If the number of patient records held captive by the ransomware attack on AIIMS servers was to be the population of a nation, it would be the 38th most populated country in the world at almost 4 crore. That would be just behind Afghanistan and just ahead of Poland! There would be 157 countries and 29 overseas colonial territories behind it, in population. It would be foolish to underestimate the scale of this attack!  

In its HIMS (Hospital Information Management System), a hospital stores tonnes of information ranging from administrative to personal to highly sensitive. Imagine if this were to be sold on the dark web! Further, just imagine if one hospital has 4 crore patient records, how many such records would be there in other hospitals? No wonder then, that by some accounts Indian health care sector is the second most targeted in the world.  An observation is, that these attacks have gone up in days after the pandemic, because digitisation in some instances may not have kept pace with IT security / defences.

How do ransomware attacks take place? To begin with, no system is always hundred percent fail-safe. Cyber attackers need access to identities. Such an identity could be a user, or a machine. A user gets compromised once their credentials fall into the wrong hands. A machine gets compromised if it falls into the wrong hands. Let us say that an IT user’s laptop is compromised due to phishing or malware or any other attack. And the laptop has privileged access to the organisation’s sensitive resources like applications, database etc. There, you have a condition ripe enough to expect an attack if you do not have counter measures. A machine could also get compromised if it cannot defend itself, say it is behind obsolete firewalls, or it does not have proper anti virus protection. Email can be a very handy vector to deliver malware to such a machine.  

Once attackers have such an access, an attack is mounted. The attackers hold information captive in the attacked party’s system itself. They encrypt this information denying its owner access to it. The attacked is then blackmailed into providing something of value in exchange for decrypting the information by providing a key.

Can such attacks be prevented? For sure. What needs to be done? The list below is not exhaustive, but a good one to begin with.

  1. A comprehensive Privileged Access Management solution can keep privileged accounts away from malicious code or software/ransomware. Privileged identities of both machines and humans need to be properly secured.
  2. Implementing an advanced Muti-Factor Authentication (MFA) solution.
  3. Conduct regular third party cyber safety audits of the identities, and implement audit recommendations. In a lot of places the recommendations are documented, but ignored.
  4. Access to information should never go unregulated. Again, having Privileged Access Management helps by providing the least privilege access and zero trust.
  5. Run user awareness programs on how breach may happen, how phising attack works, identities get compromised, or are stolen.
  6. Isolate the access to core network. Only designated network admin(s) should have access to it.
  7. The anti-virus definitions on end user equipment need to be latest. Patch the systems, software & OS regularly.
  8. Maintain redundant online and offline backup in different and secure places.

We can custom make anti-ransomware checklists for your organisation depending on your IT systems’ maturity.   

Reach out to our in-house Cyber Protection experts. They are happy to get on a call with you +91 8800896811 / info@erasmith.com.

, , , , , , ,