Delhi AIIMS Cyber Attack: A Comprehensive Overview
The All India Institute of Medical Sciences (AIIMS) in Delhi has faced significant cybersecurity challenges, most
notably a major ransomware attack in November 2022, and a smaller, successfully thwarted malware incident in June
2023.
The Major Cyber Attack (November 2022)
This incident marked a critical moment in India's cybersecurity landscape, exposing vulnerabilities in crucial
national infrastructure.
- When: The attack commenced on November 23, 2022.
- What Happened: It was identified as a sophisticated ransomware attack. This crippled AIIMS's e-Hospital services, including vital functions like patient registration, appointments, billing, and discharge. The hospital was forced to revert to manual operations for an extended period.
- Impact:
  - Five physical servers at AIIMS were compromised, leading to the encryption of approximately 1.3 TB of data.
  - Critical data belonging to patients, doctors, and official records were potentially breached. While official statements did not confirm a specific ransom demand, some reports suggested that the attackers, believed to be the LockBit ransomware gang, demanded a substantial sum in cryptocurrency.
  - Services were severely disrupted for about two weeks, with gradual restoration efforts extending beyond this period.
- Perpetrators: Investigations indicated that the servers used in the attack might have originated from China and Hong Kong. Although no specific group was officially named by the government, the incident was treated as a case of cyber terrorism, leading to an FIR being registered by the Delhi Police's Special Cell.
- Lessons Learned: This attack underscored significant vulnerabilities in critical infrastructure. Experts noted that the network architecture had not been designed by cybersecurity professionals, leaving systemic loopholes exposed.
Subsequent Malware Attack (June 2023)
A more recent but less impactful incident occurred, showcasing improved defensive capabilities.
- When: A malware attack was detected on June 6, 2023.
- Outcome: AIIMS Delhi's cybersecurity systems successfully detected and thwarted this attempt. The threat was neutralized in time, ensuring that e-Hospital services remained secure and functional, with no significant disruption or data breach.
Measures Taken After the 2022 Attack
The major cyberattack prompted AIIMS and the Indian government to implement a series of crucial cybersecurity
enhancements:
- FIR and Investigation: An FIR was registered by Delhi Police's Special Cell. Various agencies, including CERT-In, NIC, NIA, and CBI, were involved in the extensive investigation and recovery operations.
- Data Recovery: All data for the e-Hospital was successfully retrieved from an unaffected backup server and subsequently restored on new, secured servers.
- Enhanced Security Protocols at AIIMS:
  - Network Segmentation: AIIMS implemented measures to isolate its networks. The intranet is now dedicated solely to the e-Hospital software and completely separated from the open internet.
  - Endpoint Hardening: Stricter security configurations were applied to all devices connected to the network.
  - Stronger Firewall Policies: More robust firewall rules were put in place to tightly control network traffic.
  - No Personal Devices: Personal internet devices, computers, and Wi-Fi routers are strictly prohibited from connecting to the AIIMS intranet.
  - Software Updates and Antivirus: Significant efforts were made to ensure all software is kept updated and proper antivirus installations are maintained across the system.
- Staff Training: The incident emphasized the critical importance of consistent training and awareness programs for all employees, so that they can recognize and respond effectively to potential cyber threats.
- National Cybersecurity Response Framework (NCRF): The AIIMS attack served as a catalyst for the government to formulate a comprehensive national cybersecurity response framework, aiming to ensure that critical sectors adopt a uniform approach to handling cybersecurity incidents.
- Auditing and Assessment: CERT-In initiated regular vulnerability assessments and penetration testing of computer systems, networks, and applications involved in public service delivery, including those under the Ayushman Bharat Digital Mission (ABDM).
The AIIMS cyberattacks serve as a stark reminder of the evolving and sophisticated cyber threats faced by
critical infrastructure globally. They highlight the continuous need for vigilance, proactive investment in
robust cybersecurity defenses, and a comprehensive national strategy to protect essential services.