AIIMS data breach may be graver than it appears


Saturday, 03 December 2022 | Shivaji Sarkar

With a 300% surge in cyber-attacks in India, it is necessary to place intrinsic security at the heart of digital strategies. 

Health data is critical. Had one secret been known, the Indian subcontinent might have had different political contours. In 1947, Mohammed Ali Jinnah's health condition was kept under wraps, giving Congress leaders no clue that his days were numbered. Had there been the slightest inkling, the history of the Indian subcontinent could possibly have been different.

But did the British rulers know about it? Is that the reason the Radcliffe Commission drew the lines of Partition in five weeks without visiting those areas? These are difficult questions, but everyone has secretly admired the way the critical information about Jinnah remained shrouded. Healthcare information may rarely have had such immense political and economic significance.

The AIIMS data breach may be graver than it appears. It may be recalled how a global collaborative investigative project revealed that Israeli company NSO Group's Pegasus spyware targeted over 300 mobile phone numbers in India, including those of two serving ministers in the NDA government, three opposition leaders, one constitutional authority, several journalists and business persons.

No less worrisome was Cambridge Analytica, which had allegedly stolen the data of 50 million Facebook users in 2014, claiming that the Congress party was the firm's client in India. Some other apps, despite pious intentions, were blamed for compromising data.

The latest move for a data protection law needs to have a wider ambit. Almost all apps on social media, corporate or public, seek unnecessary access to contacts, camera and location. This must be stopped. The Competition Commission of India (CCI) on October 25 imposed a fine of Rs 936.44 crore on Google for anti-competitive practices in its Play Store policies.

Indian healthcare data is stated to be worth $7 billion in the world market. It is not just about profiling a population; information on some key persons may itself be worth more than that. The global healthcare information market size is valued at $359.8 billion in 2021 and is expected to expand at a compound annual growth rate (CAGR) of 13.2 per cent till 2030.

The risk is far greater than can be fathomed, particularly in the light of the government using the coronavirus pandemic to push its plan to digitise the health records and data of 1.3 billion people, despite concerns about privacy, increased surveillance, technology and human rights. Such data can be utilised in many ways, including for blackmail, seeking ransoms or political mapping. The storing of individual information in Aadhaar and linking it to several instruments like income tax data, the balloting system and banking are fraught with great risks to the nation and individual citizens.

According to a report published in The Lancet journal in 2016, global expenditure on health is anticipated to increase to $18.3 trillion by 2040. So would the worth of data multiply.

The AIIMS attack may have many dimensions. It presumably has sensitive medical data that can be attacked, copied and altered. On May 14, 2016, AIIMS, Raipur similarly suffered an attack by a Pakistani hacker, Amir Muzaffar. That data on the net is not safe was exposed by Indian hackers claiming to have accessed more than 80,000 coronavirus patients' healthcare records that were insecurely stored on government servers in June 2020. The group, calling itself Kerala Cyber Warriors, announced that it had gained access to the Delhi State Mission website "in less than 10 minutes". Its members claim to have accessed sensitive data including patients' names, addresses, phone numbers, Covid-19 test results, and passport details. In the US itself, in 2019, 41.4 million patient records were hacked.

At the initial peak of Covid-19, the Indian healthcare industry registered seven million cases of cyber-attacks. With a 300 per cent surge in such attacks in India, it is necessary to place intrinsic security at the heart of digital strategies.

Stolen health records may sell for up to 10 times or more the price of stolen credit card numbers on the dark web. The cost to correct a breach in healthcare is almost three times that of other industries, averaging $408 per stolen health care record versus $148 per stolen non-health record, says an IBM and Ponemon Institute report.

The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as social security numbers, and intellectual property related to medical research and innovation. One reason for the vulnerability is the easy access to the sites for diagnostic and treatment facilities. The gateways for users need separation.

The AIIMS breach, or any healthcare breach, is perilous and the nation needs to be extremely cautious about centralised data prospecting.

(The author is a senior journalist)
