- Shefali Malhotra, global journalism fellow and health policy researcher
In November 2022, one of India’s leading hospitals, the 3000 bed All-India Institute of Medical Sciences (AIIMS) in New Delhi, had its computer servers knocked out by a ransomware attack.
Ransomware is a type of malicious software that locks an organisation out of its computer systems or data, typically by encrypting them, until it pays a large amount of money to the hackers. The AIIMS attack crippled a wide range of services, including patient registration, online appointments, diagnostic report generation, and billing, as well as administrative systems such as salary disbursal and drug procurement. Indian media reported that the hackers demanded a ransom of Rs2bn (£2m; €2.2m; $2.4m) in cryptocurrency,1 a claim denied by the government.2
For almost two weeks, these services had to be managed manually, leading to long queues and adding to patient waiting times. But while online services have now resumed, with data restored from a backup server, the personal data of more than 30 million patients and healthcare workers, including several cabinet ministers and senior bureaucrats, may have been compromised.3 Contrary to media reports, the Indian government has denied that any ransom was demanded, and Delhi police are still investigating.
Hospital officials have refused to comment. However, the incident has prompted much soul searching and inevitable questions about whether a country which is a world leader in information technology has enough safeguards for its desired digital revolution in healthcare.
“AIIMS is one of our premier hospitals,” says Mahesh Verma, professor emeritus and former director of the Maulana Azad Institute of Dental Sciences, another public hospital in Delhi. “If cyberattacks can happen there, they can happen anywhere in the country. It can just paralyse the entire system.”
According to CloudSEK, a cyber intelligence company based in Bengaluru, India’s health sector is the second most targeted for cyberattacks in the world, accounting for 7.7% of all attacks on healthcare institutions in 2021 (only the United States, with 28%, has more).4
And the attack came just as AIIMS was preparing to go completely paperless in 2023—something the Indian government is pushing hard in an attempt to modernise a healthcare system serving over 1.4 billion people, not all of whom have electronic medical records.
In 2021, the US Federal Bureau of Investigation classified healthcare and public health as one of 16 sectors essential for the functioning of a society and economy.5 “Healthcare data is important first from the point of view of individual privacy,” says Subimal Bhattacharjee, a cybersecurity expert who once headed the Indian unit of General Dynamics, the US defence equipment supplier.
What are the key dangers of a cyberattack? When put together and run through various artificial intelligence and modelling software, data of individuals from a particular geographical location, community, interest group, or political inclination can give patterns and predictions that could have security implications much larger than privacy, he says. For instance, concerns have been raised about the safety of politicians treated at AIIMS, including several prime ministers. “That’s before we even get to the possibility of death and damage to health if anything happens to healthcare data in healthcare facilities,” Bhattacharjee says.
Unfortunately, where such danger exists, so do those seeking to exploit it. The Delhi ransomware attack was one of several involving prominent healthcare institutions around the world in 2022. In October, Australia’s top health insurer, Medibank Private Limited, lost the medical information of 9.8 million customers to a cyberattack.6 In the US, CommonSpirit Health, a large non-profit hospital chain, reported “an IT security issue” that forced it to take down some of its systems. And the UK’s National Health Service had its latest attack in August,7 when Advanced, a company that provides software for 140 different NHS trusts,8 had its platforms taken offline.
It’s not just high income countries that are targeted either. In 2021, the Brazilian health ministry had two cyberattacks within a week of each other,9 compromising the platform that holds covid-19 vaccination data. In early 2022, a South African pharmacy chain, Dis-Chem, confirmed an investigation into the data breach of 3.6 million people.10
In India, the Delhi incident has put a spotlight on the Indian government’s ambitious push to digitise patient records and hospital services through a programme known as the Ayushman Bharat Digital Mission. The programme was launched by Prime Minister Narendra Modi in 2021, and the government has committed Rs16bn to it over five years.11 For 2023-24, the government has committed Rs3.41bn.12
So far, more than 320 million Indians have been allotted a digital identity and over 173 million health records have been digitised and linked to these IDs.13 Similar versions are being implemented in other low and middle income countries, such as South Africa and Brazil.
