New Delhi: The server of All India Institute of Medical Sciences (AIIMS) Delhi remained hacked for more than a week. It is feared that the data of around 3-4 crore patients could have been compromised due to the breach.
It created anxiety and fear as the hospital had to shift its patient care services in the emergency, outpatient, inpatient and laboratory wings to manual mode as several hospital servers remained down.
The India Computer Emergency Response Team (CERT-IN), Delhi Police, and Ministry of Home Affairs representatives are still examining the ransomware attack.
Some reports suggest that it was an attack from one of the non-friendly states.
Also, reports suggested that the hospital received some ransom calls but there was no confirmation.
The AIIMS server has stored data of several VIPs, including former prime ministers, ministers, bureaucrats and judges.
A case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police on November 25. Internet services were blocked on computers at the hospital at the recommendations of the investigating agencies.
Are we prepared to face cyber theft and crime?
International or domestic law is still under development regarding how to control mega cyber-crimes. Notwithstanding some new international and domestic laws, it remains a significant challenge to identify, control and arrest criminals beyond geographical boundaries.
While society, and most of us, with the ongoing digital comforts and use of the virtual world, are more exposed to cyber-crime threats, Chances are that our complete data is now available on the darknet, and our privacy is exposed and compromised.
Millions of cyber-crimes are reported across the world every day. In India, we find more than 10,000 cyber-crimes registered with different police and other agencies every day.
But the attack on hospitals, educational institutions or any important use of public essential service, more so on hospitals, is not only a crime against humanity but a murderous attempt on the lives of hundreds of patients, students, and researchers.
Some of the recent global cyber-crime against hospitals are:
Despite being a global crime, worldwide hospitals are facing the hacking of their records—dysfunction of their systems etc.
Cyber attacks on hospitals affected million in the U.S. On October 3, 2022, a major health system that operates over 1,000 hospitals in U.S. and care facilities across 21 states was hit by a cyberattack that impacted millions of Americans. CommonSpirit Health was hit with a cyberattack that forced the health company to take specific computer systems offline "as a precautionary step." In comparison, it remains unclear whether patient health information was compromised.
Non-State actors are using cyber-attacks: Iranian-back Hamas terror group have stepped up its cyber activities against Israel. A report published by Washington-based think tank the Atlantic Council has warned to take the challenge seriously. According to the report, the U.S. overwhelmingly focuses its cybersecurity concerns on the "big four" nation-state adversaries — China, Russia, Iran and North Korea — non-state actors are becoming increasingly organized and efficient in cyber warfare.
In India: The cyberattack immobilized AIIMS' e-hospital system – including appointments and registration at outpatient departments (OPD), billing at inpatient departments (IPD), laboratory report generation, and smart lab, among others.
Last year, Mahatma Gandhi Memorial (a trust-run) hospital in Mumbai was affected by a similar cyber-attack. The hospital administrators found their systems locked and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it.
According to Indusface, a software security company, there were more than 1 million cyber-attacks of various types across Indusface's global healthcare clientele. Of these, 278,000 attacks were reported in India alone.
Why are hospitals targeted?
Healthcare organizations deal with vast amounts of personal and private data, which can be hugely valuable for criminals and terrorist groups. So, Hospitals, pharmacies, care centres and other healthcare organizations are prime targets for cyber-criminals.
Healthcare organizations always take it easy; sometimes, they need help investing in the latest security technologies, making them easy targets for cyber-crime, from scams to sophisticated ransomware.
Cybercriminals have exploited the COVID-19 pandemic. Data breaches in Healthcare have climbed for the past five years, rising a massive 42% in 2020 when the pandemic hit. Of the total ransomware attacks reported in 2020, 60% targeted the healthcare sector. Cybercriminals are taking advantage of such situations.
Which cyber threats are most at risk in healthcare?
