- Health data is of enormous value and unauthorised access to this data poses serious risks: Health data can be used to create custom diseases, threaten the life of a person, can result in stigmatisation of certain groups of people, and can erode the trust in the healthcare system.
- Many challenges in securing healthcare data: There are many challenges when it comes to securing healthcare data including the lack of a data protection bill, people not being aware of the seriousness of health data, end-users unknowingly making costly mistakes, and lack of sufficient security systems.
- Challenges are only going to increase: The amount of healthcare data that is collected is only going to increase because of the growing number of companies and connected devices entering this space. This in turn will increase the challenges in securing healthcare data.
From enabling the creation of custom diseases to eroding the trust in the healthcare system, stolen health data can be used for various nefarious purposes. While the lack of a data protection law might be one of the biggest challenges in securing health data, the growing number of companies and connected devices collecting health data only makes the challenge of securing this data harder. In a panel discussion held by MediaNama on COVID-19 and Cyberattacks on Healthcare, experts shared their views on the risks of health data getting compromised and the challenges in securing health data and healthcare infrastructure.
Pallavi Bedi, Senior Policy Officer at the Centre for Internet and Society, Arvind Sivaramakrishnan, Group CIO of Apollo Hospitals, Niranjan Ramakrishnan, CTO of Leixir Dental Lab Group and CEO of My Lab Connect, and Vishal Gondal, Founder of GOQii, participated in this panel discussion.
This discussion was held on July 28 in partnership with the CyberPeace Institute, and with support from Facebook.
Risks of health data getting compromised
- Health Data can be used to create custom diseases: “Earlier this year, the US National Counterintelligence and Security agency came up with a report, which talked about China’s collection of genomic and other healthcare data from Americans. Just imagine, losing your DNA is not like you losing your credit card which you can change tomorrow, your DNA is unique to you. But this DNA information coupled with so many other things can be used to make custom diseases, custom viruses, it can be used to create all kinds of simulations and tests on your data. So there is a massive national security risk when it comes to all the underlying data of health,” Gondal said.
- Can result in life-threatening situations: “For example, we are now talking about connected devices getting embedded in people, we are talking about insulin pumps or pacemakers which are connected. Now imagine if somebody can hack into a pacemaker and say, ‘please deposit a million dollars or I will be stopping your pacemaker’ or suddenly, I can pump in 24 units of insulin in your body,” Gondal added.
- Can be used to run entire simulations: “We are right now in a biotech revolution, where entire business simulations like Moderna vaccine was completely simulated and tried out in data environments. So what could literally happen is that if they have data of 100 million people, their computer models can directly use this health data and start simulations. So effectively, you will be participating unknowingly in clinical trials across the world,” Gondal said.
- Stigmatisation of certain groups of people: “Health data is sensitive data. The sensitive health data about LGBT community patients, or age data, or leprosy, something like that come with a stigma attached to it. In that sense, breaches raise stigmatization of those individuals and it raises concerns about whether those people will get proper access to testing and whether they will be comfortable going to hospitals,” Bedi said.
- Eroding trust in the healthcare system: “I think it obviously will damage the security of the healthcare system, and the trust that individual has in that particular hospital or the particular doctor, whether I would feel comfortable going there and sharing that data because I don’t know who’s going to use it, and what’s going to happen to it,” Bedi added.
- Expensive for a reason: “Healthcare data is $500, financial data is $4. Why are people willing to pay $500 for healthcare data? It’s because this data can be used for so many more things,” Gondal added.
Challenges in securing health data:
- No data protection law: “One of the biggest challenges is that we don’t have a data protection law here. In the absence of any law, either a personal data protection bill, or any specific law, which deals with health data particularly, protecting health data obviously becomes an area of concern,” Bedi opined.
- Health data collection is only going to increase: “All these companies, whether it is Google, whether it is Facebook, whether it is Apple, they are all now trying to enter health care. The minute we are talking about healthcare, we are suddenly talking of connecting health data with behaviour data, with search data. So the repercussions of this are going to be multifold. To just give you an example, the GOQii device captures 25,000 data points per person per day, which includes heart rate, temperature, SPO2, blood pressure, steps, etc. I believe in the next three to five years, your phone will do 90% of diagnostics, including your blood sugar levels, etc and each person will have a million data points a day. Now, imagine that much data if not secured properly, because this data can change the face of biotech because you can use it to do all kinds of research, drug development, biotech, everything,” Gondal said.
