Cyberattack on top Indian hospital highlights security risk

The attack on AIIMS crippled operations because patients could not register for appointments and doctors could not access medical records.

India’s capital city’s leading hospital limped back to normal on Wednesday after a cyberattack paralyzed its operations for nearly two weeks.

Online patient registration resumed on Tuesday after the hospital was able to access the server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen defenses.

It is unclear who carried out the November 23 attack on the All India Institute of Medical Sciences or where it came from. The hospital authorities did not respond to requests for comment.

The attack was followed by a series of failed attempts to hack into India’s premier medical research organisation, the Indian Council of Medical Research. This led to further concerns about the vulnerability of India’s health system to attacks at a time when the government is pressuring hospitals to digitize their records.

Since its launch in September 2021, more than 173,000 hospitals have signed up to a federal program to digitize medical records. The program assigns patient numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.

“Digitizing an entire healthcare system without actually protecting it could pretty much spell the end of an entire hospital. It suddenly stopped working,” said Srinivas Kodali, a researcher with the Free Software Movement of India.

That is what happened to the hospital in New Delhi. Healthcare workers could not access patient reports because the servers that store lab data and patient records had been hacked and damaged.

The hospital normally treats thousands of people a day, many of whom travel from faraway places to access affordable care. Always busy, queues at the hospital got even longer and more chaotic.

“The whole system is not working because of the hack,” said Deep Ranjan, who came to New Delhi from the northeastern state of Assam. He said he waited in line for five days and still hadn’t seen a doctor.

Sandeep Kumar, who accompanied his ailing father, said the digital attack meant appointments could not be booked online and there was little doctors could do when they saw patients because they could not access their medical histories.

“We are digitizing [everything]but then there is an attack on the country’s most important medical institution,” he said.

On Nov. 30, there were repeated but ultimately unsuccessful attempts to breach the Indian Council of Medical Research website, the Press Trust of India news agency reported.

The attack on the hospital raised “serious questions about the country’s cybersecurity,” said KC Venugopal, a member of parliament from the main opposition Congress party.

India drafted a bill last month to regulate data privacy, but critics said it offers few safeguards to people. It has not yet been approved by parliament.