Thursday, February 2, 2023

Indian health data $ 7bn treasure: AIIMS info breach is risky

Shivaji Sarkar

Health data is critical. Had one secret been known, Indian subcontinent may have had different political contours.
In 1947, Mohd Ali Jinnah’s health conditions were in wraps giving no clue to Congress leaders that his days were numbered. Had there been the slightest inkling, possibly the Indian subcontinental history could have been different. But did the British rulers know about it? Is that the reason that the Radcliffe Commission drew the lines of Partition in five-week haste without visiting those areas?
These are difficult questions but everyone has secretly admired the way the critical information of Jinnah remained in shrouds. The healthcare information rarely may have had such immense political and economic significance.
The incident is being remembered as for days the critical All India Institute of Medical Sciences, Delhi, web portal server is inoperational, since November 23 morning, supposedly because of suspected ransomware. The AIIMS has switched over to manual procedures and sought the assistance of Indian Computer Emergency Response Team or CERT-IN, the nodal emergency agency of the Ministry of Electronics and IT.
The AIIMS data breach may be graver than it appears. It may be recalled that how a global collaborative investigative project revealed that Israeli company NSO Group’s Pegasus spyware targeted over 300 mobile phone numbers in India, including that of two serving ministers in the NDA government, three opposition leaders, one constitutional authority, several journalists and business persons.
No less worrisome were the Cambridge Analytica, which had allegedly stolen the data of 50 million Facebook users in 2014, claimed that the Congress party was the firm’s client in India. Some other apps despite pious intentions were blamed for compromising data.
The latest move for a data protection law needs to have a wider ambit. Almost all apps on the social media, corporate or public seek unnecessarily access to contacts, camera and location. These must be stopped. The Competition Commission of India (CCI) on October 25 imposed a fine of Rs 936.44 crore on Google for anti-competitive practices in its Play Store policies.
The Indian healthcare data is stated to be worth $ 7 billion in the world market. It is just not about profiling a population but information of some key persons itself may be worth more than that. The global healthcare information market size is valued at $ 359.8 billion in 2021 and is expected to expand at a compound annual growth rate (CAGR) of 13.2 percent till 2030.
The risk is far greater than it can be fathomed particularly in the light of government using the coronavirus pandemic to push its plan to digitise the health records and data of 1.3 billion people, despite concerns about privacy, increased surveillance, technology and human rights. It can be utilised in many ways, including for blackmailing, seeking ransoms or political mapping. The storing of individual information in Aadhar and linking it to several instruments like income tax data, balloting system and banking are fraught with great risks to the nation and individual citizens.
According to a report published in The Lancet journal, in 2016, global expenditure on health is anticipated to increase to $ 18.3 trillion by 2040 across the globe. So would data worth multiply.
Hackers’ access to private patient data not only opens the door for them to steal the information, but also to either intentionally or unintentionally alter the data, which could lead to serious effects on patient health and outcomes. If this at all happens to AIIMS or any health data, it can lead to severe flaws in the line of treatment. The Ayushman Bharat itself has enormous records along with ESI Hospitals. The move to have a centralised healthcare data needs rethinking.
AIIMS attack may have many dimensions. It presumably has sensitive medical data that can be attacked, copied and altered. On May 14, 2016, AIIMS, Raipur also similarly suffered an attack by a Pakistani hacker, Amir Muzaffar. The homepage of the institute was damaged and the hacker left messages of bravado.
That data on the net is not safe was exposed by Indian hackers claiming to have accessed more than 80,000 coronavirus patients’ healthcare records that were insecurely stored on government servers in June 2020. The group, calling itself Kerala Cyber Warriors, announced that it had gained access to the Delhi State Mission website “in less than 10 minutes”. Its members claim to have accessed sensitive data including patients’ names, addresses, phone numbers, covid19 test results, and passport details. In the US itself, in 2019, 41.4 million patient records were hacked.
At the initial peak of the covid19, Indian healthcare industry registered 7 million cases of cyber attacks. With a 300 percent surge in such attacks in India, it is necessary to place intrinsic security at the heart of digital strategies.
The stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. The cost to correct a breach in healthcare is almost three times that of other industries — averaging $ 408 per stolen health care record versus $148 per stolen non-health record, says IBM and Ponemon Institute report.
In May, 2017, patient outcomes were threatened when Britain’s National Health Service was hit as part of the “WannaCry” ransomware attack on computer systems in 150 countries, resulting in ambulances being diverted and surgeries being cancelled. Similar ambulance diversions due to ransomware happened in the U.S.
In September, 2020, a key Indian political person’s account was hacked, as per Twitter. The US experts say that with proper planning and investment, it’s possible to mitigate this risk. The NIC and AIIMS has to do it. The government has to protect the information delinking it from Aadhar, PAN and other instruments.
Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and even the targeted key persons. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as social security numbers, and intellectual property related to medical research and innovation. One reason of the vulnerability is the easy access to the sites for diagnostic and treatment facilities. The gateways for users need separation.
The AIIMS or any healthcare breach is perilous and the nation needs to be extremely cautious on centralised data prospecting.

Must Read