Was AIIMS cyberattack inevitable? Doctors flagged risks soon after hospital went digital in 2016

Documents accessed by ThePrint show that the hospital’s administration had raised concerns to the government about data and systems safety soon after digitization.

Representative image of the emergency ward of AIIMS New Delhi | Credit: Simrin Sirur | ThePrint

New Delhi: In a cramped, heavily guarded computer facility room at the All-India Institute of Medical Sciences (AIIMS) in Delhi, sleep-deprived engineers and faculty were working overtime last week to get the hospital’s server up and running after the massive cyberattack in late November.

Since then, the government-run hospital has taken the official line that the system is getting back to normal and that patients’ data is safe and backed up.

However, documents accessed by ThePrint show that the hospital’s administration had raised major concerns about data and systems safety soon after AIIMS moved to a completely digitised set-up in 2016, and had flagged how lags could “have serious repercussions on patient care”.

Speaking on condition of anonymity, several doctors at AIIMS also alleged that the hospital’s systems had always been vulnerable to attacks since there was neither a rigorous cybersecurity upkeep regimen nor any training given to staff on online hygiene.

“The digitisation was shabbily done. We were simply told to move to an online system for bookings, appointments, and other services. There were no measures taken for cybersecurity,” said one doctor at AIIMS.

The AIIMS cyberattack, which led to the hospital’s entire digital infrastructure collapsing on 23 November, has been described by experts as one of the “biggest” and “most serious” that India has ever seen. The attack, suspected to have been orchestrated by Chinese hackers, could have compromised the sensitive data of as many as four crore patients, including political leaders and other VIPs, possibly leaving them vulnerable to blackmail and extortion.

Much has been discussed about India’s lack of preparedness for cyberattacks in general, but a trail of documents from AIIMS also tells a tale of apparent negligence that runs in parallel with the government’s push for digitisation of healthcare.




Early warnings

On 19 July 2016, the Delhi AIIMS, India’s biggest tertiary care hospital, completed implementation of the e-Hospital project under the Narendra Modi government’s Digital India Initiative. In so doing, it became the country’s first fully digital public hospital.

This transformation of the mammoth institution was trumpeted as a big success and plans were made to replicate the model at other AIIMS and public hospitals. As of last year, 420 ‘e-hospitals’ had been established across the country, according to then IT minister Ravi Shankar Prasad.

But deficiencies in the AIIMS digitisation framework started emerging soon after it was implemented.

Six months after full digitisation, on 9 January, 2017, Dr Deepak Agrawal, from the neurosurgery department, who was then chairperson of the computerisation committee, wrote to the Union Health Ministry.

In his letter, he pointed out that the e-hospital installation by the National Informatics Centre (NIC) — the government department responsible for setting up IT infrastructure — had not been bolstered with appropriate systems for upkeep and security.

“The largest e-Hospital installation by NIC is at AIIMS, New Delhi. However, there is no database administrator, security administrator and system administrator at site for the installation, putting the whole project at risk,” wrote Dr Agrawal.

He added that the NIC did not have the expertise to provide any support in this regard and had asked AIIMS to recruit these experts.

Urging the health ministry to take up the matter with NIC and the Department of Electronics and Information Technology, Agrawal wrote: “[W]ithout these experts there is a major risk to e-Hospital installation at AIIMS, Delhi.”

The response of the health ministry is not known, but four months later, the medical superintendent of AIIMS, Dr D K Sharma, also brought up similar issues in a report about the implementation of the e-Hospital.

Writing to the health ministry, he reported that the AIIMS online registration system was seeing more than 6,500 new appointments and over 5,000 follow-ups daily, but he also flagged major concerns.

“There is no disaster backup for maintaining continuity of operations in case of primary site failure, despite repeated requests to the NIC for the same. This can have very serious repercussions on patient care,” wrote Dr Sharma.

The minutes of the meeting on the progress of implementation of the e-Hospital application in AIIMS on 16 July 2016 say that the NIC is the driving IT force behind the digital transformation done in AIIMS. But Dr Sharma’s letter to the ministry states that the NIC had no service agreement with the hospital.

