Indian Dermatology Online Journal. 2025 Dec 18;17(1):164–165. doi: 10.4103/idoj.idoj_504_25

When the Firewall Fails: A Digital Wake-Up Call for Dermatology

Monisha Madhumita 1, Subitchan Ponnarasu 1, Anjali Ancy 2
PMCID: PMC12854585  PMID: 41414905

A few months ago, I received an unexpected call from a colleague who runs a busy dermatology clinic in a metro city. She sounded anxious, almost panicked. Her clinic’s appointment system had frozen, patient files were inaccessible, and a ransom message blinked on every screen: “Your data is encrypted. Pay to recover.”

It was ransomware, she explained—something she had only vaguely heard about in passing. That evening, as I listened to her describe the ordeal, I realized something unsettling: Many of us in medicine, especially in smaller or independent practices, are deeply unprepared for the cyber risks that now shadow our work.

We tend to think of medicine in clinical terms, histories, diagnoses, and treatments, but a modern dermatology practice runs on data: patient records, clinical photos, digital prescriptions, and payment details. All of it flows through computer systems we assume are secure. Yet, most of us neither understand nor invest in cybersecurity until something goes terribly wrong.

What happened to my colleague wasn’t unique. Over the following weeks, I heard of at least two more clinics that had been targeted. One clinic’s email had been spoofed to send fake invoices to patients. Another had its staff WhatsApp group infiltrated. In each case, the impact was not only financial but also reputational and emotional. Patients lost trust. Staff morale dropped. The doctors, despite being victims, were left feeling responsible.

Even top-tier institutions aren’t immune. The All India Institute of Medical Sciences (AIIMS, New Delhi) cyberattack in November 2022 is a case in point.[1] The digital infrastructure of one of India’s premier hospitals was brought to a standstill for days. Critical systems were crippled, and the personal data of over 40 million patients was potentially compromised. If an institution with dedicated IT staff and significant resources could fall prey to such an attack, what does that mean for the rest of us?

It made me reflect on our blind spots. We diligently attend continuing medical education (CME) sessions on dermatoses and workshops on lasers, and argue about treatment algorithms. But how many of us know if our patient data is encrypted? Or who has admin access to our clinic software? Or how to respond if our systems are compromised?

One term we often hear in passing, but rarely understand fully, is firewall. Think of it as a digital security guard that monitors and filters traffic between your internal network and the outside world. But even the best firewall can fail, especially if it’s poorly configured, outdated, or bypassed by something as simple as a phishing email. In other words, a firewall is only as strong as the people and systems around it.

Cybersecurity, I realized, is no longer just an ‘IT’ issue. It is part of our medical responsibility. Much like sterilizing instruments or keeping confidential files locked away, protecting patient data is part of doing no harm.

Of course, we are not expected to become cybersecurity experts overnight. But basic hygiene, both digital and ethical, is essential. Using strong passwords, updating software regularly, avoiding pirated programs, and backing up data are simple steps. Equally important is cultivating awareness among our staff. The receptionist who clicks on a phishing email can unintentionally open the door to a data breach.

Our patients trust us deeply, not just physically but also digitally. They allow us to photograph sensitive lesions, share details of their intimate struggles, and record conversations that may never be spoken aloud elsewhere. Protecting that trust extends beyond the consultation room. A breach, even if accidental, feels like a betrayal.

I also began to think about resilience. Some older medications, we say, still work brilliantly despite all the advances. Maybe the same goes for a good old notebook in certain cases. Not every record needs to be online. While digitization is inevitable and useful, perhaps hybrid systems that balance convenience with caution are worth considering.

There’s also the larger picture of how rapidly healthcare is commercializing and digitizing. In our enthusiasm for apps, online consultations, and patient databases, we may be trying to outrun our ability to secure them. Regulations are evolving, but they lag, owing to the speed at which technology integrates into clinical practice. As clinicians, we must advocate not just for better laws, but for more awareness within our own circles.

In India, cybersecurity laws are primarily governed by the Information Technology (IT) Act, 2000, which lays down legal provisions for data protection, cybercrime, and electronic governance.[2] Key amendments have expanded its scope to cover offences like hacking, identity theft, phishing, and ransomware attacks. The newly introduced Digital Personal Data Protection Act, 2023 (DPDPA),[3] further strengthens privacy rights by mandating how personal data should be collected, stored, and processed. Healthcare providers, including dermatologists, are legally responsible for safeguarding patient data, and failure to do so can result in heavy fines or imprisonment. Notably, even accidental breaches must be reported to CERT-In (India’s Cyber Emergency Response Team).

Looking back, my colleague did recover—partly through luck, partly because her data had been backed up offline. But it came at a cost: weeks of disruption, legal confusion, and bruised confidence. She now shares her experience openly with peers and has made cybersecurity part of staff onboarding.

For me, her story was a wake-up call. We learn so much from textbooks, mentors, and conferences—but sometimes, the most important lessons come from crises we never saw coming. We prepare for clinical emergencies; we must do the same for digital ones.

Conflicts of interest

There are no conflicts of interest.

Use of artificial intelligence (AI)

The preparation of this manuscript was carried out entirely by the authors without the use of artificial intelligence technologies.

Funding Statement

Nil.

References

1. Gandhi P, Pahwa S. All India Institute of Medical Sciences (AIIMS), Delhi: Cyberattack puts digitalisation under scanner. Management. 2024;1:8.
2. Blythe SE. A critique of India's information technology act and recommendations for improvement. Syracuse J Int’l L and Com. 2006;34:1.
3. Naithani P. Analysis of India's digital personal data protection act. International Journal of Law and Management. 2023;67. doi: 10.1108/IJLMA-05-2024-0174

Articles from Indian Dermatology Online Journal are provided here courtesy of Wolters Kluwer -- Medknow Publications