Hyderabad: The cyberattack on the All India Institute of Medical Sciences (AIIMS) server, a trove of sensitive health data of millions of patients, poses a major national security challenge. Given that the hackers gained control not just of the hospital network but also of the backup systems, there is simply no guarantee that health records were not tampered with, even in the secondary backup systems.
AIIMS, the country’s largest health facility, where doctors attend to more than 35,000 patients a day, including senior members of the government, lost access not only to the main servers but also to the backups. Despite the best efforts of security experts, access to hospital data has not yet been fully restored. If the data gets into the hands of any hostile foreign intelligence agency, there is a danger of the health records of Cabinet ministers and high-level bureaucrats being misused. This is a serious instance of a ransomware attack that highlights the need for putting in place a robust cybersecurity framework in the country.
The AIIMS breach was not an isolated event but the latest in a series of similar incidents. Unfortunately, the earlier ones were ignored. For instance, the 2017 Hitachi data breach became a trailer for the 2019 attack on the Kudankulam nuclear reactor, which was then followed by the detection of Cobalt Strike malware. The lack of response may have signalled to hostile agents that they would suffer few consequences for such acts.
There were no efforts on the part of the government to create a national cybersecurity doctrine or even a workable policy. Instead, existing institutions were engaged in turf wars over budgetary allocations. This must be urgently reversed, and findings from the AIIMS breach investigation must be used to craft a robust and transparent cybersecurity policy. As India’s internet base continues to grow exponentially, a parallel rise in cyberthreats has raised concerns. The sophistication of cybercrimes is also increasing with the advancement of digital technology.
In 2020, nearly 82% of Indian companies suffered ransomware attacks. Last year, a high-profile India-based payment company, Juspay, suffered a data breach impacting 35 million customers. This was significant because Juspay handles payments for online marketplaces, including Amazon and other big players. In February this year, Air India experienced a major cyberattack that compromised nearly 4.5 million customer records. Passport, ticket and some credit card information was compromised. While India’s digital economy has flourished because of citizens’ digital integration, it has also created a vulnerability to data theft.
The country’s dependence on foreign hardware, particularly Chinese, is an additional vulnerability. There is a need for the Centre and the States to commit adequate funds to augment cyberinfrastructure. Government and private agencies dealing with personal data should be required to adhere to mandatory data protection norms.