Will India's Healthcare Data Be Protected? #PrivacyOfThePeople

Tl;dr

In the continuation of our weekly series #PrivacyOfThePeople, we look at the impact of the Personal Data Protection Bill, 2019 on different sections of society. In the past, we’ve covered the effects of the Bill on worker surveillance and agricultural data. In this post, we examine the Bill in relation to healthcare data. We explore the need to secure such data as well as why private companies and foreign hackers are interested in the data of senior citizens.

Background

Last week, in the third post in our #PrivacyOfThePeople series, we looked at social media user rights under the Personal Data Protection Bill, 2019. We took a deep dive into the merits and demerits of the Bill when it comes to the common person and data fiduciaries. Users of any social media platform who are direct stakeholders of their own data must have greater say and better protection in this increasingly digital world.

This post continues to discuss how different groups of people are affected by the Personal Data Protection Bill, 2019.This week, we’re taking a look at why there is an increasing interest in healthcare data and medical records and whether the Bill adequately protects such data. In the past, we have discussed privacy-related concerns in healthcare through our explainer on the Unique Health Identifier Rules and our analysis of the National Digital Health Mission’s health Data Management Policy.

The issue

In a world where everything is becoming increasingly digital, each industry is facing a unique set of challenges that come with digitization. As such, in the health sector, digital technologies are being deployed for overcoming inefficiencies, ensuring better utilization of available resources, delivering certain services and follow-up, etc, for faster data collection. In a country with more than one billion people, any sort of data is bound to be scattered, even more so when it comes to healthcare data. As these records and databases transition to an online setting, healthcare organizations face an uphill challenge to protect this data. According to the US Department of Health and Human Services’ Office for Civil Rights, between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records have been reported.

To understand why there is an increased interest in healthcare data, we must first understand what exactly is healthcare data? As per the National Digital Health Mission (NDHM), health data can be classified into the following categories:

  • Personal health data – data related to an individual containing detailed information of various health conditions and treatments. It includes any data with personally identifiable information of various stakeholders, such as healthcare professionals; and
  • Non-personal health data – includes aggregate health data and anonymised health data where all personally identifiable information has been removed.

Why is it then, that the value of medical records on the web surpasses that of social security and credit card numbers? According to Tom Kellermann, chief cybersecurity officer of Carbon Black, “Health information is a treasure trove for criminals. By compromising it, by stealing it, by having it sold, you have 7 to 10 personal identifying characteristics of an individual.” A lot of healthcare data is sensitive personal data. Not only is this data sensitive, but it is also of great value to brokers who sell this data to private agencies and researchers. This is clearly evidenced by one of the largest Indian healthcare data breaches in 2019 when cyber criminals had stolen 68 lakh records of patient and doctor information. This breach contained Personally Identifiable Information (PII). According to another report, over 41.4 million patient records were breached worldwide in 2020 alone. This has alarming consequences.

A number of things can happen with stolen healthcare data. Traditional criminals may resort to coercion and extortion by using your information. Others may commit identity theft. One of the most common places your data may eventually end up, however, is at insurance companies. In fact, hospitals in the US regularly sell medical information to data mining companies who then aggregate the data and resell it to private practitioners, insurance companies, etc. While both secondary use and sale of medical data are anonymised beforehand, several reports have revealed the possibility of identifying people even based on such disparate information. Such practices can result in an increase in insurance premiums and targeted advertising, leaving very little control over such sensitive information with the patient themselves.

In the absence of stringent data protection regulations, your parents’ and grandparents’ data can end up with foreign researchers or helping insurance companies profit.

The PDP Bill and Health Data

Under section 3(21) of the Personal Data Protection Bill, 2019 (PDPB), ‘health data’ is the ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’. Further, under section 3(36) of PDP 2019, ‘sensitive personal data’ refers to personal data that may reveal, be related to, or constitute health data, among others. At present, the Bill is silent on non-personal and anonymized data. As we have written extensively earlier, protecting personal data alone solves only half of the problem - non-personal data needs to be thoroughly regulated as well. In today’s world, it is nearly impossible for everyday users of the internet to achieve true anonymity. Indeed, many studies have already shown how anonymised data can be de-anonymised and used to identify individuals (see here and here).

Furthermore, the Bill fails to adequately safeguard data of any sort in the case of data breaches. Clause 25 which deals with the breach of personal data states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the Data Protection Authority. However, the clause does not require the data fiduciary to inform the data principal (in this case, users whose healthcare data is now public). It is instead left to the Authority to decide: a) whether the data fiduciary must inform the data principal, b) the remedial action the data fiduciary must undertake, and c) the details of the data breach that can be made public. Moreover, there are no penalties imposed on the data fiduciaries in the event of a data breach. Given that the systems the digital healthcare industry rely on are already severely vulnerable to cyber attacks, the lack of penalties disincentivises enterprises from adopting more robust security standards..

Solution

To remedy some of the aforementioned issues, here are our recommendations:

  1. Clearly identifying the need, purpose, and safeguards for healthcare data: It has been argued that since the medical community is still divided over the impact of digital health records on clinical outcomes, there is a need to comprehensively study the same in the context of efficacy and privacy concerns. Lessons from studies from other countries may also be beneficial. For example, a survey of general physicians in Australia found that they accessed only a tiny fraction of all the reports uploaded onto the database. To this extent, the government must also hold consultations with diverse stakeholders to calibrate this framework towards a focus on improving medical outcomes (rather than on data collection). Hence, a transparent, consultative approach with public health groups, independent academics, and experts, digital rights organisations needs to be conducted on priority.
  2. Protect Non-Personal Data: Allow non-personal and anonymized data to be regulated by the Data Protection Authority. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for non-personal data.
  3. Strengthen the security framework: Companies must provide users with explanation of security practices and safeguards that their data will be subject to. Additionally, in case of a breach or hack, users must be informed about the incident and give details about the extent to which their data has been affected.

This is the third post in our #PrivacyOfThePeople series on how the Personal Data Protection Bill will impact different facets of our life; you can read part 1 on worker surveillance here, part 2 on the farmers here, and part 3 on social media here. Join us next week as we look at the Bill in the context of student data.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  3. Previous blogpost dated January 18, 2021, titled “Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies” (link)
  4. IFF's Explainer on the Unique Health Identifier Rules, 2021 (link)
  5. Previous blogpost dated June 17, 2021, titled "Analysing the NDHM’s Health Data Management Policy: Part 1" (link)
  6. The SaveOurPrivacy Campaign (link)

This post was largely drafted by Tanvi Roy, who is an undergraduate student majoring in Computer Science at Ashoka University and currently interning at IFF.