Cyber Security: Effective Implementation Of Data Protection Act Can Trip Hackers’ Threat

Cyber attacks have been increasing over the years. AIIMS was brought to its knees in 2022, and there have been many more incidents worldwide. Strong data protection is the only way to protect individuals in a digital economy.

India’s premier hospital and research centre, the All-India Institute of Medical Sciences (AIIMS), Delhi, was the first major Indian target to be derailed by hackers in November 2022 through a ransomware attack.

Nearly everyone started questioning the country’s cybersecurity given that AIIMS, with its 15 lakh outpatient and 80,000 inpatient cases a year, was brought to a shuddering halt. Cyber-attacks have increased in frequency and sophistication over the past decade. The attack on AIIMS wasn’t an isolated incident.

The hospital’s internal systems were hit by a breach on November 23, 2022, and the digital patient management system was soon crippled. Reports said at least 5 of the hospital’s 40 physical servers were infiltrated by the hackers; the network also ran 60 virtual servers.

The data under threat was extremely sensitive: it included the personal details of all patients, such as their names, age, sex, address, phone number and medical history. Given the number of outpatient and inpatient cases every year, one can imagine the volume of data the hackers had access to.

Ransomware is a type of malware that encrypts data or locks users out of a computer system and holds it hostage until the hackers’ demands are met; the attackers often also threaten to publish the stolen data on the dark web. During the AIIMS breach, reports claimed the hackers demanded Rs 200 crore in crypto as ransom to loosen their grip.

At this point, one may wonder how such attacks affect people. Apart from the threat of a data leak mentioned above, the attack caused a huge rush at AIIMS. Long queues of patients laid siege to the hospital as its online appointment system went offline for seven days. The hospital had to deploy extra staff to deal with the rush. All of the hospital’s services, including the outpatient and in-patient departments and labs, continued to operate manually.

To repair the damage done by the hacking, AIIMS had to go through each system on the network to ensure no malware was left. If only tighter cybersecurity had been in place, the long-drawn-out and expensive process could have been avoided. Several agencies worked with AIIMS during this time. They included the National Investigation Agency, the Indian Computer Emergency Response Team (CERT-In), the Delhi Police, the DRDO, the Intelligence Bureau, the CBI, and the Ministry of Home Affairs.

Getting Data Protection Right To Dissuade Hackers 

The AIIMS incident got wide media coverage, but there have been multiple other cyber attacks in India in the recent past. During the quarter in which AIIMS was attacked, Indusface, a Tata Capital-funded software-as-a-service (SaaS) security firm, detected and blocked 829 million cyber attacks, and close to 59 per cent of them were directed at India.

Regular data leaks underline the need for robust data protection measures, stringent regulatory oversight, and proactive risk management strategies to safeguard sensitive information.

India’s Information Technology Ministry released a draft of the Digital Personal Data Protection Bill (DPDPB) in November 2022 for public consultation. It was introduced in Parliament in August 2023, passed by both Houses, got presidential assent and became an Act on August 11.

The Act represents a significant step towards safeguarding privacy and security of individuals' personal information. It regulates collection, storage, processing, and transfer of personal data, with greater transparency, accountability, and consent.

The Act, at its core, gives individuals greater control over their personal data: data fiduciaries need to obtain explicit consent for the collection and use of data. It introduced the concept of sensitive personal data, which includes financial data, health records and biometric data, and imposed stricter requirements for their handling.

Furthermore, the Act proposes the establishment of a Data Protection Authority of India to oversee and enforce compliance with the legislation. This regulatory body would play a pivotal role in adjudicating disputes, conducting inquiries, and framing guidelines to promote data protection practices.

The Act recognises the importance of cross-border data transfers and proposes mechanisms for regulating such activities. It seeks to balance the free flow of data with protection for personal information, fostering a secure environment for international data exchanges.

It reflects India's commitment to aligning its data protection framework with global standards, such as the European Union's General Data Protection Regulation (GDPR). By doing so, India aims to bolster trust in its digital economy and create a level-playing field for businesses operating within its borders.

While the Act represents a crucial milestone in the evolution of India's data protection landscape, its effective implementation and enforcement will be essential in realising its intended objectives.

The Nine Commandments To Prevent Cyber Attacks

For individuals and institutions, especially those in the healthcare domain, the following precautions can help prevent cyber attacks:

  • Raising user awareness about cyber attacks, online scams, and phishing campaigns.
  • Implementing robust password policies and enabling multi-factor authentication (MFA).
  • Regularly updating and patching software, systems, and networks.
  • Maintaining multiple backups, both online and offline, in separate and secure locations.
  • Monitoring logs for unusual traffic and activity on websites and other applications.
  • Blocking illegitimate IP addresses and deactivating port-forwarding using network firewalls.
  • Conducting real-time internet monitoring to identify and mitigate low-hanging threats, such as misconfigured apps, exposed data, and leaked access points that cybercriminals leverage for large-scale attacks.
  • Avoiding clicking on suspicious emails, messages, and links.
  • Refraining from downloading or installing unverified apps. 

Hacking And Data Breaches Worldwide

The AIIMS breach was the biggest one in India in recent times, but there have been greater catastrophes worldwide. Credit bureau Equifax was hacked in 2017, compromising the personal information of over 147 million people.

Their names, Social Security numbers, birth dates, addresses and, in some cases, driving licence numbers were all breached. Besides the US $425 million settlement with US authorities, the breach had severe repercussions for the individuals affected, including identity theft, fraudulent activity, and long-term financial insecurity.

Similarly, the Yahoo data breach is another notable episode. The breach, which occurred in 2003 but came to light in 2016, impacted over 3 billion user accounts, exposing names, email addresses, telephone numbers, and hashed passwords. It not only torpedoed Yahoo's reputation and financial standing but had far-reaching consequences for affected users, including potential identity theft and compromised online security.

The more recent Facebook-Cambridge Analytica data scandal brought to light the unauthorised access to and exploitation of the personal data of millions of Facebook users. Widespread concerns were also raised about data privacy, the ethical use of personal information, and the potential to weaponise data for political or commercial purposes.

In time to come, cyber attacks will only get worse. The only way to keep things safe in an increasingly digitalising world is to keep raising awareness and system preparedness, alongside robust monitoring and regular software upgrades.

(The author is a New Delhi-based economist. Views expressed are personal.)
