Opinion Express View on ICMR leak: Plug the breach
This should serve to drive efforts towards more robust digital data systems
About two months after intelligence agencies reported that personal details of more than 80 crore people had been leaked from the ICMR website and put on sale on the dark web, the Delhi Police has arrested four persons. The investigation could yield valuable cyber security lessons. But the major challenge before law enforcing agencies and policymakers is to be one step ahead of such infiltrators, especially at a time when the government is emphasising healthcare digitisation — the breach in the servers of India’s premier medical research agency was, actually, first flagged by a US agency.
The severity of the pilferage is not just because of the volume of the data in question but also the type of information that was leaked — including Aadhaar and phone numbers, passport details, and health records. These are not just personal identifiers but keys that can unlock information on financial transactions, personal communications and medical details. The breach also raises concerns about privacy violations.
The utility of digital systems in healthcare was demonstrated during the Covid vaccination drive. Electronic repositories of patients’ medical histories, diagnoses, treatments and other healthcare information can lead to quicker diagnosis, better treatment decisions, and improved safety standards. The Centre’s initiatives including the Ayushman Bharat Digital Mission have brought digital healthcare to the centre stage.
It operates on the principle of a federated architecture — data isn’t stored in a single repository but information flows between all participants in the system. Even, the salience of data security measures cannot be overstated. A World Bank study of the Ayushman Bharat Digital Mission pointed out that health insurers can access patient data because they are in the ecosystem.
Cyber attacks can also disrupt the functioning of medical systems. Last year, a ransomware attack on the AIIMS servers pushed the top government hospital in the capital to shift a large part of its operations to the manual mode for almost two weeks. The data was reportedly repopulated into the hospital’s systems. The question, however, remains: Did the compromised information find its way to the dark web?
India is, of course, not the only country to be dogged by health data security issues. The NHS in the UK has suffered several attacks in recent times.
In July, it lost 70 terabytes of sensitive information in a ransomware attack. The UK’s Data Protection Act enjoins health service providers to inform people if their data is compromised. In the US, the Health Insurance Portability and Accountability Act requires regulated entities to comply with its breach notification rules. These laws have, by all accounts, not made systems foolproof.
But they are a part of an ongoing process to make healthcare repositories more secure. India’s recently introduced Data Protection Act has been criticised for being insensitive to the demands of securing health-related information. The attack on ICMR should push policymakers to make systems more robust.
Share