“The government is pushing very hard on digitisation,” says Verma. “It is certainly needed, not only to streamline hospital processes but also to improve treatment outcomes for patients. Patients move between hospitals and cities. Now, patient information will be easily accessible for any physician in any part of the country.”
Local digital health applications, healthcare facilities, and professionals have also joined the Ayushman Bharat programme. From this year, the Indian government is providing financial incentives to encourage more to sign up for the programme.14 It is now building an online network, the Unified Health Interface,15 where all the different stakeholders can seamlessly interact with each other to make available health services such as booking doctors’ appointments and finding critical care beds, laboratories, and diagnostic services. Indians will no longer be limited by the website or mobile app they are using.
By July 2022, about 919 digital health apps, developed by the government and private entities, had joined the Ayushman Bharat programme.16 The eHospital app, a health information system developed by the Indian government for its public hospitals, is one of them. Launched in 2015, the app runs hospital functions, such as patient registration, admission, discharge, billing, and clinical records. To date, 1128 public hospitals—including AIIMS New Delhi—are using the platform.17
The responsibility for storing and protecting all the data collected through eHospital lies with the hospitals. In the attack, AIIMS lost access to five of its servers that were being used for eHospital. Indian media reported on a “preliminary fact-finding report” that flagged several cybersecurity lapses at AIIMS, including the absence of “managed switches” (network switches that can be configured and monitored, allowing traffic to be segmented and unauthorised devices to be kept off the network) and a firewall that had not been configured properly.18
The haves and the have nots
The cost of cybersecurity varies according to the size of the organisation and type of data. According to Proven Data, a US computer security company, common cybersecurity expenses include firewall protection ($1500-15 000), endpoint security and antivirus software ($100-2000 a month), email protection ($3-6 per user a month), two factor authentication ($0-10 per user a month), hardware security keys ($30-60), and periodic vulnerability assessments ($1500-10 000).19 In addition, organisations train their staff in cybersecurity and undertake web application assessments, security architecture reviews, and threat monitoring regularly.
Most public hospitals in India, already facing severe shortages in infrastructure, staff, and essential supplies,20 are likely to struggle to invest in cybersecurity. Greg Austin, senior fellow for cyber power and future conflict in the Singapore office of the International Institute of Strategic Studies, says: “The really big question is at what point will the hospital decide they have to invest x percent of their operating budget in cybersecurity, when they know they don’t have enough money for anaesthesia services or a fifth operating theatre.”
India’s privately run hospitals—comprising over 62% of India’s health infrastructure—are not immune to cyberattacks. Not long after the AIIMS attack, the personal information of 150 000 patients who visited the Sree Saran Medical Centre, a 100 bed private hospital in the southern state of Tamil Nadu, between 2007 and 2011 was found on sale on several cybercrime forums.21 The year before, 200 000 patient records from another private hospital in Kochi, in the southern state of Kerala, had reportedly been leaked on the internet.22
Some private hospitals can afford to invest in, and improve, cybersecurity. For instance, Arun Goyal, chief information officer at Sir Ganga Ram Hospital, a 675 bed private facility in Delhi, told The BMJ that they had “purchased and implemented a globally-identified health information system, InterSystems TrakCare, which is managing all our services starting from appointments to billing, admissions, discharges, purchases, stores, pharmacy, everything.”
Likewise, the 80 bed Dr A Ramachandran’s Diabetes Hospital in Tamil Nadu has been digitising its services since 2007. The hospital is working with a local developer to build its health information system, DiaHome, and storing patient data on the Google Cloud Platform. “Our developer tells us that the system is following all HIPAA [Health Insurance Portability and Accountability Act] compliance norms. We use a credential-based system where no one can see the data unless granted access,” says Satheesh Krishnamurthy, the hospital’s senior research officer. “Our developer maintains all log details. When there is an issue, we look at the logs. We now plan to audit them more frequently.”
