In yet another reminder of the frailty of India’s health data security, sensitive information has been disseminated online in a breach affecting multiple healthcare providers across several states and union territories.
The data exposed include 121 million medical images of patients, such as x-rays and scans, and more than a million medical records according to a recently released report. Of the images, more than 114 million were fully accessible online. Classified information such as patients’ names, national identification numbers, medical histories, and details concerning the facilities where they were availing care and the practitioners involved in their treatment were among the details left vulnerable due to the breaches.
A total of 97 systems in India were found to be vulnerable, in a concerning display of the inadequacies of health data security in the country. Of these, Maharashtra accounted for 46 followed by Gujarat with nineteen.
“The vulnerability is the complete lack of protection, a PACS system uses the DICOM protocol to communicate,” The Economic Times was told by Dirk Schrader, chief marketing officer and security researcher of German firm Greenbone Networks which conducted the report. “For those systems in India (and found globally), there was no access control, encryption…in place. That allowed us to access the system… sometimes the understanding of the term ‘vulnerability’ is a kind of software flaw, which is not the case here. It’s a configuration issue.”
The use of digital health records is on the rise in India. As many as 76 percent of practitioners use them. However, experts have warned that the health sector could become the “the apple of the eye for cybercriminals” and that it is woefully unprepared for cyberattacks.
Last year, Stephen Neumier – managing director for the Asia Pacific at Kaspersky, a leading cybersecurity firm – cautioned that “as rapid digitalisation penetrates the healthcare sector, cybercriminals are seeing more opportunities to attack this lucrative and critical industry, which is honestly not equipped enough to face this virtual danger.” As a case in point, a health data security breach by hackers last year resulted in the theft of 68 lakh digital health records. Another breach last year resulted in 12.5 million pregnant women’s medical records becoming publicly accessible.
Such warnings come at a time when the Government of India is fully embracing digitisation as a route towards universal health coverage. As such, guaranteeing health data security is imperative and must be incorporated into all facets of the Government’s strategy towards the same.