NEW DELHI: The All India Institute of Medical Sciences (AIIMS) has not upgraded its computer and IT system for the last 30 years, officials said, days after the country’s premier medical teaching hospital came under a ransomware attack.
Medical records of millions of patients, including VVIPs, were compromised during the 10-day-long attack.
Out-of-date, old equipment and software, and antiquated versions of the Windows operating system were in use to manage medical records up until the attack. The need to upgrade the IT system was raised multiple times with top authorities, but nothing was done about it, the officials cited above said, speaking on condition of anonymity.
“There was no upgradation of the computer and IT facility in the institute for at least the last 30-40 years. Outdated and old equipment without the latest version of Windows were in use. We flagged concerns on this issue many a time to the top administration but no improvement was done. Till date, the computer and IT division was headed by a doctor who does not have any know-how of IT-related work... so there are multiple flaws,” said a senior official at AIIMS.
On 23 November, AIIMS said it was hit by a ransomware attack damaging all its servers. Sunday marked the 12th day of the servers being down and the hospital working manually.
The hospital administration is now planning to frame a cybersecurity policy for the safety of hospital and patient data.
“Under this new cyber security framework, AIIMS is planning to depute a cybersecurity officer and senior IT professionals for IT-related work. A separate network will be created for e-hospital and e-office-related work, while another will be set up for doctors for emails and other official work. Besides this, all department faculties, HODs, scientists have been directed to ensure security audits of the software they are using from CERT-IN certified auditing agencies so as to prevent malware spread from their software in the servers and connected endpoints,” said another official at AIIMS aware of these developments.
The hospital’s computer and IT facility has called a meeting of IT vendors to provide such solutions before 31 December and to block access to the AIIMS network and central servers from any other applications that have not been security audited.
All faculty and doctors have been directed that no routers, hubs, etc. should be connected to an AIIMS network port by any user.
Last week, the institute in a statement claimed that it has restored e-office but due to the large volume of data involved, hospital operations are being done manually.
Queries sent to AIIMS and a health ministry spokesperson did not elicit a response.
The central government has deputed experts of the National Investigation Agency, Defence Research and Development Organisation, India Computer Emergency Response Team, Delhi Police, Intelligence Bureau, Central Bureau of Investigation and ministry of home affairs to help AIIMS resolve the crisis.
