date 2022-12-14
AIIMS cyber attack: Is India ready for Ayushman Bharat Digital Mission?
Was the recent cyber attack at the All India Institute of Medical Sciences (AIIMS) Hospital just a taste of what's to come in the digital future of India's healthcare system?
On 23 November, AIIMS-New Delhi issued a statement saying that its server, which held details of its outpatient and inpatient digital hospital services including smart lab, billing, report generation and the appointment system, was affected.
What followed was a frenzy of staff scrambling for hours to get the server running as services came to a sudden standstill as a result of the breach.
But, let's zoom out from the AIIMS incident to take a look at the larger plan to digitise healthcare that's being pushed by the government under the Ayushman Bharat Digital Mission.
Is India ready to go paper-less and fully digitise healthcare? FIT speaks to experts.
Simply put, the Ayushman Bharat Digital Mission, launched in September 2021, is an initiative by the Union Government to digitise health records and data of citizens in order to ease services.
ABDM involves a bunch of other smaller programmes and provisions including the Ayushman Bharat Health Account (ABHA) app, ABHA number and a health facility registry.
However, there are several challenges in the way they are actually implemented that could result in a security breach, says Dr Suresh Munuswamy, public policy expert, and assistant professor at Public Health Foundation of India.
For one, Dr Munuswamy explains, in AIIMS, there was just one server holding all this information. This is why services were not available for the next week.
According to reports, it was only on 13 December, a whole 19 days later, that online appointment services were restored at AIIMS.
"You need to increase a lot of manpower, you need a lot of security, you need to distribute data across different servers, and someone has to pay for it," adds Dr Munuswamy.
Under the programme, the hospitals involved essentially have to take care of the infrastructure needed to support the digital network.
"You can’t expect a doctor to be a good computer administrator. So, you are essentially asking each hospital to hire a whole new IT team to set up the digital ecosystem," Srinivas Kodali, a researcher with the Free Software Movement of India, tells FIT.
"If you want safety, the only way to do that is to spend a lot of money and hire more people."
Dr Munuswamy says the way around it is for the government to increase the funds allocated to the programme.
Though the Supreme Court has recognised that the right to privacy is a fundamental right, there is no data protection law in place in this country, says Rohin Bhatt, a human rights lawyer practising at the Supreme Court.
There is a proposed Digital Data Protection Bill 2022 draft, but it's not much good until it becomes law.
"The draft doesn’t demarcate between personal data and sensitive personal data. Health is a sensitive personal data," says Pallavi Bedi, a public policy lawyer and a researcher at the Center for Internet Security.
"So the extra safeguard that should be there for health data is also not there," she adds.
Take, for instance, the incident at AIIMS. As far as we know, no substantial legal recourse followed the cyber attack.
"All of that data is now in the hands of these cyberterrorists. You don’t know how they will use it," adds Bhatt.
"It exposes people to a gross invasion of their privacy without their consent," adds Bhatt.
"Is there a privacy violation, yes. But more than that, the question is, how is it harming you?" says Srinivas Kodali.
The harm, Kodali goes on to say, comes from a number of directions, including the insurance industry, personal targeting etc. There's no real way of anticipating just how the data may be used.
You don't get to decide what the government, and private hospitals do with your data thereafter, he says.
According to Kodali, a plausible scenario is that all this information collected from citizens is given to the insurance industry. The insurance industry can then start determining who should pay how much for health insurance based on their data.
This isn't a far-fetched concern, considering arrangements like this have already been flagged in other countries.
This is because there's a lot of money to be made from this information, targeted advertisements being one example.
Do you need Aadhaar to register? ABHA number, COWIN number, Health ID - What is the difference, and where do you use which one?
What health information of yours is linked to it?
How will it be used? Who has access to it?
Most people don't have the answers to these questions.
"You have to look at it from the high level and the granular level," says Dr Munuswamy.
Speaking to FIT, a resident doctor at AIIMS said that the hospital has kiosks for creating Health Accounts for patients, and that they are encouraged to register.
Most people who sign up for it don't fill out their own forms. "You have a data entry operator filling it out for them," says Bedi.
"That's a concern too because you're sharing all this data with somebody. Many don't know that the ABHA number is sensitive, or how it really works," she adds.
The process is meant to be a voluntary one, but is it truly voluntary in the absence of informed consent?
The bottom line is that digitising health data can help streamline healthcare services, and help hospitals function faster and more efficiently, but when the data being handled is of such a sensitive nature, and on such a mammoth scale, concerns of privacy and security need to be addressed.
The Quint has reached out to the National Health Authority. Their response will be added to the story.