“There is no service-level agreement with NIC, because of which the vendor (NIC) cannot be held accountable for any lapses in service,” he wrote. “Upkeep time does not meet international standards.”

The hospital also experienced frequent breakdowns of the patient portal and laboratory information system, which led to problems with registration, appointments, and viewing lab reports, Dr Sharma pointed out.

In response to queries from ThePrint, Ravindra Kumar, senior technical director, HOD (e-Hospital and ORS), NIC, said that while NIC provided the e-hospital software used by AIIMS, the hospital operated the system on its own servers, and was responsible for periodic operating system upgrades, as well as keeping anti-virus software up-to-date.

“NIC is primarily responsible for development and maintenance of e-Hospital application software and to provide support in terms of handholding of end-users in the use of applications by hiring outsourced resources,” Kumar said in an e-mail.

He added that following the malware attack, AIIMS is taking steps to make its networks, as well as individual devices using it, more secure. “No cyberattacks or system malfunctioning prior to the current incident is in NIC’s knowledge,” Kumar said.

ThePrint made multiple attempts to contact Dr D K Sharma and Dr Deepak Agrawal through calls, messages, and visits to their offices, but received no response. The health ministry and AIIMS director also did not respond to ThePrint’s queries. This report will be updated if a response is received.

‘Cyber-safety never given importance’

In a 2016 note titled ‘The First Digital Revolution in Healthcare’, V Srinivas, the then deputy director (administration) of AIIMS, described how digitisation had ended the “3 am serpentine lines” at the patient registration centre and the wait time at the hospital was reduced by six hours.

But while digitisation did ease the functioning of the hospital, cyber-safety “was never given importance,” said a doctor at AIIMS, adding: “There are no workshops or seminars organised to inform doctors about digital hygiene. The systematic upgradation of computers at AIIMS is also absent.”

The hospital’s website shows that many doctors are still using personal Gmail accounts for official work.

To prevent disasters, the NIC details steps on how updated anti-virus software should be installed on systems and security audits should be done every six months (or as and when any changes are done to the source code).

But these measures were never implemented, claimed several doctors that ThePrint spoke to. Some say they are still in the dark about the nature of the cyberattack.

“A few days back, the heads of the departments at AIIMS were called for a meeting by the hospital’s director and were simply told to not use any external devices on their computers. No information was given to us about when the system will be restored or how the malware entered the hospital’s system,” said a doctor who attended the meeting.

Another doctor at AIIMS added that the cyberattack had disrupted the process of using the Unique Health ID to make patient records available outside the AIIMS server for more seamless care.

“The process of digitisation was progressing. The idea was to make the patients’ records accessible even in private hospitals if the patient moves out of AIIMS for treatment. But the cyberattack is a big setback,” the doctor said.

AIIMS’ current computerisation committee chairperson, Dr Pooja Gupta, did not respond to ThePrint’s questions. ThePrint also tried to reach out to past heads of the committee, but was unsuccessful.

Not an isolated instance

AIIMS is not the only public health institution reeling under cyberattack. On 30 November, just days after the strike on AIIMS, there were reportedly as many as 6,000 attempts to hack the server of the Indian Council of Medical Research (ICMR).

These tries, which were reportedly traced to a blacklisted server in Hong Kong, failed since the firewall and security measures were up to date.

Last month, the server of Safdarjung Hospital was also down for a day after a cyberattack.

A doctor who worked at Safdarjung Hospital when the process of digitisation was underway there alleged that safety protocols and training were not prioritised.

“The first digitisation drive started department-wise in Safdarjung Hospital in 2019. However, there was no data safety training given. Then during the Covid pandemic, all training programmes were suspended or forgotten,” the doctor claimed.

In March, the National Institute of Mental Health and Neuro Sciences (NIMHANS) had faced a cyberattack, although not at the scale of the one at AIIMS.

(Edited by Asavari Singh)