- Applications built on an unsecured platform: “Unlike UPI, which was built on top of a banking system which was already having some level of security, I think the health sector is going to have a massive explosion of problems because it is being built on a system which underlying has no security,” Gondal said.
- People do not understand the seriousness of this data: “One big challenge in healthcare is people don’t understand the seriousness of how important this data is and how can it be misused. When people look at financial data, they understand that ‘Oh, my bank account could be wiped out’ or you know fraud could be done and so on. But in healthcare, there is a general lack of awareness that how can this data be misused,” Gondal said.
- Users might be exposing a lot of data unknowingly: “Last year, there was this big report where Fitbit data was used to actually locate US military sites, because they were looking at walking patterns and other patterns and easily able to locate where sites were. Now imagine in India, we have millions of Chinese devices lying around and so many people are using these devices knowingly and unknowingly. All this is exposing a lot of stuff,” Gondal added.
- Lack of a sufficient security system: “Security systems for protecting such data may not be sufficient. We are not aware of the kind of security systems that we need to have in place. One hospital in Delhi may have one system and another hospital a completely different system to safeguard my personal data,” Bedi added.
- End-user mistakes are the biggest security risks: “The biggest cause of any of the security compromises is the end-user mistakes. For example, we clearly tell people you’re not supposed to access the emails from unknown senders, you’re not supposed to register email IDs outside of your network. People go and subscribe using that email for Facebook and everywhere. Then they start getting a lot of spam emails and they open an attachment. They don’t even tell anyone because in the healthcare environment there are night shifts, there are off times, etc. It’s extremely difficult for you to kind of monitor them 24 x 7. Whatever the kind of filter and governance system you put in place, there are still ways and means for people to kind of go out of the network, and that one entry is good enough for you to get completely compromised,” Ramakrishnan said.
- Chances of fraud in UHI are tenfold: In response to a question on what challenges the government’s proposed United Health Interface (UHI) poses, Gondal said: “I think it’s going to be a big challenge because a lot of fraud in healthcare used to happen because of insurance and claims and all of that. Right now, I think the chances of fraud in this entire system is going to go tenfold because people will figure that out by just getting somebody’s OTP I can generate some invoice there. And so, you know, there might be hospital appointments booked in my name and your name in some small city in town.”
- Opening up for portability opens up doors for security issues: “Access to applications has gone up during the beginning of COVID. Everybody started telehealth and telemedicine, teleconsultation etc. So now every other organization is trying to really get into home care and wellness care etc. And the next two years, I can tell you all the aggregator companies are going to be focusing on the wellness and the home care kind of model. On one side you are trying to reach out to the patients, on the other side, you need to know that the more you’re opening up portability, the more you’re going to open up the doors for security issues,” Ramakrishnan said. “Whenever there is communication between two systems or cross-communication, I think there are loopholes that are instantaneously created. In the language of a cyber enthusiast,” Sivaramakrishnan added.
What is India doing in terms of digitisation of health records?
- National Digital Health Mission: “Sometime in 2019, National Digital Health Blueprint came about. Then in 2020, the National Digital Health Mission (NDHM) based on this blueprint came about. What the blueprint talked about was the utilization of using digital services for providing health services across the country. Basically, the point was that health records are scattered across different people. If I am in one state and I go to another state, I can’t carry my health records. How do I transfer it, how does it become portable from one hospital or one health clinic to another health clinic?” Bedi said.
- Health ID: “One of the main points of the mission is to create a unique health identifier, the Health ID, which is supposed to be linked to your electronic health records. All your blood reports, your doctor medical reports, it’s in one place, and that health ID, if you give consent to the doctors, you will have access to your health records, whichever hospital you go, in case if I shift from Delhi to Bombay, and I go to different doctors,” Bedi added.