Last month, the All-India Institute of Medical Sciences (AIIMS) — the country's largest public healthcare institute — was attacked with ransomware. Now, a probe has found that the IP address of the two emails sent by the hackers traces to Hong Kong and the Henan province of China. This is as bad as it could be. Firstly, the AIIMS cyber-attack presents a classic example of the threats looming in a digitized world in the absence of adequate firewalls. Secondly, it also prima facie appears to be a perfect example of how entities from foreign countries can conspire against a targeted nation. However, the most worrying revelation has been the glaring loopholes in the cyber security apparatus of AIIMS — India's premier medical institute. To put it bluntly, cyber safeguards were nearly absent in this case. It is shocking by all accounts that a sensitive and critical institution, which relies so heavily on digitization, did not have a dedicated cyber cell to tackle any potential threat. The AIIMS episode certainly was an instance of extreme negligence. It is nothing short of ridiculous that AIIMS is contemplating establishing a cyber cell only now, after it has suffered a major ransomware attack. Even if a beginning is made today, the task will be uphill going forward. Furthermore, if an institute of AIIMS' prestige is struggling so badly on the cyber-security front, what should one expect of relatively smaller and unorganized medical institutes? The Union Health Ministry should give the issue serious consideration and step up its actions to put requisite safeguards in place. With the recovery of patient data — pertaining to around 3-4 crore patients — the biggest threat has been averted, but this should not cover up the fact that the privacy of such a large number of patients was allowed to be put at risk.
Since the exact location of the IP address and the nature of the hacking entity — whether it was an individual or an institution — are not yet clear, the nature of potential manipulation remains in the realm of the unknown. The data could be used for commercial purposes by a competing firm or it could be used to pose security threats by nefarious elements. As subsequent revelations are made, the picture will get clearer. But one thing is certain: the lapses are grave. Furthermore, apart from the recovered patient data, the hacked servers of AIIMS might contain sensitive and crucial research-based data. Uncertainty looms large over the recovery of such data, if any. More importantly, even though the probe is ongoing, the question of accountability remains unresolved. It is difficult to pin the blame on any particular authority or person at this juncture because it was a structural failure. The probe, however, has a more important end to meet. The immediate focus rightly appears to be on the tracing and recovery of the hacked data. Once the case starts settling down, much bigger challenges will be waiting. A complete overhaul of the existing cyber-security apparatus is needed in the years to come. It may be noted that India's leading cyber-security agency, CERT-In, had detected the infection of only a limited number of servers of NIC and AIIMS but, subsequently, the ransomware spread to AIIMS' extended server network. This snowballing effect is a reminder that AIIMS should have had a hierarchical or pyramidal cyber security mechanism in which each layer of the system is insulated from an attack on another layer. A system with multiple checks should be seen as imperative for any institute that is as sensitive and crucial as AIIMS. The ransomware attack is a wake-up call that the language of cyber-attacks should no longer concern only the technical experts. It is now affecting people on a large scale, in an organized manner.
Why, then, should the response to it be so unorganized and piecemeal?