
Before getting into the case study of the cyber attack and how it happened, we must know what AIIMS is. AIIMS is one of the most prestigious medical institutions in India and serves as a major healthcare provider for the country. It is also a hub for medical research and education, with a large number of international collaborations. The cyber attack on AIIMS therefore had far-reaching consequences and highlighted the need for better cybersecurity measures for critical infrastructure.
To understand any incident, we must study the root of the problem: there is usually some shortcoming that existed in the past and that nobody cared about, so let's see when and where things went wrong. It all started after AIIMS moved to a completely digitised set-up in 2016. The hospital's administration had raised major concerns about data and systems safety, and had also flagged how lags could have serious repercussions on patient care. It was further reported that the digitisation was done shabbily and hastily. Staff were simply told to move to an online system for bookings, appointments and other services, but no cybersecurity measures were taken and no internal cyber security division was set up to handle such situations.
Now let's see how the problems that were swept under the carpet in the past accumulated and collectively gave birth to a larger one. On November 23, 2022, the e-Hospital application used by AIIMS Delhi to manage appointments and consultations stopped working after the servers on which this application and its database were hosted became the target of a cyberattack. It was reported that the last successful login into e-Hospital was at 49 seconds past 7.07 am, suggesting this was when the last of the servers was infected.
To tackle the situation, the hospital's operations were switched from computerised to manual, since the hospital could not be shut down for days until the situation returned to normal. When the internal staff of AIIMS could not handle the situation, it was time to call in the cavalry: units from the Indian Computer Emergency Response Team (CERT-In) within the Ministry of Electronics and Information Technology, the Delhi cybercrime special cell, the Indian Cybercrime Coordination Centre, the Intelligence Bureau, the Central Bureau of Investigation (CBI), the National Forensic Sciences University, the National Critical Information Infrastructure Protection Centre and the NIA.
It was reported that a case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police on November 25.
During the initial audit of the incident, it was found that the data breach had reportedly compromised the data of nearly 3–4 crore patients, including sensitive data and medical records of VIPs. Several VIPs, including former prime ministers, ministers, bureaucrats and judges, had their data stored there. Around 38 lakh patients are treated at AIIMS every year, and all their data is lost now. The exploited databases contain Personally Identifiable Information (PII) of patients and healthcare workers, as well as administrative records on blood donors, ambulances, vaccination and caregivers, and employee login credentials.
Five servers of the All India Institute of Medical Sciences (AIIMS) were affected, and an estimated 1.3 terabytes of data was encrypted by the ransomware.
The government informed the Lok Sabha on Tuesday that the cyber attack at the All India Institute of Medical Sciences (AIIMS) in Delhi took place because “unknown threat elements” tampered with the hospital's IT (Information Technology) servers owing to “improper network segmentation”. After the initial probe, it was noted that two Protonmail addresses belonging to the attackers had been mentioned in media reports: “dog2398” and “mouse63209”. Two IP addresses were traced to Hong Kong and Henan province in China. But this limited information is not sufficient to make any judgement about who was responsible.
Experts from India's Computer Emergency Response Team (CERT-In) examined the affected servers and on November 24 found that four servers – two application servers, one database server and one back-up server – were infected, leading to multiple databases being encrypted.
Then, once the incident was brought under control, antivirus solutions were installed on nearly 1,200 of the 5,000 computers available. Twenty out of fifty servers had been scanned, and this activity was ongoing 24 hours a day, seven days a week.
Now it was time to make some policy changes to handle any such situation in the future. To this end, new initiatives such as the National Counter Ransomware Taskforce (NCRT) and the National Information Security Policy Guidelines (NISPG) were discussed by the government to protect critical assets.