hubs or any other network devices to the institution's network ports. Reports last week said the institute had restored the e-office system, but that, because of the enormous volume of data involved, the hospital was still operating manually.
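The plan above amounts to two controls: separate networks for different kinds of work, and access ports that refuse anything other than the one workstation they were patched for. The configuration below is an added illustration of those two controls in Cisco IOS-style switch syntax; it is not AIIMS's configuration, and the VLAN numbers, interface ranges and 10.x addresses are placeholders. It goes slightly beyond the page's plan by adding DHCP snooping and a VLAN ACL, since a rogue router's most immediate damage is handing out addresses, and a separate VLAN protects nothing unless traffic between VLANs is filtered.

```cisco
! --- Before (illustrative flat network, not the actual AIIMS config) ---
! Every wall jack is an untagged port in the default VLAN, with no limit
! on what is plugged in. A hub or home router in a ward lands in the same
! broadcast domain as the e-Hospital database servers.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 1
 no switchport port-security
!
! --- After: separate networks and locked-down access ports ---
vlan 10
 name EHOSPITAL_EOFFICE
vlan 20
 name DOCTORS_MAIL
vlan 30
 name SERVERS
!
! Ward and OPD jacks: one learned MAC address per port, remembered in the
! running config (sticky). A second address behind the port (a hub, a
! router, a switch) shuts the port down. BPDU guard shuts it down the
! moment a switch-like device announces itself, even before a second host.
interface range GigabitEthernet1/0/1 - 24
 description OPD-and-ward-jacks
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Doctors' workstations used for official mail: same lockdown, own VLAN.
interface range GigabitEthernet1/0/25 - 44
 description doctor-workstations
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only the uplink may carry DHCP replies; a rogue router on a user port
! cannot hand out addresses.
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet1/0/48
 description uplink-to-core
 switchport mode trunk
 ip dhcp snooping trust
!
! User VLAN 10 may reach the server VLAN only through the e-Hospital
! application front end (placeholder address 10.30.0.10) over HTTPS.
! Direct access from wards to database or LIS hosts is denied.
ip access-list extended WARD-TO-SERVERS
 permit tcp 10.10.0.0 0.0.255.255 host 10.30.0.10 eq 443
 deny   ip  10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group WARD-TO-SERVERS in
```

Two practical notes. Sticky port security means a legitimately replaced workstation also trips the port, so the help desk needs a procedure (and `errdisable recovery`) for that case; 802.1X with a RADIUS server is the stronger and less brittle option where the hospital has the identity infrastructure for it. The ACL is deliberately one-directional and minimal: if ward machines only ever need the application front end, nothing on the ward VLAN should be able to open a connection to the database server at all.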

Spokespersons for the health ministry and AIIMS did not respond to questions. To help AIIMS resolve the crisis, the central government has deputed experts from the National Investigation Agency, the Defence Research and Development Organisation, the Indian Computer Emergency Response Team (CERT-In), the Delhi Police, the Intelligence Bureau, the Central Bureau of Investigation and the Ministry of Home Affairs.

AIIMS Server Shut Down for 7th Day, Two System Analysts Suspended


AIIMS Servers Compromised

The servers of the All India Institute of Medical Sciences have now been out of service for a seventh consecutive day. The network is being sanitised before services are restored; hospital services, including outpatient, inpatient and laboratory work, continue to run in manual mode.

Restoration is taking time because of the enormous volume of data and the large number of computers and servers involved in hospital services. AIIMS is putting cybersecurity measures in place to deal with the incident.

Investigation Launched

The Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police registered a case of extortion and cyber terrorism on November 25. Separately, AIIMS suspended two system analysts on Monday after serving them show-cause notices for alleged dereliction of duty.

According to official sources, internet access at the hospital has been blocked on the recommendation of the investigating agencies.

News18 reports, "the CERT-In, the Delhi cybercrime special cell, the Indian Cybercrime Coordination Centre, the Intelligence Bureau, the Central Bureau of Investigation, National Investigation Agency, among others, are investigating the ransomware incident."

According to official sources, the NIC e-Hospital deployment at AIIMS runs on 24 servers for its various hospital modules, and four of them were hit by the ransomware: the primary and secondary database servers of e-Hospital, and the primary application and primary database servers of the Laboratory Information System (LIS). That both the primary and secondary database servers were encrypted is worth noting: a standby replica that is reachable from production shares its exposure and is not a backup in the sense that matters during a ransomware incident; only an offline or immutable copy can be restored with confidence.

Current state

Ransomware was later also found on the Elasticsearch virtual server (listed as 1.4). All compromised servers were isolated, the sources said. Four new servers, including two supplied by external agencies, were brought in to restore the e-Hospital applications.

The databases were restored onto these four servers, which have since been scanned, and the data is accessible again. Four servers hosting NIC applications were also scanned; malware was found on two of them.

"AIIMS has around 40 physical and 100 virtual servers. Five have shown signs of the virus. These servers are also being set up for scanning, and new servers with updated configurations are being purchased, as most servers at AIIMS were end of life/end of support," a source told News18.

Antivirus software has been installed manually on around 2,400 computers.