Seven days after the All India Institute of Medical Sciences in Delhi was crippled by a cyberattack that disabled its computer systems and forced the administration to process patients’ records manually, only some of the data had been restored by Wednesday, said a hospital spokesperson.

The corrupted servers stored the health profiles and treatment records of 2 crore-4 crore patients, officials said. Among them are the records of politicians who have been treated at AIIMS.

The spokesperson said that the hospital by Wednesday was able to restore e-Hospital data relating to online appointment booking, access to lab reports and blood availability status. However, the facility continues to manually operate out-patient and in-patient services, as well as its laboratory report activities.

The AIIMS out-patient department usually sees 12,000 patients a day. It has been functioning much more slowly than usual, since digital files can no longer be filled or accessed.

“The network is being sanitised before the services can be restored,” the spokesperson said. “The process is taking some time due to the volume of data and the large number of servers/computers for the hospital service.”

The last major attack on a public health system occurred in 2017, when hackers disrupted services to 80 hospitals of the United Kingdom’s National Health Service for over a week. The attack cost the UK government 92 million pounds to fix.

Officials at AIIMS refused to confirm if they had been hit by a ransomware attack, which involved the hackers demanding a payment to restore the data. But officials did not rule out the possibility. “The team noted that the infected files had changed extensions [extension names], indicating possible ransomware attack,” a hospital spokesperson said.

Rahul Sasi, co-founder and CEO of CloudSEK, a company that protects entities from digital risks, said that in a ransomware attack, “the cyber criminal hacks the system, deletes data and asks for ransom in exchange of restoring data. In a normal cyber attack, a hacker only tries to showcase his skills or to point to a security lapse in the system.”

The Delhi Police have registered a case under Section 385 of the Indian Penal Code, which relates to extortion, in addition to Section 66F of the Information Technology Act, which relates to cyber terrorism.

The National Investigation Agency also sent a team to AIIMS on November 25 to investigate the cyberattack.

The attack

According to AIIMS director M Srinivas, the first hint of a cyber attack came at 6.45 am on November 23 when the emergency laboratory department complained it could not view reports in the National Informatics Centre’s laboratory information system. Soon the billing counter and out-patient department faced similar problems.

The National Informatics Centre found that files on the main server had been corrupted. This server stores the AIIMS e-Hospital database; another two servers store the laboratory information system’s database and applications. The e-Hospital database contains information on billing, appointments, prescriptions and consultations. It acts as a facilitator between departments, providing information on a patient’s diagnostic reports online. This eliminates the need to physically move files from one place to another.

The database containing patients’ Unique Health Identification records was also compromised. The Unique Health Identification programme was launched in September 2021 by the government to create digital health records of all patients who visit both public and private hospitals.

Two other servers that had a secondary database of the e-Hospital and laboratory information systems were not corrupted and were immediately detached from the network. AIIMS began to back up this data on November 23. It also made provisions for a server to store the data recovered from the backup. The infected system was removed and sent for forensic analysis.

AIIMS officials said they called in the Computer Emergency Response Team (known as CERT-IN), the government’s agency that investigates computer security threats.

Hospital forced to operate manually

Due to the digital shutdown, the already crowded hospital took even longer to attend to its patients. The hospital had to draw on its researchers and doctors to help handle services as forms had to be filled out manually.

In 2020-’21, AIIMS admitted 1.40 lakh patients and operated on 72,737 patients, the hospital’s annual report says. More than 15.4 lakh patients visited its out-patient department that year.

With the shutdown of the servers, doctors are giving patients who need consultations with specialists in other departments physical copies of reports or sharing documents with their colleagues on the WhatsApp social media platform.