Rudra Shandilya and Disha Chaturvedi[i]
In today’s technological epoch, everything, every sector revolves around technology. The healthcare sector is no exception to this rule, especially with the introduction of the concept of digital healthcare. Digital healthcare refers[ii] to the use of information technology for providing healthcare facilities and for Digital Health Data (DHD) storage including Personal Identifying Information (PII) and Protected Health Information (PHI). PHI/PII is the information[iii] in a medical record which is made during a healthcare service and can be used to identify an individual. It includes the patient’s medical history, present conditions and reports, potential health problems, and health insurance number amongst other things. To protect such data, considering the value it holds, there is a pressing need for cybersecurity.
Cybersecurity is a set of techniques and processes[iv] that safeguard computer networks, devices, and data from cyber threats and proscribed access. It works as a shield against cyberattacks. It includes, network security, application security, information security and cloud security.
The digital healthcare sector is prone to cyberattacks, because the technology it counts upon is linked to the internet. Everything it encompasses, be it healthcare devices, data, PHI or PII, makes it vulnerable to cyber threats. Expanded versatility and fast digitalization bring numerous advantages but, simultaneously, they also widen one’s susceptibility to such dangers. Other than the danger of healthcare data breaches that cause both, reputational and monetary losses, surging compliance necessities should also be taken into consideration. Private information is targeted the most as it costs a lot in the underground market, where the attackers may sell it or coerce the authorities to pay money by threatening to sell the data. They may even attack data through a ransomware, a type of malware which locks the data of the victim until ransom is paid. Further, valuable data like that of important medical research costs a fortune in the black market. It is not just the data but healthcare devices also which are hacked through ransomwares creating peril for the patients whose lives are supported by such devices. Comparitech[v], which is a UK based firm, recently released cybersecurity rankings amongst 76 countries, in which India emerged as the 18th least cyber secure country. Also, recently, the Interpol has sent a purple notice[vi] to different countries, including India, as a warning against ransomware attacks during this pandemic. Outdated technology and less knowledge of cybersecurity make the digital healthcare sector more susceptible to such attacks. Furnishing the healthcare sector with proper machinery, updated equipments and resources could help in achieving a higher level of cybersecurity against cyber threats.
Recent episodes of Healthcare Data breaches
Cyber-criminals particularly are attracted towards DHD since it encompasses personal and financial data which can be used for the purposes of blackmailing and extortion. Recent events of healthcare data breaches are a matter of serious concern for the digital healthcare sector in India. In the year 2019, FireEye, a USA based security firm revealed the fact that some Chinese hackers broke into a top Indian digital health website, stealing around 68 lakh health records[vii] including, but not limited to, doctor and patient information. It has been observed at times that such hackers are state-sponsored[viii] for targeting medical research which may enable such countries to bring new advanced medicines to the market faster than their competitors. In another instance that followed, millions of pregnant women[ix] had their details leaked due to an error which made their private health data publicly accessible. The affected database stored details of the pregnancy and the history of genetic ailments. Episodes like these serve as reminders of the importance of powerful cybersecurity frameworks to secure healthcare data in India.
There are basically three categories of harm that could be caused to an individual when his/her DHD is breached; first, the society gets to know about the medical history of the individual; second, the employer gets to know about the leaked PHI and hence, might become unwilling to employ the individual; and third, the chances of any future DHD loss in itself becomes a nightmare for the individual.
The government of India recently introduced a mobile contact tracing app known as the ‘Aarogya Setu’. The application works by linking the user’s name, phone number, age, sex and profession to his/her geolocation data. The app then uses the Bluetooth and location information of the device continuously to monitor the track of its users. Further, all the collected data is then uploaded to a central digital healthcare database managed by the government. Earlier, the app was to be used voluntarily but, by way of a recent order under Section 10 of the Disaster Management Act, 2005, the government has made use of the app “effectively mandatory”[x] at various places. This raises a serious cybersecurity concern amongst the citizens. This concern surged after Robert Baptiste[xi], a French ethical hacker reported various security and privacy flaws in the app. He demonstrated the loopholes by tracking movements across India. However, the government tagged these allegations as vague[xii]. While the paranoia around the app’s security concerns remains unaddressed, a Bengaluru-based software engineer[xiii] apparently breached the app’s security system in less than four hours, giving a panic attack to the government and citizens. Therefore, it is necessary for the government to extensively implement regulations and security features.
Legislations dealing with Digital Health Data
There are different legislations that deal with the issue of cybersecurity and digital health in India. Earlier, the database of the digital healthcare sector was only safeguarded[xiv] by the provisions of the Information Technology Act, 2000, read with, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which offered some degree of safeguard to the collection, disclosure and transfer of sensitive private data, which covered within its scope medical records and history. The main problem with the aforementioned act was its enforceability. The act provides for civil as well as criminal remedies in case of data breaches but, is unable to properly define the competent authority to be approached for availing such remedies.
