Last year, reports about health data leaks from India’s CoWIN portal were making rounds in the media. However, National Health Authority (NHA) officials denied them. Last month, the personal data of RS Sharma, head of NHA, was exposed in a massive data leak via the Telegram app.
While the officials initially denied any such leak, a few days later, Delhi police arrested two individuals concerning the leak.
The data leak exposed personal information including name, Aadhaar number, passport, VoterId and COVID vaccination status of millions of citizens. It was one of the largest data leaks in India after the CoWIN and AIIMS data breaches, as reported by Context.
These recent data breaches, especially health data leaks, have raised several concerns, and people are demanding a digital data protection bill from the government to secure sensitive data.
But will the data protection bill secure India’s health data?
In this article, we will discuss the current digital health infrastructure of the country and how securing health data is a major challenge faced by the healthcare industry.
India’s health data: Digitization drive and challenges
India is pushing digitization of health data and services under the ambitious Digital India program. The Ayushman Bharat Digital Mission (ABDM) is rolled out to create a unique health ID for every individual and link it to their Aadhaar ID.
Apart from this, the country also aims to develop and export its digital public infrastructure models, including Aadhaar, payment system UPI and National Health Stack data platform to Asian and African countries to improve access and efficiency.
While these initiatives are great, and digitization of health data will help improve patient outcomes, the absence of adequate laws to govern data collection, sharing and security leaves people vulnerable to scams, harassment and identity thefts.
The rush to expand the digital public infrastructure across borders also puts individuals at risk from data collection and data overreach, said Raman Jit Singh Chima, Asia policy director at Access Now, in a statement to the Context.
Currently, India has no data protection bill, and its national cybersecurity policy was last updated in 2013. Inadequate laws and an exponential push for digitalisation without discussions have resulted in high risks of cyberattacks and data breaches in the country.
India’s data breaches
Cybersecurity firm CloudSEK’s reports show that India was the second biggest target for cyberattacks after the US in 2021 and 2022.
Another report by CheckPoint research revealed that weekly cyberattacks in the country increased by 18% in the first three months of 2023. India saw over 1700 attacks every week, double the global average, especially targeting healthcare, education, research and government websites and applications.
In 2022 alone, data of nearly 600,000 people was stolen and sold on bot markets by hackers, a study by NordVPN revealed. It said India was worst hit by data breaches last year, including big leaks like the CoWIN data leak and AIIMS cyberattack that compromised the health records of nearly 40 million patients.
India passed new legislation last year that required VPN firms to report data breaches within six hours of noticing them and maintain IT and communications logs for six months. However, the absence of adequate laws leaves the country’s digital infrastructure vulnerable to new threats.
Digital data protection bill: The reality
While a lot of India’s health data security relies on the data protection bill, digital security experts aren’t satisfied with its current draft and contemplate if the bill will secure data effectively.
The data protection bill draft received a great deal of criticism from experts stating the bill’s language lacks clarity, leaving room for interpretation and potential loopholes. It also provides exemptions to government agencies, raising concerns about potential misuse.
Several critics also argue the effectiveness of the bill if government agencies will be exempt from accountability in cases of data breaches. The government authorities’ refusal to acknowledge breaches is another challenge in implementing effective data protection in the country.
“The more data there is, the more it can be abused. If you can access the entire medical history of individuals, imagine how valuable that is for the private sector; how will it be protected from misuse?”
– Prateek Waghre, policy director at Internet Freedom Foundation, a non-profit.
The government will have to work with digital security experts, conduct discussions, hold themselves accountable and make effective legislations to improve data privacy and security in the country. Or India’s health data leaks will badly affect the people and the country’s entire social framework.
