Wrong dosage of radiation to cancer patients, RCC yet to explain: Experts

Thiruvananthapuram, May 11 (FN Agency) Cyber security experts have asked the Regional Cancer Centre (RCC) to explain whether cancer patients were given wrong dosage of radiation due to the corrupted Varian LINAC system software and TPS following the cyberattack on the state-owned premium cancer care hospital and research centre, serving patients from across India. “How many patients have been given the wrong dosage of radiation to the wrong organs due to the corrupted Varian LINAC system software and TPS? they asked. “When did the FIR become registered? Which sections have been charged?” they asked.Being the guardian of patient data, the Director of RCC Trivandrum has the responsibility to explain the cyber attack’s implications to patients and stakeholders, especially under the Digital Personal Data Protection Act, 2023 (DPDP Act), they pointed out. “How much variable radiation planning equipment is available in the RCC?” How has the radiation software of the Varian Radiation Machine (Varian LINAC) been affected?

When do you receive the email claiming ransomware? What are the IP address and the geographical domain of the email?” they asked.The recent cyberattacks on the RCC-Trivandrum and the AIIMS-Delhi are both significant incidents that highlight the vulnerability of healthcare institutions to cyber threats in India. “The cyberattack on the RCC was a significant security breach where hackers targeted the radiation software and servers storing the health information of over 20 lakh (2 million) patients. Even the RCC is yet to disclose on which date the attack took place.” “How were the radiation software and servers breached? Explain the extent of tampering with the radiation software. Was it altered or disrupted?.” How the attackers gained access (e.g., phishing, malware, system vulnerability),” they added.The compromised data included surgical outcomes, radiation treatment details, and pathology reports. The attack disrupted radiation treatment and raised concerns about patient safety and data privacy, sources said. “Cyber Police and the Computer Emergency Response Team (CERT-K) took emergency measures to recover the data, and an investigation is underway to determine the extent of the breach and the origin of the attack.” “This incident underscores the critical need for robust cybersecurity measures in healthcare institutions to protect sensitive patient information.” “Medical data is highly valuable due to its comprehensive information, long-term use, potential for fraud, and lack of security. Healthcare systems often have less sophisticated security measures, making them more vulnerable to breaches. Protecting sensitive information is crucial to preventing identity theft and fraud, making medical data more valuable than credit cards.”

A complete medical record of an individual costs a minimum of USD 250 (approximate cost of data loss is 2000000 x USD 250 = Rs 35000000000).Illicitly obtained medical data is illegal and unethical, as it can be used for fraud and identity theft. The cost of Medical data depends on the scope and depth of information required, as well as the legal and ethical considerations involved in its acquisition and use.The investigating officer must file the First Information Report (FIR) as soon as possible and make sure that it contains all pertinent sections, including those that are included in the IT Act. Additionally, when gathering evidence, make sure the investigating officer strictly follows the Indian Digital Evidence Act, because this will be necessary for presenting the case in international forums.The AIIMS in Delhi suffered a cyberattack on November 23, 2021, causing all servers to be offline.The attack targeted the e-hospital service, affecting the outpatient department and sample collection services. The attackers, believed to be from China, demanded aransom of Rs 200 crore. Despite the attack, the data was restored, and the hospital’s services were rehabilitated after a one-month struggle. Pertinently, the severity of the matter is highlighted by a precedent—the AIIMS cyberattack and the investigations that followed. It is concerning that the incidence at the RCC was not reported in compliance with Indian law.