Recently, the draft of the Digital Information Security in Healthcare Act, 2018[xvii] popularly known as the DISHA came into picture. It aims to provide for protection, standardization and privacy, DHD confidentiality, and establishment of Health Information Exchanges and a National Digital Health Authority. The draft legislation endeavors to control the procedures of gathering, utilising, and sharing DHD. The standardization it proposes also helps in guaranteeing that such data stays secure, classified, and private. Further, DISHA provides for digital sharing of private healthcare data with clinics and hospitals, and between clinics and hospitals[xviii] which serves as a basis for the formation of digital healthcare records in India since it incorporates the required patient’s medical data. It also provides that the owner of the DHD would have extensive rights[xix] relating to consent, transparency, and data collection. The most notable part of the aforesaid legislation is that it states that health data, including physiological, mental and physical health condition, sexual orientation, biometric data and prior medical records, is data that can only be the property of the person it belongs to. DISHA also proposes for strict penalties in the case of mishandling of the data. Hence, the draft legislation could be considered as an important step towards data security for the digital healthcare sector in India. However, DISHA is expected to be merged with the Personal Data Protection Bill, 2019 which under section 3(36) states that the ‘health data’ of a person embodies ‘sensitive personal data’[xx].
Legislations of other countries dealing with Digital Health Data
European Union (EU)– The recent General Data Protection Regulation (GDPR) has been in force since 25th May 2018[xxi]. The primary aim of the GDPR[xxii] is to simplify the regulatory environment and to provide individuals control over their private data. It lists out various requirements for organisations and corporations on storing, managing and collecting private data. The notable point in the GDPR is that it applies to any organisation[xxiii] that processes or collects data/information from residents of the EU or in the EU, and hence, also covers medical institutions in the EU.
United States (U.S.)– The U.S. practices “combination of self-regulation, legislation and regulation”[xxiv] instead of government interference only. Approximately twenty sector or industry-specific federal laws, and more than a hundred data/general privacy laws at the state level[xxv] are currently in force in the U.S. For instance, the privacy law in California namely, “California Consumer Privacy Act” (CCPA) provides Californian residents with four personal data privacy rights[xxvi]: the right to equal services, the right to opt out (or in), the right to access, and the right to notice. Compliance with the CCPA is mandatory for all organizations and individuals in the United States.
It’s an obvious fact[xxvii] that India lacks a common tradition of privacy and anonymity. While privacy forestalls access to data, anonymity shrouds what makes it personal. A recent survey demonstrates that 76% of the healthcare professionals[xxviii] in India utilise digital health records. With such rapid digitalization of the Indian healthcare industry, it is necessary to have a proper legal framework in place to handle issues related to cybersecurity. Digital health could provide a transformative effect to the healthcare industry in India, but it must also come with the requisite safeguards to prevent the PII and PHI from being vulnerable to abuse and fraud and to protect the individuals’ privacy and human rights. Hence, it is imperative on the part of government to look upon digital healthcare privacy.
[i] Rudra Shandilya and Disha Chaturvedi are undergraduate law students at National Law University, Visakhapatnam. Their interests include corporate and technology laws, as well as human rights, and gender issues. They can be reached at [email protected] or [email protected]
[ii]Gaurav Dhooper, National Digital Health Mission and Data Protection Concerns, Analytics India Mag, https://analyticsindiamag.com/national-digital-health-mission-and-data-protection-concerns/, (last visited on 21 January 2021). [iii]Protected Health Information, True Vault, https://www.truevault.com/protected-health-information#:~:text=PHI%20stands%20for%20Protected%20Health,as%20a%20diagnosis%20or%20treatment., (last visited on 21 January 2021). [iv]What is Cybersecurity?,Cisco, https://www.cisco.com/c/en_in/products/security/what-is-cybersecurity.html, (last visited on 21 January 2021). [v]Paul Bischoff, Which countries have the worst and best CyberSecurity?, Comparitech, https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/, (last visited on 21 January 2021). [vi]Devesh