Thiruvananthapuram: Health minister Veena George admitted in the Assembly on Monday that cyber attacks had taken place in the Regional Cancer Centre (RCC) last April, with the software dealing with radiation treatment being one of the targets.
There were reports that details of over 20 lakh patients were compromised. The minister, however, assured the House that details of patients' radiation treatment were secure because there was backup.
The cyber attacks, which sources say were ransomware attacks, happened on April 28 and were targeted at two software: the PACS software of the Radiodiagnosis wing run by the GE company and CITRIX software of the Radiation Physics wing run by VARIAN company.
"The attacks were spotted before they could spread to the critical system," the health minister said. The attack was detected in the evening of April 28 when the treatment details of a patient were sought to be uploaded. It was found that the function could not be carried out as the software was not opening. "The Cyber Information Wing immediately made sure that the virus had not spread to other computers," the minister said. The very next day a similar thing happened to a computer run by VARIAN company.
The probe carried out by the Cyber Operations Wing of the police and CERT (Computer Emergency Response Team), Kerala, found that the virus had attacked eight desktop PCs and four servers. "Following this, to restore the information in the infected computers, radiation treatment was stopped for five days and resumed on the sixth day," the minister said. "When a major cyber attack had taken place in AIIMS, Delhi, one of the world's foremost medical institutes, treatment was shut down for a month," the minister said, suggesting that the damage control in the RCC was swift.
Vadakara MLA KK Rema said that the police report had found that the RCC's cyber security network was not up to standard. She also wanted to know how such a low-quality security network got approved for a premier institute like the RCC. In reply, the minister said that no attacks were carried out on the RCC's major servers or software. "The reason for this was that these main servers and software were adequately protected," the health minister said.
She said there was a reason why the VARIAN's software was particularly vulnerable. "They had initially taken a decision not to have anti-virus protection for their system. The reason they gave was that it would slow the patient result uploading process. The servers are directly monitored by the company," the minister said.
Rema pressed the minister further. "We have reports that say that details of 20 lakh patients have been leaked," she said. The minister said there was no valuable information in the compromised servers. "One important thing to note is that in these compromised systems, there were only treatment plans of the patients like scan reports. Other personal details of the patients (that could link an individual to treatments) were not there," the minister said.
Moreover, she said that there was no proof that the data had been stolen. "IT experts tell us that if that was the case such information would have by now appeared in the dark web. No details of RCC patients have appeared on the dark web. The data has been encrypted and we understand that they had not been able to retrieve it," the minister said.
To provide additional assurance that patient information is safe with the government, the minister said that the information provided in the Aadhar-based eHealth Portal of the State Digital Health Mission was also safe as the doctor could access information only with the patient's consent.
Congress MLA A P Anil Kumar wanted to know whether a law would be introduced to protect patient data. The minister reiterated her earlier point that the attackers could not touch the central servers and software of the RCC. Also, she said the response was swift. "Only the radiation wing had to be shut down for five days. No other wings of the hospital were affected," the minister said.
Nonetheless, she said that an audit would be carried out in major hospitals by IT experts to analyse whether the cyber security apparatus in these hospitals needed to be augmented.