The cyberattack that crippled the servers of the All India Institute of Medical Sciences, or AIIMS, in Delhi has sparked concern across India’s hospitals since it comes at a time when the government has been pushing them to transition to online and paperless operations under the Ayushman Bharat Digital Mission.

On November 23, several departments at AIIMS were unable to log onto the e-hospital server to view patient reports. An inquiry by the National Informatics Centre found that the server which hosts the e-hospital database and the two servers which store laboratory data had been hacked and corrupted.

The cyberattack on the country’s premier healthcare institute not only compromised its patient database, which includes the health records of India’s top politicians, but also blocked access to its e-hospital server. The server, used for the inter-departmental exchange of patient records, is still down.

Following this incident, several hospitals across the country have been reviewing their cybersecurity systems.

In Chandigarh, Dr Vivek Lal, director of the Post Graduate Institute of Medical Education and Research, held a meeting with the institute’s technical team. “I was told we have an impregnable firewall,” said Lal. The institute is one of the biggest government hospitals in north India.

Gaurav Kumar, deputy director in charge of the institute’s technology department, said they are taking a daily backup of their data and storing it on physical drives instead of relying on online servers. “So that if data is hacked and deleted, we still have backup,” he said.

In Varanasi, the Banaras Hindu University’s Sir Sunderlal hospital has decided to temporarily postpone its plan to switch to a cloud-based server to store hospital data.

Digital mission

Security concerns are heightened since the Indian government has recently launched the Ayushman Bharat Digital Mission, in which the health records of each person will be linked to a unique 14-digit health account number, similar to an Aadhaar number. The idea is to enable paperless records, so that a patient can visit different hospitals without carrying all their medical files. By providing their account number and granting access, a patient can enable a doctor to view their records.

Currently, many government hospitals operate on a hybrid model of manual paperwork and digital records. The new system is expected to gradually do away with the need to store medical reports in physical copies. Each hospital that registers for the Ayushman Bharat Digital Mission will store its patient information, such as prescriptions, diagnostics reports, treatment administered, on its own server or a cloud-based storage. They will link relevant reports to the patient’s health account number.

Other hospitals can view this information, provided the patient grants them access to their records. As an official of the National Health Authority told Scroll.in in August, “The medical files are essentially stored on hospital A’s server. The patient is only giving access to hospital B to see that particular file from hospital A’s server.”

Screenshot from the website of the National Health Authority explaining the health ID.

Experts say that while the idea to create digital health records is well-intentioned, there is a heightened risk of data breach. “If you look at the architecture, the entire system is decentralised,” said Srinivas Kodali, technology expert and a researcher with Free Software Movement of India. “It is not like Aadhaar, where all data is stored centrally.”

In a decentralised system, all hospitals, clinics, nursing homes, private practitioners and diagnostic laboratories that register under the Ayushman Bharat Digital Mission will be responsible for storing and protecting patient data gathered at their end.

Kodali said that while the Ayushman Bharat Digital Mission will not store patient data on its central database, it will create a larger ecosystem where “hospitals can network over the internet”.

“The National Health Authority will keep checks and balances for hospitals to maintain layers of security when they enter the ecosystem,” said Kodali. “But the government is not providing the software, each hospital will have to appoint a software provider to maintain their database.”

Kodali said this is where a breach may occur if a hospital is unable to ensure high-level security. “The challenge here is that there is no law, even if there is a breach,” he said, pointing out that there is no redressal for patients whose data may get leaked.

The large quantum of health data makes it lucrative for cyber criminals. A security lapse by a hospital or doctor may compromise that hospital’s system and its entire Ayushman Bharat data.

But Kodali said it is unlikely that a breach in one hospital will compromise other hospitals’ databases. “The present design of the system suggests that if one hospital’s server is hacked, only they get impacted,” said Kodali. “But there is no way for us to be sure.” Kodali said the National Health Authority has not made its software code, which will power this system, public.

It is for these reasons that private hospitals seem reluctant to register for the Ayushman Bharat Digital Mission – of the 1.73 lakh who have signed up, only 27,986 are privately run. For government hospitals, registration is mandatory.

At the Post Graduate Institute of Medical Education and Research, IT in-charge Naveen Bindra said the institute is in the process of integrating its system with the Ayushman Bharat Digital Mission. Bindra said a server is yet to be assigned to link with the scheme’s network and the institute has not yet started to upload patient data. “The threat will increase when we start uploading data,” said Bindra. “We will look at all possible security solutions then.”

Screenshot from the National Health Authority on the registration of healthcare facilities.

Rising attacks

In 2020, an article published in the scientific journal BioMed Central highlighted the vulnerability of the healthcare industry to cyberattacks. “Healthcare faces even larger cyber risks than other sectors because of inherent weaknesses in its security posture,” the report said.

