[This piece has been authored by Sean McDonald, a student at the School of Law, NMIMS, Bengaluru.]
ABSTRACT
The blog delves into the present state of India’s poor cyber-security regime and infrastructure through the lens of the recent ransomware attack on its premier government hospital. The attack brings to light multiple perspectives relating to national security, data protection, cyber-security hygiene and cyber response. Through suggestions, the author calls for better cyber-security awareness and measures to be employed along with dedicated budgetary allowances for the same and the focus on legislative changes governing cyber-security. Given the nature of these attacks transcending boundaries, the author further calls for better, more structured cooperation mechanisms amongst States to tackle the growing plague of cyber-attacks.
BACKGROUND
On 23rd November 2022, the All India Institute of Medical Sciences (AIIMS), one of India’s leading government hospitals was hit by a ransomware attack that disrupted its entire digital operations. Since then and for the next two weeks, operations were conducted manually with digital operations only recently slowly beginning to resume. AIIMS and the National Informatics Centre NIC reacted immediately by bringing this ransomware attack to the public domain and recent news does tell us that the attack did allegedly originate from China. The Delhi Police had prior to this revelation invoked Section 66 (F) of the Information Technology Amendment Act, 2008 identifying the incident as one of cyber terrorism. The ransomware theory has been denied by the government and investigative agencies despite evidence to the contrary with nearly 1.3 Terabytes of data being encrypted. While the backup of the data has been recovered and operations are back on track, there are still many questions left to be answered.
Now, what does this attack tell us, what are its ramifications and how do we move forward? Well, firstly, healthcare in India has not been classified explicitly as a Critical Infrastructure but I argue that it might as well be as it is a core strategic and public enterprise and this particular incident must be looked at from that angle as well. Health data can be argued to be the most sensitive form of personal data and right now data of about 4 crore patients at AIIMS has been compromised and this includes data of individuals such as ministers, judges, bureaucrats etc making this a pertinent national security issue, especially given the present tensions with China.
AIIMS CYBER SECURITY LAPSES AND LEGAL MEASURES
India has been quite a hotspot for cyber-attacks on its healthcare sector, second only to the US in 2021. While the presence of cyber-attacks will always persist and even the best-secured infrastructures can be hacked, what is astounding is that several reports highlighted the risk that the Indian healthcare sector faced which would necessitate that better security measures should have been adopted but this incident is an example of India’s poor situational awareness in this aspect.
Preliminary reports on the incident found several lapses in the Institute’s cyber-security. The firewall had not been configured properly and several switches were left unmanaged which allowed the hackers to gain unrestricted access. According to doctors in the institute, there was a lack of cyber security hygiene with little to no training provided to employees and no frequent security audits being conducted. Even the most basic of anti-virus software was not kept up to date. Under such dilapidated circumstances, it is tough not to blame the institute for its negligence which could lead to dangerous repercussions for the patients.
What is of even more concerning nature is the entire incident since initially reported has been shrouded in a veil of confusion and ambiguity. There is confusion in the public if this is truly a ransomware attack and if it is, whether a ransom has been demanded and how much. Multiple investigative bodies ranging from the Delhi Police to CERT-In and National Investigation Agency (NIA) etc are currently probing the incident and it begs the question of whether one too many cooks spoil the broth. The attack has massive implications given India’s lack of a data protection law because of which there is quite literally no redressal if data of such high value is sold on the dark web or manipulated for malicious gain. The previous iteration of the law created a separate category of health data under sensitive personal data which no longer exists under the now-present Digital Data Protection Bill but the exemption afforded to the State to exempt any of its agencies from the provisions of the Bill continues to remain. If this was in force today, what is to stop the government from exempting AIIMS from the provisions of the Act and end escaping all liability?
The government and its agencies must be held to the same level of accountability in protecting the sensitive personal data of its citizens This incident should be a wake-up call for change in India’s proactive cyber security response. It is not enough just to react after an attack has taken place but to protect against such attacks in the first place.
SUGGESTIONS AND CONCLUSION
Speaking from a cyber-security perspective, it is clear that infrastructure must be revamped with significant budgetary allocation towards improving security measures for critical infrastructure systems and also maximizing capacity for bodies such as CERT-In. India would benefit from having a central cyber command comprising of the CERT-In and National Critical Information Infrastructure Centre (NCIIPC) along with support from platforms such as the National Resilience Centre for Cyber, Centralised Malware Analysis Platform, and Centralised Dark Web Monitoring Platform. Next, in the event such an attack does take place in the future, India can adopt a 3-2-1 approach wherein 3 copies of data are stored at all times, 2 online and 1 offline to ensure the functioning of the system does not come to a standstill. Lastly, awareness towards better cyber security protocols and crisis management drills must be undertaken to better understand and be aware of the sophisticated nature of threats and attacks.
Along these lines, on a related note, this incident should also ignite the discussion surrounding a dedicated cyber security law in India (currently only the Information Technology Act, 2000 and Indian Penal Code, 1860 deal tangentially with cyber-crimes but are not sufficient) and also bring back to the forefront the National Cyber Security Strategy. These attacks take place on a global scale transcending jurisdiction, hence vigilance and cooperation amongst states must be more efficient. At present the Counter Ransomware Initiative and the Group of Government Experts (GGE) lack teeth and need to be overhauled in favour of a better, more structured, cross-border cooperation mechanism.