K. Pandey, Interpol Warns of Cyber threats during Pandemic, The Hindu, https://www.thehindu.com/news/national/interpol-warns-of-cyberthreats-during-pandemic/article31539121.ece, (last visited on 21 January 2021). [vii]Hackers Steal 68 Lakh Health Records from Indian Healthcare Websites for alleged Cancer Research, Tech 2 First Post, https://www.firstpost.com/tech/news-analysis/hackers-steal-68-lakh-records-from-indian-healthcare-websites-for-cancer-research-report-7225351.html, (last visited on 21 January 2021). [viii]Matt Burgess, China’s Hackers are ransacking databases for your health data, Wired UK, https://www.wired.co.uk/article/china-hackers-medical-data-cancer, (last visited on 21 January 2021). [ix]Shouvik Das, India’s leaked medical data could have been sold or damaged: Bob Diancheko, News 18 Tech, https://www.news18.com/news/tech/indias-leaked-medical-data-could-have-been-sold-or-damaged-bob-diachenko-2089351.html, (last visited on 21 January 2021). [x]45 organizations and more than 100 prominent individuals push back against the coercion of Arogya Setu, Internet Freedom Foundation, https://internetfreedom.in/45-organizations-and-105-prominent-individuals-push-back-against-the-coercion-of-aarogya-setu/, (last visited on 22 January 2021). [xi]Flaw in Arogya Setu app lets one see others’ health status: French cybersecurity expert, The Week Magazine, https://www.theweek.in/news/india/2020/05/06/flaw-in-aarogya-setu-app-lets-one-see-others-health-status-french-cybersecurity-expert.html, (last visited on 22 January 2021). [xii]Government denies hacker’s claims of Security breach in Arogya Setu App, The Hindu Business Line, https://www.thehindubusinessline.com/info-tech/aarogya-setu-app-safe-government/article31514935.ece#, (last visited on 22 January 2021). [xiii]Zarafshan Shiraz, After French hacker Bengaluru techie hacks ‘Unhackable’ Covid-19 Tracking App Arogya Setu in less than 4 hours, India.com, https://www.india.com/viral/after-french-hacker-bengaluru-techie-hacks-un-hackable-covid-19-tracking-app-aarogya-setu-in-less-than-4-hours-4028907/, (last visited on 22 January 2021). [xiv]Nimisha Shrinivas & Arpita Biswas, Protecting Patient Information in India: Data Privacy Law and its Challenges, 5 NUJS L. Rev. 411 (2012), http://docs.manupatra.in/newsline/articles/Upload/B3C7F081-838F-489F-9F77-AF1E209C26F8.pdf. [xv]Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India). [xvi]Ankur Sangal; Pragya Mishra & Shantanu Rawat, India: How much Diligence is Due Diligence in case of intermediaries? Not just paper policies, Mondaq, https://www.mondaq.com/india/advertising-marketing-branding/978962/how-much-diligence-is-due-diligence-in-case-of-intermediaries-not-just-paper-policies, (last visited on 22 January 2021). [xvii]Ministry of Health & Family Welfare (eHealth Section), Government of India, F.No Z-18015/23/2017-eGov (Notified on 21 March 2018). [xviii]Digital Information Security HealthCare Act (DISHA) Compliance Assesment, Cereiv, https://www.cereiv.com/digital-information-security-health-care-act-disha-compliance-assessment/, (last visited on 22 January 2021). [xix]Overview: Digital Information Security HealthCare Act (DISHA), Ikigai Law, https://www.ikigailaw.com/overview-digital-information-security-in-healthcare-act-disha/#acceptLicense, (last visited on 22 January 2021). [xx]The Personal Data Protection Bill, 2019, No. 373, Lok Sabha, 2019 (India). [xxi]Commision publishes guidelines on upcoming new Data Protection Rules, European Commission Press Release, https://ec.europa.eu/commission/presscorner/detail/en/IP_18_386, (last visited on 22 January 2021). [xxii]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [xxiii]Vikalp Jain, GDPR paves the way for Data Subjects of the World, Analytics India Mag, https://analyticsindiamag.com/gdpr-paves-the-way-for-data-subjects-of-the-world/, (last visited on 22 January 2021). [xxiv]Sushil Kambapati, What India Data Protection Committee can learn from US, EU and China, The Wire, https://thewire.in/tech/what-indias-data-protection-committee-can-learn-from-us-eu-and-china, (last visited on 22 January 2021). [xxv]Noah Ramirez, The Great Big List of Data Privacy Laws by State, Osano, https://www.osano.com/articles/data-privacy-laws-by-state, (last visited on 22 January 2021). [xxvi]Kambapati, supra note 23. [xxvii]Osama Manzar & Udita Chaturvedi, Understanding the lack of Privacy in the Indian Cultural Context, Digital Empowerment Foundation, https://www.defindia.org/wp-content/uploads/2017/09/Understanding-the-Lack-of-Privacy-in-Indian-Cultural-Context.pdf, (last visited on 22 January 2021). [xxviii]Mukul, 76% of Indian Healthcare professional use Digital Health Records: Report, EHealth, https://ehealth.eletsonline.com/2019/08/hackers-steal-68-lakh-records-from-indian-healthcare-site-report/, (last visited on 22 January 2021).