By Aishwarya Jagani

 As India Prime Minister Narendra Modi’s government gears up for a full rollout of its National Digital Health Mission (NDHM), experts continue to raise privacy and security concerns over what could be the world’s biggest health database. 

“Large databases are always risky, especially when handling sensitive data like health data,” Prasanth Sugathan, legal director of the Software Freedom Law Centre in New Delhi, told Digital Privacy News.

“Moreover, in this case, the data could be exposed to multiple entities — and the data-security practices of these entities will have a bearing on the safety of the sensitive health data” he said.

The NDHM was announced in August, with test-runs launched in six union territories — federal areas that are governed, in part or in whole, by Modi’s government.

Dr. Indu Bhushan, CEO of the National Health Authority of India, told a technology conference last month that the mission soon would be ready for national expansion, adding that “the mission of the new digital health program is to provide affordable medical-health facilities to the citizens.”

It contains information on medical history, prescriptions, diagnostic reports and disabilities. The program assigns a unique health ID to each of more than 1.3 billion Indian citizens.

“The data could be exposed to multiple entities — and the data-security practices of these entities will have a bearing on the safety of the sensitive health data.”

Prasanth Sugathan, Software Freedom Law Centre.

Described by Modi as a digitized “swasth khatha” — a “health book” — for citizens, NDHM aims to streamline healthcare records, giving citizens easier access to healthcare and greater control over their medical data, officials said.

Further, the program seeks to consolidate the largely fragmented state of health records in India.

To address privacy concerns, a National Policy on Security of Health Systems and Privacy of Personal Health Records is being developed, in accordance with the India’s Personal Data Protection Bill that passed last year.

‘Privacy by Design’

Bhushan told Digital Privacy News: “NDHM will follow the principle of ‘privacy by design’ and ensure that the privacy of data receives the highest degree of attention in how the data is collected, stored, shared and used.

“There is a pre-existing legal framework, including laws, rules and judgments of the Supreme Court for the protection of privacy and the prevention of abuse.

“In addition, the draft Health Data Management Policy has been released for public consultations,” Bhushan said.

Still, privacy experts argued that the risk of this information being leaked and manipulated by advertisers remained high.

Since the data likely contains personally identifiable information and can be shared with third parties — though in an anonymized form, as is stipulated in the policy — it poses a massive security threat, particularly for sexual minorities and those with disabilities, advocates said.

In addition, enrollment in NDHM currently is voluntary, though critics said they feared it soon could become mandatory.

“Such data may be sold to third parties, causing an increase in service costs to existing patients,” Harleen Kaur, a consultant at the National Institute of Public Finance and Policy (NIPFP) in New Delhi, told Digital Privacy News.

NDHM will “ensure that the privacy of data receives the highest degree of attention in how the data is collected, stored, shared and used.”

Dr. Indu Bhushan, National Health Authority.

She also referenced the draft of the Digital Information Security in Healthcare Act (DISHA), introduced in 2018 by the Ministry of Health and Family Welfare, in a bid to protect the digital health data of citizens.

DISHA has yet to make it into Indian law.

“The draft DISHA Act had provisions which disallowed the government to share the health data with any such third party,” Kaur said.

“However, there is no such security for patients now under NDHM, which is a policy and not a law anyway.” 

In addition, the Software Freedom Law Centre in New Delhi told Digital Privacy News: “The draft policy, otherwise, is silent of sharing of health data with third parties i.e. advertisers.

“However, it does put a restriction on sharing, circulating or publishing of personal or sensitive personal data publicly by any person or entity.”

No Federal Data Laws

According to news reports, the NDHM database would be stored on individual hospital servers.

But critics said that, unlike the federal HIPAA law in the United States that protected health-data privacy, India lacked clear regulation on the issue and did not yet have a data-protection law.

The digital ID under the program takes the form of a mobile application that gives users access to the entirety of their online health records, since birth.

Critics said that this essentially formed what possibly could be the largest centralized health database in the world, putting the security of the health data of millions of citizens in jeopardy.  

Voluntary for Now

Enrolling in NDHM is voluntary, though citizens can opt out at any point.

However, with previous health and identity programs like Aadhar, India’s biometric identity system launched in 2010, and Aarogya Setu — the contact-tracing app introduced in April to help fight COVID-19 — having been made mandatory, the possibility cannot be ruled out for NHDM, critics said.

“While the NDHM is voluntary, we have already seen the voluntary-mandatory conversion of UIDAI in the past,” NIPFP’s Kaur told Digital Privacy News.

“For instance, Aadhar was made compulsory for e-filing of taxes,” she posed. “While on paper, the NDHM scheme is voluntary, it is quite possible it will follow the same path: One wouldn’t get insurance or treatment in selected hospitals unless they sign up.”

But responding to citizen fears that the digital health ID might be required for any access to any future COVID vaccine, Union Health Secretary Rajesh Bhushan told a recent news conference that those choosing not to participate in NDHM would not be denied any COVID vaccination or related medical care.

“Such data may be sold to third parties, causing an increase in service costs to existing patients.”

Harleen Kaur, National Institute of Public Finance and Policy.

Further, the Aadhar database, which is linked to an individual’s fingerprints and face and iris scans, has been plagued with reports of data leaks since its beginning more than a decade ago.

“By the mere existence of NDHM online health records, the privacy and security of data is threatened — as this data was not aggregated earlier,” said Kaur of the NIPFP.

“An ambition to centralize this data will also create a single point of failure.

“Security breaches have been reported in the financial sector,” Kaur told Digital Privacy News, “so, it is inevitable that such data breaches will happen in the health domain as well.”

Aishwarya Jagani is a writer based in Mumbai, India.

Sources (all external links):

• The Print: India needs a digital health mission. But it also needs data privacy law to ensure it works
• Deccan Herald: Privacy concerns as India pushes for digital health ID 
• First Post: Narendra Modi launches National Digital Health Mission; all you need to know about new health ID 
• Livemint: Why the draft health data management policy raises red flags about privacy
• The Hindu: Digital health mission ready for nationwide roll-out soon: Ayushman Bharat CEO