Cyberattacks on hospitals thwart India's push to digitize health care

In late November, as a thick layer of smog settled on the All India Institute of Medical Sciences in New Delhi, patients began to experience extended wait times. Long lines snaked along the vast building and backed up for several yards.

Computers at the hospital had stopped working, so medical reports could not be generated. Though patients were still being treated, paper bills were being handed out. After a few days, people who feared that traveling back home would be too expensive began to sleep under a nearby overpass to wait it out.

A massive cyberattack had compromised the health data of millions of patients, from those who live in extreme poverty to high-profile politicians, bureaucrats and judges.

The Delhi Police had a bigger problem at hand. They were in possession of an email that read, "What happened? Your files are encrypted? What is the price to repair? The price depends on how fast you can pay to us," reported news sources.

The Delhi police initially denied reports of a ransom demand. But they later confirmed that the servers at AIIMS were attacked and data was being held for ransom. Police sources were quoted as saying the attack originated from China and Hong Kong.

Two weeks later, servers at AIIMS are just now limping back to normal.

A digital health ID for every Indian

Cybersecurity experts express larger concerns.

Because India does not have robust cybersecurity systems or strong data protection laws, the breach has made observers uneasy about Prime Minister Narendra Modi's ambitious plan to digitize the health records of all Indians.

In 2020, most people around the world were just hearing about COVID-19. Indians were forced into a sudden lockdown, and no one knew when vaccines or a semblance of normal life would return.

Against that backdrop, Modi announced that every Indian would get a health ID under the National Digital Health Mission: "Your every test, every illness, what doctors prescribed and when, your reports will be on a single health ID."

These health records can be accessed by health-care professionals only after the informed consent of the ID holder, Modi clarified.

Cybersecurity experts are doubtful about getting informed consent as that concept is relatively new in the country. "Citizens being forced to get a health ID and digitize their health records without the right safeguards is making them vulnerable," says Srinivas Kodali, a technology expert and researcher with Free Software Movement of India. "With plans for ubiquitous sharing of health records across hospitals, doctors, insurance agencies and health tech firms, Indians' health data is expected to be more prone to leaks, data breaches and exploitation," he adds.

More than 170,000 hospitals across the country have signed up for the National Digital Health Mission already. Registration is mandatory for government-run hospitals.

Right across from AIIMS is another massive government-run hospital, where thousands of people line up for treatment. Around the same time that AIIMS reported the ransomware attack, Safdarjung Hospital also reported a cyberattack that incapacitated its servers for a day. Data was not breached and the servers were restored quickly.

Currently, the safety of a patient's data will depend on how safe the hospital servers are. Under the National Digital Health Mission, all hospitals will be responsible for storing and protecting the patient data they collect. Patients at Safdarjung were merely lucky that their data was not breached.

Kodali says if there is a plan to have one unique national health ID, then the cybersecurity of the such massive amounts of data should be the responsibility of the government. "To expect hospitals to deal with their own cybersecurity is like asking an IT professional to medically operate on himself," he says.

In a 2022 white paper, the artificial intelligence company CloudSEK said that cyberattacks on the global health care industry rose by more than 95% compared to last year. Attacks mostly occurred on systems in the U.S., followed by India.

Cyberthreats loom

Observers warn against large-scale digitization before necessary checks are in place. "In large systems, digitalization can bring in efficiencies, but it also creates the possibility of disruption to information flows with cascading impacts for society," says Anita Gurumurthy, director of the non-profit IT for Change, which works on tech policy and human rights.

Indian authorities agree that the country is facing increasing cyberthreats. The Indian Computer Emergency Response Team (CERT-IN), the national cybersecurity watchdog, noted a 51% increase in the number of ransomware attacks, including on critical infrastructure, from the year before.

In the absence of a personal data protection bill, as well as a law governing the digital health ecosystem, Gurumurthy says, the regulatory system is not conducive to maintaining large data sets.

In addition, users' lack of awareness about cyber risks and the use of old, legacy technologies contribute to vulnerability, according to Rajeswari Pillai Rajagopalan, director of the Centre for Security, Strategy and Technology (CSST) at the think tank Observer Research Foundation. "India also needs to study the evolving tactics, techniques and procedures [TTPs] of hackers and criminals to be able to prevent these attacks. India will pay a serious price if it is seen as an easy target."