The All India Institute of Medical Sciences (AIIMS) had become aware in 2019 that its “existing network is very old, complex, outdated, partially manageable, not so secured and heavily prone to data security risk”. Despite that, the premier medical institution did not apparently secure its network.

Since a malware struck 10 days ago, AIIMS has been able to restore the infected e-hospital data but not the network leaving the hospital to run the out patient department (OPD), lab and other services on manual mode, leaving patients in a lurch. As an alternative, additional staff have been deployed to share the administrative burden.

The contract

Documents accessed by businessline reveal that the computer facility, which looks after the IT of AIIMS, was aware of the vulnerability of its virtual network for at least over three years ago. That’s why a review of the hospital’s e-governance architecture was undertaken and a decision was taken to upgrade network of new blocks as well the existing old network.

A tripartite contract was signed among AIIMS, M/S HSCC India Ltd and M/s Inspira Enterprise India Pvt Ltd for the development of campus-wide digital network solutions and services for new blocks of the hospital at Masjid Moth, New Delhi, and National Cancer Institute, Jhajjar, Haryana. The contract, awarded to Inspira Enterprises for ₹48.92 crore, was to install the state-of-the-art, robust, 100 per cent manageable, centrally controlled, secure and high-end networking equipment and component, the documents show. However, the upgradation of existing old network was not included in the contract.

Concerns flagged, but...

A Shariff, the then professor-in-charge of the computer facility, observed on February 4, 2019, that “... the existing network is very old, complex, outdated, partially manageable, not so secured, not centrally controlled and having link of 1G only shared in the entire institute and its centres.”

Important weak links in the virtual infrastructure which may have been exploited by the hackers were “heavily prone to data security risk; prone to viruses and botnets; limited monitoring of network activity and performance; and complicated and tough to identify network bottlenecks and failure” (as flagged then by Shariff). Later, it was agreed in a meeting under the chairmanship of Subhasish Panda, Deputy Director (Administration), to have a fresh tender for securing the old network. At that point, the computer facility also realised that integration of old with the new network would be a challenge due to the difference in technology, speed and architecture.

AIIMS’ additional spokesperson, Karan Madan, did not respond to businessline’s e-mail questionnaire. Another employee in the hospital’s media cell and protocol division said he was not authorised to speak on any issue.