Ransomware
The cyber-attack healthcare organizations are most at risk of is ransomware. Between July and September last year, researchers found that 68 healthcare ransomware attacks had taken place worldwide. 60% of healthcare ransomware attacks occurred in the United States, with medical clinics being the most frequently attacked.
A report from Sophos found that 34% of healthcare organizations were reportedly affected by ransomware globally in 2020. Of that number, 65% of healthcare organizations reported that cyber-criminals had successfully encrypted data. A further 34% paid the ransom to get their data back.
Phishing
Phishing is one of the most common cyber threats across the board, with 81% of organizations affected by phishing last year. Healthcare is no exception, and phishing attacks are one of the most common attacks in the healthcare sector. Phishing can range from mass email campaigns to trick employees into giving up passwords to highly targeted campaigns to illicit fake invoice payments.
During the height of the COVID-19 pandemic, phishing attacks rose by a staggering 220%. Email-related cyber-crime, including phishing attacks and business email compromise in the healthcare industry, rose by 42% last year.
Laws on hacking in India
Section 43 and section 66 of the I.T. Act cover the civil and criminal offences of data theft or hacking, respectively.
Under section 43, a simple civil offence where a person, without permission of the owner, accesses the computer and extracts any data or damages the data contained therein will come under civil liability. The cracker shall be liable to pay compensation to the affected people. Under the ITA 2000, the maximum cap for compensation was fine at Rs. One crore. However, in the amendment made in 2008, this ceiling was removed. Section 43A was added in the revision in 2008 to include a corporate shed where the employees stole information from the company's secret files.
Section 66B covers punishment for receiving stolen computer resources or information. The penalty includes imprisonment for one year or a fine of rupees one lakh or both. Mens rea is an essential ingredient under section 66A. Intention or the knowledge to cause wrongful loss to others, i.e., the existence of criminal intent and the evil mind, i.e., the concept of mens rea, destruction, deletion, alteration or diminishing in value or utility of data, are all the primary ingredients to bring any action under this Section.
The jurisdiction of the case in cyber laws is mainly disputed. Cyber-crime does not happen in a particular territory. It is geography less and borderless. So, it gets tough to determine the jurisdiction under which the case has to be filed. Suppose a person works from multiple places and his data gets stolen from a city while he resides in another city; there will be a dispute about where the complaint should be filed.
How to counter it? Masses need more awareness and training
Masses need to be aware of hacking/Phishing and where to reach in case of e- causality. Hacking poses a severe threat to the virtual world. Only a few people in the country are aware of this theft. There needs to be more awareness in the country regarding hacking and cracking.
The laws made by the government are stringent but lack a bit of enforceability and awareness in society. Most of the minor hacking cases go unnoticed because people abstain from filing cases for petty crimes even when there is harsh punishment.
It is sometimes difficult to track a virtual hacker. Since hacking can happen anywhere in the world, it gets tricky for the police to trace the culprit and punish them in another country.
What does one need to do?
Notify the concerned authorities. Write a complaint about cyber-crime. It can be filed at any cyber cell globally. There are various cyber-crime cells in India; a complaint can be filed at any of these. In India, there is National Cyber Crime Reporting Portal.
* Firstly, write an application to the head of the cyber cell department, and the complaint should contain the name, address, Email and telephone number.
* Secondly, submit some supporting documents with your complaint to the cell;
* Server logs- log files that get automatically with the server when files are opened. It saves a list of activities performed on a day-to-day basis.
* Hardcopy and soft copy of the defective material- all the material that the hacker has tempered with must be submitted to the cyber cell as evidence.
* A hard copy of the original web pages and the defaced ones- documents of both the original and defaced material should be submitted to make the work easy to locate the defaced or tampered material.
* Details of the control mechanism where the complainant needs to tell the details of those who had access to the password and the computer.
* If there is suspicion of any person, a list of the suspects should be given for further reference that helps the cyber cell in the investigation.
Nowadays, there are even provisions for the complainant to access the complaint filed and check the status online without going anywhere.