AIIMS cyber-attack a wake-up call amid India’s digital push

If the ransomware attack is indeed an international conspiracy, as suspected, there are wider national security implications, and should lend urgency to developing robust safety locks

The cyberattack on the servers at the All India Institute of Medical Sciences (AIIMS)  is a serious jolt and a wake-up call amid the country’s push towards Digital India exposing its vulnerabilities.

That the hack originated from another country and the possible involvement of a foreign state actor should lend urgency to developing robust safety locks.  If the sophisticated ransomware attack is indeed an international conspiracy, as suspected, there are wider national security implications.

On 30 November, just days after the strike on AIIMS, there were reportedly as many as 6,000 attempts to hack the server of the Indian Council of Medical Research (ICMR).

More attempts

On December 2, news came of hackers selling over 150,000 patients’ data records belonging to a Tamil Nadu-based multispecialty hospital — for just $100 per download. Analysts said the IT vendor of the hospital was targeted first and via that vendor’s systems as initial foothold, the hackers got into the hospital system.

Last month, the server of Safdarjung Hospital was also down for a day after a cyberattack. In March, the National Institute of Mental Health and Neuro Sciences (NIMHANS) had faced a cyber- attack.

Major concern is the uptick in cyberattacks on medical institutions in the country post the Covid pandemic. Hackers and criminal syndicates have been targeting large volumes of patient data.

How it happened

The attack on AIIMS came to light on November 23 when users found they could not access a key application that manages appointments, stores medical records and hosts reports from diagnostic tests carried out by the facility.  There are records showing that on November 23 at 7:07 am, the final transaction at the AIIMS server occurred. The server was eventually compromised. Two email addresses used by the hackers to send RANSOMWARE were and

The breach in security particularly affected e-hospital application, stopping the online functioning of OPD, emergency and other patient care services in the AIIMS premises. The massive cyber-attack derailed everyday work, appointments and registration, billing, patient care information and lab reports. The attack corrupted files and data on main and backup servers of the mega-hospital. Everything was moved to manual mode at the AIIMS.  On the mega hospitals’ primary and backup systems, the hack corrupted files and data. At the All India Institute of Medical Science (AIIMS), everything was switched to manual mode, and the giant handling four million patients a year sputtered on paper systems for more than a week.

Doubts over data security

On 19 July 2016, the Delhi AIIMS, India’s biggest tertiary care hospital, completed implementation of the e-Hospital project under the Narendra Modi government’s Digital India Initiative. In doing so, it became the country’s first fully digital public hospital.

Six months after full digitisation, on 9 January, 2017, Dr Deepak Agrawal, from the neurosurgery department, who was then chairperson of the computerisation committee, wrote to the Union Health Ministry. In his letter, he pointed out that the e-hospital installation by the National Informatics Centre (NIC) — the government department responsible for setting up IT infrastructure — had not been bolstered with appropriate systems for upkeep and security. “There is no database administrator, security administrator and system administrator at site for the installation, putting the whole project at risk,” wrote Dr Agrawal.

Four months later, the medical superintendent of AIIMS, Dr D K Sharma, also brought up similar issues in a report about the implementation of the e-Hospital. Writing to the health ministry, he reported that the AIIMS online registration system was seeing more than 6,500 new appointments and over 5,000 follow-ups daily, but he also flagged major concerns. “There is no disaster backup for maintaining continuity of operations in case of primary site failure, despite repeated requests to the NIC for the same,” wrote Dr Sharma.

The minutes of the meeting on the progress of implementation of the e-Hospital application in AIIMS on 16 July 2016 say that the NIC is the driving IT force behind the digital transformation done in AIIMS. But Dr Sharma’s letter to the ministry states that the NIC had no service agreement with the hospital. “There is no service-level agreement with NIC, because of which the vendor (NIC) cannot be held accountable for any lapses in service,” he wrote. “Upkeep time does not meet international standards.”

Probe so far

Police has registered an FIR under IPC Section 385 (putting a person in fear of injury in order to commit extortion), 66 and 66-F IT Act. Initial analysis has found that four servers — two application servers, one database server and one backup server — were found infected.  The encryption was triggered by one of the Windows servers attached in the same network, but files of this server were not encrypted.

The NIA has sent a team to AIIMS.  The Indian Computer Emergency Response Team (CERT-In),  nodal agency to deal with cyber security threats like hacking and phishing has also deputed a team to look into the matter. It works under the Ministry of Electronics and Information Technology. In addition, the Defence Research and Development Organisation (DRDO), the Delhi Police, the Intelligence Bureau, CBI and Home Ministry are also probing the incident. Initial investigation has also revealed that the attacker has two proton mail addresses — “dog2398” and “mouse63209” — which have been identified from the headers of the encrypted files.

The National Informatics Centre (NIC) eHospital at the AIIMS uses 24 servers for various hospital modules and four of these servers — primary and secondary database servers of eHospital, primary application and primary database servers of laboratory information system (LIS) — were infected with ransomware.

The AIIMS administration is not ready to break its silence over the ransomware attack at AIIMS Delhi and still it is not even clear whether the AIIMS servers have been freed from the clutches of hackers or not. However, it is being said that data is being recovered gradually, due to which, an online OPD has been started.

Safety saves

Do we really believe that our data is even safe? Today everything is on the cloud hence it is prone to cyber-attacks/threats and hacktivists don’t lose an opportunity. So the loophole exists even for the strongest of organizations. It has been observed that where important data are stored online, the authorities had perhaps not made provisions of data backup facility including server mirroring.

Tangible hackers could easily access the internal network bypassing easy passwords which is rare in govt networks. The system administrator must ensure they don’t respond to insecure emails containing stealth cipher urls which can be lethal injector for critical malwares, trojan, ransomware(s) and keep changing password frequently.  Last but not the least mismanaged multicast ports are a major threat to data hack which gives full access to the gateway inside despite having multiple secured layers topography. It is time we equip our system to counter phishing attempts.