Goyal is confident his hospital is less vulnerable to cyberattacks than AIIMS because it is not exposed to a public network like eHospital. “We are working in a closed environment and have no exposure outside.”
That said, both Sir Ganga Ram and Dr A Ramachandran Hospitals told The BMJ that they plan to join the government’s Ayushman Bharat programme. How that will work or affect these hospitals’ security remains to be seen.
“The whole point of the programme is to democratise access to healthcare in the country,” says Arjun Kang Joseph, senior research analyst at the Carnegie Endowment for International Peace India. “The incentive for large hospitals, who have already established systems to provide healthcare services digitally, is extra business. The smaller players have costs to absorb, not only in terms of money but also the man hours needed to go digital, which is why they are less incentivised to participate.”
Conscious that there may be an increased risk of cyberattacks, Krishnamurthy expects the Indian government to support the hospital in building cybersecurity capacity. “Ideally speaking, we need to invest more. It has become more costly than before. Earlier, most of our expenses were related to hospital services, now it is totally on data security. If the cost goes up at this rate, we won’t be able to keep spending.”
Both the National Health Authority, responsible for implementing the digital health programme, and the Ministry of Electronics and Information Technology, responsible for overall cybersecurity, declined to comment on the wider issue of health data security in India.
However, some experts think India might be moving too fast for its security to keep up. “The general state of cybersecurity in India is not where the government would want it to be,” says Austin.
Disappointed that the Indian government has still not published its promised cybersecurity policy, Austin wonders how it will support specific sectors against vulnerabilities. “Building strong cybersecurity capability in healthcare facilities means training the people at the keyboards. There aren’t too many hospitals in the world who feel they can afford the luxury of diverting their staff from hospital duties to training them in cybersecurity.”
A 2016 study, published in Healthcare Informatics Research, revealed that most public hospitals and dispensaries in India had little information technology infrastructure.23 Questions remain how the underfunded public health infrastructure in India will accommodate cybersecurity systems and training in its budget. “Certainly, governments have a very clear obligation to be supporting the health sector,” says Austin.
Bhattacharjee agrees. “The cybersecurity policy was announced back in 2013. A decade has passed and we still don’t have an updated policy,” he says. Joseph is concerned that the proposed data protection law does not treat health data as sensitive personal data. “Earlier iterations of the bill classified health data as sensitive, which meant it had a certain extra set of protections. The latest version has done away with this,” he says. “It’s a mistake to treat health data as similar to other kinds of data.”
Experts say the Indian government will also need to give higher priority to regulating cybersecurity systems and practices in all health facilities. Bhattacharjee is urging government authorities to classify the health sector as critical infrastructure, as in the United States. (That said, a 2022 survey of 641 US information technology and security practitioners in healthcare organisations, found the majority of American healthcare facilities were challenged by a lack of in-house expertise and insufficient staff for cybersecurity.24)
Austin says the Indian government should set stricter compliance standards for cybersecurity at health facilities, support IT training for healthcare workers, and consult more closely with experts in the field.
It has at least unveiled several cybersecurity initiatives since the AIIMS attack. The minister of state for electronics and information technology, Rajeev Chandrashekhar, expects new laws on data protection and regulation of information technology to be taken up in parliament in an ongoing session that started on 31 January 2023.25 His ministry also informed parliament shortly before Christmas that it had completed a draft of the new national cybersecurity policy.26 However, the document has yet to be made public. Reportedly, the Indian government is also working on building a national counter ransomware taskforce and drawing up national information security policy guidelines to prevent such attacks in the future.27
“Many things are being done,” says Bhattacharjee. “But things have to be done far more proactively because attacks on Indian networks are growing. Every institution and organisation has to be prepared, which includes getting the right budget and priorities. I don’t think it is commensurate with what it should be.”
Competing interests: None.
Commissioned, not externally peer reviewed.