On November 23, a ransomware assault on the servers of All India Institute of Medical Sciences (AIIMS) in Delhi wreaked havoc on their methods, and all their processes needed to go guide. It took over two weeks to get the contaminated methods on-line once more. However what’s extra noteworthy is that an assault on India’s most prestigious hospital is simply the tip of the iceberg of a a lot bigger drawback.
Give it some thought. A hospital, or any medical establishment, has an enormous trove of personally identifiable info on individuals – extra delicate than every other type of knowledge which will get stolen in a breach. A 2019 report pegged the worth of a single healthcare report at $250 – miles forward of the subsequent Most worthy knowledge report, a cost card, which might fetch a foul actor $5.40.
The AIIMS ransomware assault reportedly entails 40 million data, together with some belonging to essentially the most highly effective individuals within the nation. The worth of this knowledge, due to this fact, goes past financial phrases.
A ransomware assault will typically not expose knowledge to the general public initially. The entity that faces the assault, reminiscent of AIIMS, can get locked out of its personal methods and knowledge, and there’s all the time the specter of their knowledge getting leaked publicly or on the darkish net.
Within the case of AIIMS, the attackers encrypted the present knowledge, and allegedly demanded Rs 200 crore as ransom. Whereas there isn’t any official affirmation of such a requirement, it’s clear that the medical establishment won’t be paying the attackers. It’s at the moment within the technique of restoring knowledge from backups – which can or will not be up to date with the latest knowledge.
Some servers have been partially restored, however what’s extra worrying is that the federal government didn’t take steps to bolster cybersecurity even after it was delivered to the eye of the authorities. Defences are being tightened to forestall any additional untoward incidents, however it could be a case of too little, too late.
In a ransomware incident, the loss to the entity beneath assault is usually not tangible. Consider the nightmarish situation of a guide entry course of at a hospital as busy as AIIMS, which treats over 12,000 sufferers in simply its outpatient division. The quantity of misery, delays in therapy and even threat to the lifetime of a affected person brought on by all processes going guide might by no means be identified.
What’s extra worrying is that there’s little to no legal responsibility, even in case of an assault as huge as this. Within the US, the Well being Insurance coverage Portability and Accountability Act (HIPAA) requires regulated entities to adjust to its breach notification rule. The UK and Australia even have detailed situations set out for easy methods to cope with an information breach that features the lack of protected well being info. The UAE additionally has a clearly outlined Well being Knowledge Regulation. The European Union additionally has a regulation particularly protecting well being knowledge.
In India, legal guidelines are obscure sufficient that there isn’t any readability on whether or not AIIMS is a sufferer or can really be held responsible for compromising vital knowledge. The lately revised Private Knowledge Safety Invoice specifies the obligations of the info fiduciary and knowledge processor in case of an information breach or ransomware assault. Failure to forestall a private knowledge breach carries a penalty of as much as Rs 250 crore.
The primary info report filed for the case refers to sections of the Data Know-how (IT) Act, certainly one of which offers with cyber terrorism. The Indian Penal Code’s part coping with extortion can also be invoked. Contemplating the probe factors to China being concerned, it appears affordable.
Given the wealth of knowledge it has, AIIMS can simply be categorized as a nationwide database. However what recourse does a mean individual have if tomorrow the hackers resolve to promote components of this knowledge and it ends in blackmail or misuse of their private well being knowledge? If that sounds far-fetched, what’s the worth of reputational harm if the hackers or unhealthy actors make the well being data of eminent personalities, or previous Prime Ministers public?
This incident must be a wake-up name for our authorities. Privateness is non-negotiable.
[This contributory article is authored by KK Mookhey, CEO & Founder of Network Intelligence. The views expressed are solely of the author]