Digital Health Data Protection: How India Is Tackling Increasing Threat?

With its burgeoning healthtech sector and expanding market of app-based healthcare services, India has witnessed a massive security breach recently.

Amidst the surge in cyber security breaches, the US Federal Trade Commission (FTC) recently issued a mandate aimed at bolstering data protection measures within the digital health sphere.

The finalized Health Breach Notification Rule (HBNR) emphasizes the imperative for digital health apps to notify individuals and regulatory bodies of any breach in their sensitive medical data.

This directive seeks to fortify consumer data privacy and enhance transparency regarding data collection practices. The revised HBNR broadens its scope to encompass a myriad of health apps, including those not bound by the Health Insurance Portability and Accountability Act (HIPAA).

Under this regulation, vendors managing digital health records must promptly notify affected individuals, the FTC, and in certain instances, the media, upon discovering a breach of unsecured personally identifiable health data.

Notably, this includes emergent health data inferred from sources such as location tracking and health-related purchases.

The FTC's action follows recent enforcement measures targeting entities such as GoodRx, Premom, and BetterHelp, which faced penalties for unauthorized disclosures of consumers' personal health information.

These incidents underscore the critical need for heightened vigilance and compliance within the digital health sector.

Growing Health Data Breaches in India

With its burgeoning healthtech sector and expanding market of app-based healthcare services, healthcare seekers in India have been victims of massive security breaches frequently.

For example, in November 2023, the Indian Council of Medical Research (ICMR) was hit by a significant cybersecurity incident compromising the personal data of over 81.5 million Indians. The data was later found for sale on the dark web.

Recently, a report claimed that HealthGenie, a Delhi-based healthcare IT solutions provider, allegedly exposed 4.5 Lakh sensitive documents of patients including clinical and personal data including phone numbers, addresses and payment details.

“The recent cyberattack in the healthcare industry serves as a clear warning, asking for increased care in safeguarding sensitive medical data. As telehealth solutions and electronic health records (EHR) are changing the landscape, the confidentiality of patient information becomes increasingly important,” said Rahul Misra, founder of Vesta Elder Care.

Balancing Innovation & Regulation

Exposing personal medical data poses severe risks for affected individuals. The attackers could misuse the information for identity theft, financial fraud, targeted phishing attacks, blackmail, and potentially compromise patients’ medical histories and personal information.

Individual healthcare data can be sold on dark web forums. For example, hacked medical details could be used for medical identity theft, where threat actors would use stolen information to submit forged claims to health insurers.

Reports suggest a distressing trend wherein sensitive medical data, including patient histories and prescriptions, are shared with third parties without their explicit consent.

This breach of trust not only jeopardizes individuals' privacy but also exposes them to potential risks of identity theft and financial fraud.

Moreover, the widespread reliance on health and wellness apps coupled with the pervasive disregard for privacy policies exacerbates the vulnerability of users' personal data.

A glaring gap in user awareness regarding data privacy underscores the urgent need for enhanced education and regulatory oversight.

Surjeet Thakur, founder and CEO of TrioTree Technologies believes regulations similar to HBNR are not a roadblock but a necessity.

“Since the risk and usage of the data getting into the wrong hands is humungous, this is not a hindrance rather it’s a necessity. The regulatory body can make the transition easier by ensuring the right information is available to everyone, easily and incorporating it in the application should also be efficient,” Thakur said.

He further suggested that there should be easy guidelines to be exposed to healthtech startups as a ready reckoner. “The challenges of other infrastructure-related dependencies, be it cloud or network, or device vulnerabilities, can be ensured by enforcement,” he stressed.

Regulatory Landscape in India

In India, the Digital Personal Data Protection Act (DPDP) of 2023 serves as a pivotal legislative step towards safeguarding consumers' personal data.

Enacted with the aim of establishing a robust framework for data protection, the DPDP Act delineates rights and responsibilities, emphasizing consent, transparency, and accountability.

Under the DPDP Act, consent is the primary basis for processing personal data, including health data, with limited exceptions such as for compliance with legal obligations, responding to medical emergencies, and providing medical treatment during an epidemic.

The Act also requires significant data fiduciaries (SDFs), which may include healthcare providers, to appoint data protection officers and conduct periodic data protection impact assessments to ensure compliance.

Under the DPDP act, non-compliance can attract significant penalties ranging from up to INR 10,000 to up to INR 250 Cr (2.5 billion), depending on the nature and severity of the breach.

Patient Data Security in the Era of AI

As Artificial Intelligence technologies continue to be rapidly adopted in healthcare offerings, it presents a unique challenge to safeguard sensitive patient information, including health records, personally identifiable information (PII), and intellectual property.

Disesdi Susanna Cox, chief data officer at BobiHealth, a pregnancy safety health app, highlights the pressure on data teams to ensure compliance and regulations.

“If an organization uses AI in any way, there are additional regulatory burdens, as well as security issues. All of this can add up to make the ever-changing data privacy landscape very challenging to navigate,” she said.

Aneesh Nair, cofounder and CIO, MyHealthcare underscores the importance of data privacy and security, in the era of AI, which relies heavily on patient data.

“While regulations can protect patient safety and prevent misuse, overly burdensome ones might hinder innovation. India needs a regulatory framework that fosters responsible AI development while addressing unique healthcare challenges. This framework should cover transparency, privacy, bias mitigation, and accountability,” Nair said.

In A Nutshell

As the healthcare industry navigates the complexities of an increasingly digitized landscape, ensuring the privacy and security of patient data remains paramount.

Regulatory initiatives such as the FTC's Health Breach Notification Rule and India's DPDP Act represent crucial steps towards bolstering data protection measures.

However, concerted efforts are needed to address the pervasive challenges posed by cybersecurity threats and data breaches.

By fostering collaboration, promoting digital literacy, and implementing robust governance and cybersecurity measures, stakeholders can collectively work towards building a secure and transparent digital healthcare ecosystem that prioritizes patient privacy and safety.