11 December,2022 11:10 AM IST | Mumbai | Yusra Husain
Patients wait outside the OPD at All India Institute Of Medical Sciences (AIIMS) Delhi, on August 2, 2019. In its annual report of 2020-2021, the hospital reported over 15 lakh patients in its OPD, over 1.4 lakh admissions and more than 72,000 surgeries. This data was compromised during a ransomware attack on November 23. Pic/Getty Images
On November 23, AIIMS (All India Institute of Medical Sciences) Delhi suffered a massive ransomware attack, which prevented the super-specialty hospital from accessing its own systems. The attack went on for almost two weeks with reports of hackers, allegedly from China, demanding Rs 200 crore in cryptocurrency to give AIIMS Delhi a hold of its data again. The attack came to the fore when patients were unable to use a key application of the hospital to take doctor appointments, access their diagnostic test reports or register on the system for treatment.
Ransomware is one of the biggest challenges in cyber security today, but it can be potentially damaging when it hits hospital chains that store medical records, diagnostic test reports and health data of individuals on their servers.
AIIMS Delhi, for instance, has sensitive medical data of politicians and celebrities. In its annual report of 2020-2021, the hospital reported over 15 lakh patients in its outpatients department (OPD), over 1.4 lakh admissions and more than 72,000 surgeries. When such a vast pool of data is hacked, it can severely affect patient care and delay health services.
Over the last few weeks, many health institutions have been grappling with the problem. After AIIMS Delhi, Sarfdarjung Hospital's server was also compromised. There were reports that hackers had also made more than 6,000 attempts to crack through web data of the Indian Council of Medical Research (ICMR), and had failed.
Tamil Nadu's Sree Saran Medical Centre (SSMC) was worst hit. Data of close to 1.5 lakh patients, of which at least 50,000 was said to be from SSMC, was put on sale on the dark web for as low as $100. CloudSEK, a Bengaluru-based contextual AI company that predicts cyber threats, had first found SSMC data on sale on the dark web during one of its monitoring exercises on November 22. "We could read names, numbers and illnesses of SSMC patients. The data was not encrypted," Rahul Sasi, co-founder and CEO of CloudSEK tells us over a phone call from London. "Putting out patients' medical records is deplorable. Not a lot of people want others to know their diseases or why they went to a hospital. It may be a hindrance in a job or any other life event."
According to him, several major pharmaceutical companies are "interested in knowing what kinds of drugs are being used in the market and which among them are producing results". "Such leaks can help them. Corporate giants can also buy this sort of medical data not directly, but through third party agencies and hackers can also ransom your data causing financial loss," Sasi adds.
A former faculty at the biostatistics and health informatics department of Sanjay Gandhi Postgraduate Institute of Medical Sciences (SGPGIMS), Lucknow, who wished to remain anonymous, explains how pharmaceutical companies could benefit from fudging leaked medical records. "Imagine a pharma company is trying to launch a new product - if they get their hands on such data, they can fudge it to show evidence to support their own product, without actually spending a dime on real research and clinical trials. This may especially be harmful if that drug comes out in the market, and there are major issues and side-effects to it. You never know which company is real about their data, which one is fudging, and both have data to present." In 2019, hackers reportedly stole data of 68 lakh patients from an Indian healthcare website allegedly for cancer research.
For Dr Sudeshna Ray, senior consultant of gynaecology at Jaslok, Sir HN Reliance Foundation and Breach Candy hospitals, "the eerie feeling of being tracked online" and the "breach of privacy" cannot be ignored when healthcare data is made available digitally. "On a larger level, it is convenient for both patients and doctors to keep an electronic health record. But the feeling of being followed because of pop-up advertisements that are based on AI systems reading through your data, or prompts when using search engines, or seeing products related to a diagnostic test you have taken, is disturbing. Someone is constantly watching you."
