By Srikanth Samudrala, Co-founder & CTO, ekincare
It was only after the European Union's General Data Protection Regulation (GDPR) came into force in 2018 that much of the world began to prioritise data privacy law. GDPR is now regarded as the benchmark for data privacy legislation and has influenced legislation in many countries, including India. Since 2018, the Indian Government has been working to make individual data privacy a priority in the online world. On 18 November 2022, a new draft Digital Personal Data Protection Bill was released that focused on personal data, hefty penalties for non-compliance, and relaxed rules on cross-border data transfer.
Even before the recent Bill, the Government had circulated a draft of The Digital Information Security in Healthcare Act (DISHA), India's HIPAA equivalent, aimed at providing healthcare data privacy, security, confidentiality and standardisation. DISHA also contemplates the establishment of a National Electronic Health Authority (NeHA) and State Electronic Health Authorities (SeHA). While DISHA and the recent data privacy bill are welcome steps, India may need additional investment and a deeper look at data protection and healthcare innovation as a whole.
Criticality of data in healthcare
In earlier days, healthcare data was handwritten by medical personnel, and paper records were voluminous to handle and store. Technology made it possible to store and retrieve such data at the tap of a finger, but that convenience comes with its own risks. As digitalisation increases, data breaches and cyber-attacks have become far more frequent, leaving patient information more exposed. That is why the highest level of data privacy is vital in healthcare services: people entrust healthtech companies with exactly this kind of data.
Data has become a strategic asset, in information warfare as much as in commerce, and it is the raw material of AI. As digital services spread, the amount of data held about each individual keeps expanding. Health records therefore must be handled under strict data privacy rules. The threat comes not only from hackers, but also from organisations that engage in malicious activity or use backdoor methods to obtain data.
Data breaches let attackers use healthcare data to blackmail and extort people, causing them significant distress. Attackers can also use medical information to commit fraud, such as insurance fraud. Unencrypted medical data can further expose the victim's identity, bank accounts and more. Last year, a US-based cybersecurity firm reported that attackers from China compromised an Indian healthcare website and breached more than 68 lakh health records containing information about patients and doctors. According to the firm, the average cost of a single stolen healthcare record is US$ 380, the highest of any industry. Startups in India and elsewhere that are backed by Chinese investment will also need to tread more carefully now that India's laws provide more stringent penalties for breaches. More recently, five AIIMS servers were targeted by hackers, with a Chinese role suspected in the attack. In another incident, a data set from a hospital in Tamil Nadu containing patient data was reportedly being sold on the dark web.
At the grassroots level, the major challenges we face in healthcare data security are lack of awareness, low digital literacy, missing role-based access controls, and weak governance across the healthtech ecosystem.
Lack of awareness is the hardest of these to address. Healthcare workers who gather patient data need at least basic data security training; without those fundamentals it becomes very difficult to contain a breach, or in many situations to prevent one at all.
Healthcare professionals are usually not trained in technology simply because it is not part of their day-to-day job, but with basic training anyone can learn to handle the tools and software safely. Digital literacy covers, among other things, online safety skills: creating strong passwords, understanding and using privacy settings, and knowing what should and should not be shared on social media.
Any system inside the business that handles patient data should be configured with role-based access control. Under role-based access, permissions are granted to roles rather than to individuals, each person is assigned only the roles their job requires, and each role carries only the minimum access needed for that job. A receptionist who needs appointment details should not, by virtue of the same login, be able to read diagnoses or prescriptions, and every access or denial should be recorded so that misuse can be traced.
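To make the role-based access idea concrete, here is a small policy engine for patient records. This is an added example written for this page, not code from the original article or from ekincare: the role names, permissions, the export pepper and the sample patient record are all constructed for illustration. It grants permissions to roles, assigns roles to users, denies anything not explicitly granted, writes every decision to an audit log, and shows how a bulk export for analysts can be limited to de-identified clinical data.

```python
"""Role-based access control for patient records (added example; not code from
the original article or from ekincare). Permissions are granted to roles, users
are assigned roles, and every read, write or export of a record is checked
against the caller's roles and written to an audit log. Role names,
permissions, the pepper and the sample record are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Permissions: named actions on the patient-record resource.
READ_DEMOGRAPHICS = "patient_record:read_demographics"
READ_CLINICAL = "patient_record:read_clinical"
WRITE_CLINICAL = "patient_record:write_clinical"
EXPORT_DEIDENTIFIED = "patient_record:export_deidentified"

# Each role gets only the permissions its job needs (least privilege).
# A role not listed here, or a permission not granted here, is denied by default.
ROLE_PERMISSIONS = {
    "physician": frozenset({READ_DEMOGRAPHICS, READ_CLINICAL, WRITE_CLINICAL}),
    "receptionist": frozenset({READ_DEMOGRAPHICS}),
    "billing_clerk": frozenset({READ_DEMOGRAPHICS}),
    "data_analyst": frozenset({EXPORT_DEIDENTIFIED}),
}

# Constructed secret used to pseudonymise patient IDs in exports. In a real
# deployment this comes from a secrets manager, never from source code.
EXPORT_PEPPER = b"constructed-pepper-for-illustration-only"


class AccessDenied(PermissionError):
    """Raised when a user attempts an action that none of their roles permit."""


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


@dataclass
class PatientRecord:
    patient_id: str
    demographics: dict  # name, phone, address, insurance number ...
    clinical: dict      # diagnoses, prescriptions, lab results ...


def permissions_for(user):
    """Union of the permissions of every role the user holds (unknown roles add nothing)."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def check(user, permission, audit_log):
    """Record the decision in the audit log and return whether it was allowed."""
    allowed = permission in permissions_for(user)
    audit_log.append((user.username, permission, allowed))
    return allowed


def authorize(user, permission, audit_log):
    """Like check(), but raise AccessDenied instead of returning False."""
    if not check(user, permission, audit_log):
        raise AccessDenied(f"{user.username} lacks {permission}")


def read_record(user, record, audit_log):
    """Return only the sections of the record the caller's roles may see."""
    view = {"patient_id": record.patient_id}
    if check(user, READ_DEMOGRAPHICS, audit_log):
        view["demographics"] = dict(record.demographics)
    if check(user, READ_CLINICAL, audit_log):
        view["clinical"] = dict(record.clinical)
    if len(view) == 1:  # neither section permitted: refuse rather than return a stub
        raise AccessDenied(f"{user.username} may not read patient records")
    return view


def update_clinical(user, record, changes, audit_log):
    """Apply clinical changes only for roles holding WRITE_CLINICAL."""
    authorize(user, WRITE_CLINICAL, audit_log)
    record.clinical.update(changes)
    return record


def export_deidentified(user, records, audit_log):
    """Bulk export for analytics: clinical data only, patient ID replaced by a
    keyed hash so rows cannot be joined back to a person without the pepper."""
    authorize(user, EXPORT_DEIDENTIFIED, audit_log)
    rows = []
    for r in records:
        token = hmac.new(EXPORT_PEPPER, r.patient_id.encode(), hashlib.sha256).hexdigest()[:16]
        rows.append({"pseudonym": token, "clinical": dict(r.clinical)})
    return rows


def denied(action, *args):
    """True if calling action(*args) raises AccessDenied; used by the demo below."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


# Constructed sample record; no real patient data.
SAMPLE_RECORD = PatientRecord(
    patient_id="P-1001",
    demographics={"name": "A. Example", "phone": "+91-00000-00000"},
    clinical={"diagnosis": "type 2 diabetes", "hba1c": 7.4},
)

if __name__ == "__main__":
    log = []
    physician = User("dr_rao", frozenset({"physician"}))
    receptionist = User("front_desk", frozenset({"receptionist"}))
    analyst = User("analyst", frozenset({"data_analyst"}))
    print(read_record(physician, SAMPLE_RECORD, log))        # demographics + clinical
    print(read_record(receptionist, SAMPLE_RECORD, log))     # demographics only
    print(denied(read_record, analyst, SAMPLE_RECORD, log))  # True: analyst cannot read records
    print(export_deidentified(analyst, [SAMPLE_RECORD], log))  # pseudonym + clinical, no name
    for entry in log:
        print(entry)
```

The important properties are that the default is deny (an unknown role or an ungranted permission yields nothing), that a denied attempt still leaves an audit entry, and that the analyst path never touches demographics at all, so a compromised analytics account cannot be used to re-identify patients without the separately held pepper.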
Indian brands in the health-tech space have adopted widely accepted industry norms for data protection and security. They recognise that electronic health records contain sensitive data and have put systems and practices in place to mitigate data theft and hacking.
The Government of India has a global role to play when it comes to information exchange. India is one of the most populous countries in the world and has a high rate of digital illiteracy. Digital health adoption therefore needs to be carefully balanced with stringent data protection measures: loss of trust dents the ecosystem and slows the adoption of digital health. Digital privacy law in India is still in its infancy. In the context of employer-led benefits, the onus is on the employer to ensure compliance with data protection requirements. Employers then need to take rigorous measures on data encryption, data security and regular training for healthcare personnel to remain compliant with India's data protection law. A strong governance and regulatory framework is therefore needed to ensure data protection. With these measures in place, we will see a change in the way healthcare and health-tech are delivered.