(In a major data breach, the private information of lakhs of citizens registered on the CoWIN portal has reportedly been leaked. FIT is republishing this story in light of the recent event.)
Was the recent cyber attack on the All India Institute of Medical Sciences (AIIMS), New Delhi, just a taste of what's to come in the digital future of India's healthcare system?
On 23 November, AIIMS-New Delhi issued a statement saying that the server holding details of its outpatient and inpatient digital hospital services was down, and that services including smart lab, billing, report generation and the appointment system were affected.
What followed was a frenzy of staff scrambling for hours to get the server running again, as services came to a sudden standstill as a result of the breach.
The cyber attack was carried out by Chinese hackers, a senior government source told a news agency on Wednesday, 15 December. The official added that the data on the five affected servers has now been successfully retrieved.
But, let's zoom out from the AIIMS incident to take a look at the larger plan to digitise healthcare that's being pushed by the government under the Ayushman Bharat Digital Mission.
Is India ready to go paper-less and fully digitise healthcare? FIT speaks to experts.
Lessons From the AIIMS Cyber Attack: Is India Ready to Digitise Healthcare?
1. What is the Ayushman Bharat Digital Mission?
Simply put, the Ayushman Bharat Digital Mission, launched in September 2021, is an initiative by the Union Government to digitise health records and data of citizens in order to ease services.
According to the official website of the National Health Authority, ABDM "will bridge the existing gap amongst different stakeholders of healthcare ecosystem through digital highways."
ABDM involves several smaller programmes and provisions, including the Ayushman Bharat Health Account (ABHA) app, the ABHA number and a health facility registry.
However, there are several challenges in the way they are actually implemented that could result in a security breach, says Dr Suresh Munuswamy, public policy expert, and assistant professor at Public Health Foundation of India.
2. What Went Wrong in AIIMS
For one, Dr Munuswamy explains, at AIIMS there was just one server holding all this information. This is why services remained unavailable for the next week.
According to reports, it was only on 13 December, a whole 19 days later, that online appointment services were restored at AIIMS.
"The services should not be interrupted. If you had had backup servers, if you had duplicate servers for the data, then you should have at least carried forward the service, which didn’t happen."
Dr Suresh Babu Munuswamy, Public Health Foundation of India
"You need to increase a lot of manpower, you need a lot of security, you need to distribute data across different servers, and someone has to pay for it," adds Dr Munuswamy.
Infrastructure and Investment: Are We Covered?
"We are looking at data that is on a whole new level. There are multiple gateways being exposed here, and ensuring their security is an expensive affair."
Dr Suresh Babu Munuswamy, Public Health Foundation of India
Under the programme, the hospitals involved essentially have to take care of the infrastructure needed to support the digital network.
"You can’t expect a doctor to be a good computer administrator. So, you are essentially asking each hospital to hire a whole new IT team to set up the digital ecosystem," Srinivas Kodali, Researcher with the Free Software Movement of India, tells FIT.
"If you want safety, the only way to do that is to spend a lot of money and hire more people."
The question, then, is: are hospitals willing to shell out what it takes?
Dr Munuswamy says the way around this is for the government to increase the funds allocated to the programme.
3. There's Also a Lack of Legal Frameworks
Though the Supreme Court has recognised that the right to privacy is a fundamental right, there is no data protection law in place in this country, says Rohin Bhatt, a human rights lawyer practising at the Supreme Court.
There is a draft Digital Personal Data Protection Bill, 2022, but a draft is not much good until it becomes law.
"The draft doesn’t demarcate between personal data and sensitive personal data. Health is sensitive personal data," says Pallavi Bedi, a public policy lawyer and a researcher at the Center for Internet Security.
"So the extra safeguard that should be there for health data is also not there," she adds.
"There are policies, but there are no laws, and policies are not laws. You don’t have to really enforce policies."
Srinivas Kodali, Researcher with Free Software Movement of India
Take, for instance, the incident at AIIMS. As far as we know, no substantial legal recourse followed the cyber attack.
"The government has made no statement about if they've managed to get the systems in place. They haven’t said if the perpetrators were caught, if they are being prosecuted, and what is happening."
Rohin Bhatt, Lawyer in the Supreme Court
"All of that data is now in the hands of these cyberterrorists. You don’t know how they will use it," adds Bhatt.
"Even though we have had a massive data breach, and this is really sensitive health data, we clearly still don’t have a framework for addressing it."
Rohin Bhatt, Lawyer in the Supreme Court
"It exposes people to a gross invasion of their privacy without their consent," adds Bhatt.
"If something like this happens where my data is compromised, who do I go to? That question remains."
Pallavi Bedi, Researcher, Center for Internet Security
4. How Your Healthcare Data Can Be Used Against You
"Is there a privacy violation? Yes. But more than that, the question is, how is it harming you?" says Srinivas Kodali.
The harm, Kodali goes on to say, comes from a number of directions, including the insurance industry and personal targeting. There's no real way of anticipating just how the data may be used.
You don't get to decide what the government and private hospitals do with your data thereafter, he says.
"Even if the government doesn't, the private hospitals can (sell your data)," explains Kodali.
According to Kodali, a plausible scenario is that all this information collected from citizens is handed to the insurance industry, which can then start determining who should pay how much for health insurance based on their data.
This isn't a far-fetched concern, considering that arrangements like this have already been flagged in other countries.
"In terms of data in the black market, health data is worth a lot more than even financial data."
Srinivas Kodali, Researcher with Free Software Movement of India
This is because there's a lot of money to be made from this information, targeted advertising being one example.
Sensitive health data being out there also exposes many vulnerable groups, like HIV patients, TB patients and people with disabilities, to potential exploitation.
"Market tends to punish you. Until recently, AIDS patients were not given health insurance. IRDAI, Insurance Regulatory and Development Authority, had to step in and say that something like this should not be allowed."
Srinivas Kodali, Researcher with Free Software Movement of India
5. Do You Know What You’re Signing Up For?
Do you need Aadhaar to register? ABHA number, CoWIN number, Health ID: what is the difference, and where do you use which one?
What health information of yours is linked to it?
How will it be used? Who has access to it?
Most people don't have the answers to these questions.
"You have to look at it from the high level and the granular level," says Dr Munuswamy.
"Even basic literacy is a problem in our country. And then you are adding digital literacy to it. So, a lot of people may or may not understand what is happening. If you have to get them on to a system, you have to explain things very clearly to them."
Dr Suresh Babu Munuswamy, Public Health Foundation of India
Speaking to FIT, a resident doctor at AIIMS said that the hospital has kiosks for creating Health Accounts for patients, and that they are encouraged to register.
He goes on to say that a lot of them are not very clued up on what it is they're signing up for. All they know is that they're getting a 'health number'.
Most people who sign up for it don't fill out their own forms. "You have a data entry operator filling it out for them," says Bedi.
"That's a concern too because you're sharing all this data with somebody. Many don't know that the ABHA number is sensitive, or how it really works," she adds.
The process is meant to be a voluntary one, but is it truly voluntary in the absence of informed consent?
The bottom line is that digitising health data can help streamline healthcare services and help hospitals function faster and more efficiently, but when the data being handled is of such a sensitive nature, and on such a mammoth scale, concerns of privacy and security need to be addressed.
"If the government is pushing health digitisation, they will also have to push safety and security."
Srinivas Kodali, Researcher with Free Software Movement of India
The Quint has reached out to the National Health Authority. We haven't received a response yet.