Dr Ray follows manual record-keeping where she tells her patients to bring back the records, her notes or test reports with them on the follow-up visit. "If I don't tell them about this in the beginning itself, 60 per cent of the patients do not get the records along. They assume I will have them on the system. But I prefer not to keep such private records on a cloud. I do keep some records in my personal folder, but it is not always practically possible to instantly sift through them." Dr Ray says she attends to over 30 different patients in a week, which makes it impossible to bank on memory entirely. "My anxiety with cloud servers is the breach of privacy. Patients come to me with private issues and I don't want the information to be leaked from my end. Any data falling into the wrong hands, can be used and misused," she believes.
A report by CloudSEK released in August this year revealed that the number of cyber attacks against the healthcare industry globally have increased by 95.34 per cent in the first four months of 2022 as compared to the number of cyber attacks in 2021, during the same period. India was second after the US, among the top five countries targeted by cyber attacks, getting 7.7 per cent of the total attacks on the healthcare industry in 2021, the report further stated. The most targeted data types were vaccination records, personal identifiable information (PII) of healthcare workers, PII of patients, administrative login credentials and financial records.
In August 2021, a hacker published a post on a Telegram channel advertising compromised user information from an Indian e-commerce pharma platform. In two separate incidents, hackers published a post on a cyber crime forum and a Telegram channel advertising the records of 150 million Indians who had received the COVID-19 vaccination, selling it for $800 and $1,000 respectively, which was also believed to be a scam, the report claimed.
"We are sitting on vulnerable health technology infrastructure. Organisations implement what they perceive is required at that time, but prevention and security is not a priority," says cyber security researcher and ethical hacker, Ehraz Ahmed. "All data is useful. With medical records, insurance companies can be sold the data for cold calling, or hackers can use the PII to blackmail people, extort money and impersonate hospital staff to cause financial loss," he adds.
Dr Muffazal Lakdawala, director, Minimal Access to Surgical Science and General Surgery, Sir HN Reliance Foundation Hospital says, "Protected health information (PHI) is known to be one of the most valuable types of information that hackers look for."
This PHI, he says, contains sensitive information not just about the patient, but also about the treating doctor, diagnostic labs and pharmacies. "It can be used to generate fake prescriptions, receive treatment or make fake medical claims. These actions can cause long-term and widespread chaos for those whose information has been stolen."
He points to a 2018 Trustwave Global Security Report that investigated the price values of different types of stolen data sold on the dark web. "The report published that the average health case record for one person is sold at a price 50 times more than the details of payment cards."
PHI also has a longer shelf life when compared to other forms of information that can be stolen. "When a person's credit card information is stolen, they typically realise it quickly and then are able to cancel the card, saving themselves from any other risk. However, with PHI, especially a medical record that may contain a few different forms of personal information, the information can be used over different periods of time without the victim knowing about the breach," says Lakdawala.
The spurt of AI models in healthcare, which require access to large quantities of patient data, has also posed a novel challenge. "The hacked health records can be used for generation of these models and can cause further monetary incentives for such cyber-crime attacks. It is imperative that these AI models declare the source and consented access of patient data, with few exceptions," he feels.
The Indian Computer Emergency Response Team (CERT-IN) during its investigation of the AIIMS Delhi attack found major holes in its cyber security. CERT-IN in its India Ransomware Report 2022 stated an overall 51 per cent increase in ransomware attacks across various sectors compared to 2021. India had spent R809 crore between 2019 and 2020 on cyber security and has allocated a budget of Rs 515 crore for 2022-23.
With healthcare data going the digital way due to Ayushman Bharat and Digital India, proper protection measures are the need of the hour. "A majority of the breaches in healthcare are the result of employee error and unauthorised disclosure. Human resources is an already overstretched area in healthcare, so security is hardly a priority, but training healthcare staff to use and secure data is one of the ways to prevent cyber attacks," says Somnath Banerjee, chief information security officer, at cyber security firm, WhizHack Technologies.
"No system is 100 per cent foolproof. If humans have built it, humans can enter it, but there are checks and balances to secure the systems," says cyber security researcher Ehraz Ahmed. He suggests regular backing up of data, training of healthcare staff, use of two-step verification process and blocking internet and pen drive access to data systems. "No matter how many locks you put on your system, the key it to regularly check it and research your own system for any break-in possibilities. Rectify them on time and get some cover," adds Sasi.