In the first four months of 2022, cyberattacks against the global healthcare industry rose by 95.3% compared to the same period in 2021, according to CloudSEK, an artificial intelligence company that deals in cyber threats. The Indian healthcare sector ranked second after the United States when it came to such attacks, said the report.

Within a week of the cyberattack at AIIMS, there were breaches in two more Indian hospitals. On December 3, Delhi’s Safdarjung Hospital said it had faced a cyberattack for a day on November 14 that prevented some staffers from logging onto their devices. The National Informatics Centre was able to revive hospital servers and secure the data. The effect was diffused since Safdarjung Hospital, unlike AIIMS, does not completely rely on digital operations.

The second breach was reported by CloudSEK, which said that data of 1.5 lakh patients of the Sree Saran Medical Centre, a multi-specialty private hospital in Tiruppur, Tamil Nadu, had been put up for sale on the dark web. The “dark web” refers to websites that cannot be accessed easily by commonly used search engines or law enforcement authorities – essentially the internet’s “underground” – making it apt for online criminal activities.

CloudSEK founder Rahul Sasi said his company’s artificial intelligence risk platform had discovered the post on November 22. It advertised patient data, which had been sourced from Three Cube IT Lab, an application development provider. Sasi said it is unclear if Three Cube IT Lab had been hired by Sree Saran Hospital to manage its software.

The leaked data contained patient names, their addresses, health information and doctor details from 2007 till 2011. CloudSEK alerted the Indian Computer Emergency Response Team, or CERT-In, the national cybersecurity watchdog. CloudSEK emailed the hospital as well as the application developer. “We have received no response from the hospital,” Sasi said.

When contacted by Scroll.in last week, Sree Saran Hospital’s spokesperson said he would check with the management and respond. But the hospital did not respond to follow-up calls.

Hospitals still upgrading

Anita Gurumurthy, director of the non-profit IT for Change, which works at the intersection of digital technology and human rights, said there is low awareness among healthcare providers on the need to safeguard health data. Sasi of CloudSEK agreed. “I have over 170 clients from banking, agriculture, and the commercial sector,” he said. “But not a single hospital is my client.”

The cyberattack on AIIMS may have served as a wake-up call for hospitals to beef up their cybersecurity and data protection systems. But Gurumurthy said it will take time for things to change. “Institutional capacity to make this transition requires a plan,” she said.

According to Gurumurthy, there needs to be a defined protocol for hospitals to follow; only then will they invest in data security. Currently, a hospital invests what it deems fit when it comes to cybersecurity. “It may or may not be enough,” said Sasi.

At AIIMS-Guwahati, for instance, director Dr Ashok Puranik said the hospital has multiple layers of security and basic firewalls. “We are following government protocol,” said Puranik. “If the government advises [us] to improve existing measures, we will do so.”

The Post Graduate Institute of Medical Education and Research has approached the government to upgrade its Health Management Information System, or HMIS – the portal on which hospitals store the health data of patients.

“We currently have the first version of HMIS,” said Kumar, the deputy director of the institute’s technology department. “In the next six months, we will upgrade to HMIS.2, which is more efficient and secure.”

Sir Sunderlal Hospital in Varanasi currently functions through a local area network. Hospital superintendent Dr KK Gupta said chances of hacking are limited since “the computers that have internet access are not attached with the local area network.” He said that even the computers which store data under the Ayushman Bharat Digital Mission are not connected to the internet.

Gupta added that they plan to devise a secure plan to connect the entire system online once the exchange of data under health accounts becomes fully active.

The out-patient department waiting hall at Sir Sunderlal Hospital. Credit: User4edits, CC BY-SA 4.0, via Wikimedia Commons.

Integration with Ayushman Bharat

Cybersecurity expert Vandana Verma said that when hospitals start uploading patient data and linking it to Ayushman Bharat health account numbers, a lot of critical information will become vulnerable.

Tejasi Panjiar, associate policy counsel at the Internet Freedom Foundation, which works on fundamental rights in the digital space, said that an individual may give their health account number at a hospital and undergo multiple tests.

“If there is an HIV test that comes positive, or if she seeks abortion, she may not want that information to be disclosed digitally,” said Panjiar. “But the hospital already has her account number and she may not have an option to withhold selected health records.” Panjiar said a patient may choose to not share this record with another hospital, but it still exists in a digital form.

Cybersecurity expert Verma said that if big institutes, like AIIMS, can be targeted, hacking into a smaller hospital will prove much easier. “Individual doctors are also not safeguarding their data at all, and if we are trying to unify all health information under one identification number then we need to fix our cyber system,” Verma said.

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation has not exercised any editorial control over the contents of this article.