The risks of storing health records of 1.3 billion Indians on the National Health Stack

The National Health Stack, on which the National Digital Health Mission will function, is designed to generate vast amounts of data, thus making it one of the largest health databases in the world.
Doctor holding a tablet
Doctor holding a tablet
Written by :

In September 2021, Prime Minister Modi announced the National Digital Health Mission (NDHM), a programme that aims to provide every citizen of the country with a Health ID — a unique 14-digit ID generated by the Ministry of Health and Family Welfare. This Health ID will contain a patient's complete medical history, everything from prescriptions to diagnostic reports. It can be accessed not only by the patient but by players across the healthcare industry, including hospitals, laboratories, insurance companies and others. But where will this data be stored?

This is where the National Health Stack (NHS) comes in. NHS is considered to be the building block for the digital infrastructure, on which the National Digital Health Mission (NDHM) will function. The NHS has an ambitious and hard task ahead of it. 

What is the NHS?

The blueprint for the NHS, titled ‘National Health Stack: Strategy and Approach,’ was released in 2018. It says that the NHS will create the master health data of the nation in the form of Health IDs. It will form the building blocks on which a universal health protection scheme under the Pradhan Mantri-Rashtriya Swasthya Suraksha Mission (PM-RSSM) will be built. The NHS will create the frameworks for all health data of Indians to be made available for medical research and make the health data available for predictive analytics by private entities to aid policymaking. It will also create the framework to allow the health data to be shared across all health programmes of the Union government. 

This will make the NHS one of the largest health databases in the world. The NDHM hopes that having the health data of 1.3 billion Indians digitally stored will put the country at the forefront of medical research in the world. But will our health data be secure? Are there checks and balances in place to ensure private entities do not misuse our health data? 

Researchers from the cybersecurity and privacy community have grave concerns.

The NHS is essentially a collection of cloud-based services, with each service provider developing their own open-source Application Programming Interfaces (APIs), allowing them to access the health data and provide health services.

In its consultation paper, the core intent of the NHS is described as a means to enable on-time payments for the service providers. The Ministry of Health and Family Welfare believes that the NHS will enable the “distinction between good and bad service providers, as dictated by data, and subsequent recognitions/treatments, a self-sustaining win-win ecosystem in healthcare where better service providers will bubble to the top.”

Building the NHS ecosystem

As of March this year, about 374 private entities have empanelled with the NHS, according to a response from the NDHM to RTI queries filed by Srinivas Kodali, a researcher on open data. 

These numbers are only expected to grow as more private entities, such as hospital chains, diagnostic centres, Artificial Intelligence (AI) companies, health data management companies, insurance companies, join the NHS to develop applications and services, catering to hospitals and users. 

With so much data at play, multinational companies (MNCs) from the IT sector and startups will get involved as well, say experts. “It’s a hard business where the MNCs have to be accurate with the data being collected, provide 24/7 service to hospitals and avoid cybersecurity risks,” says Kamalavelan, the secretary of the Free Software Hardware Movement (FSHM), an advocacy group based out of Puducherry. 

“The startups will be working with analytics based on AI, providing the analysis layer for the NHS. But what happens when a data breach takes place? Or even worse, what happens if any of the health data of Indians get shared with third parties with links to hostile foreign governments? What then?” asks Kamalavelan, whose group works on building awareness on technology and its impact on governance and society.

It is important to note that in September this year, Jawaharlal Institute of Postgraduate Medical Education and Research (JIPMER) in Puducherry suffered a ransomware attack, crippling its teleconsultation services. As a precautionary measure, the digital grid on which the hospital functioned was shut down according to a report in The Hindu. In 2018, a similar ransomware attack was reported at Mahatma Gandhi Mission Hospital in Mumbai.

Between October 1 and November 25, 2020, over seven million cyber attacks were recorded on the Indian healthcare sector, including vaccine makers and hospitals, according to a report by the CyberPeace Foundation, a Jharkhand-based civil society organisation and think tank that works on building resilience against cybercrimes and global threats of cyber warfare. 

These attacks were recorded on the healthcare sector-based Threat Intelligence Sensors network specifically simulated in India by the foundation. The network identified a total of 54,34,825 attacks in October, and 16,43,169 attacks in November, said the company in a press release.

The question of anonymity

Health data is sensitive and will be stored in a federated manner, says the NHS blueprint. In other words, the health data will be stored locally at the hospitals/clinics in the form of digital registers called Personal Health Registry (PHR). To access this data, consent from the entities that generate the health data, meaning the patient, is needed. 

The consent process will be facilitated by Health Data Fiduciaries (HDF) using OTP sent to mobile or Aadhaar-based authentication etc. The HDFs are “trustees” of the health data, they facilitate the consent-driven interaction between the patients and entities – diagnostic centres, government hospitals etc – that want to consume the PHR for delivering better services to the individual.

The HDFs will determine the purpose and the means of the processing of the personal data in the PHR.

Further, the actual health data of a patient stored in PHRs will be anonymised at the time of sharing by HDFs, says the NHS blueprint but it provides no further clarity on how this anonymised health data will be used by private entities, points out Srinivas Kodali.

”The problem comes after a point of time when organisations like hospitals and diagnostic chains continue to have patients’ data. There are no checks and balances in place to ensure that the anonymised health data is not taken out of the NHS sandbox (a platform to develop and test software) and used for private gains. My concerns arise on what kind of data anonymisation they will be doing because there are no standards that are set yet,” he says.

“If the government of India tomorrow says they will deanonymise health data, where are the protocols?” he asks. There need to be more clarifications on how anonymised data will be used, stresses Srinivas.

Possible national security risk

The health data is a double-edged sword, says Smith Gonsalves, a cyber expert who specialises in enhancing the information security of MNCs and assisting Law Enforcement Agencies in cybercrime-related cases. “It may give the government of the day the power to analyse diseases and deliver better health care but it can also turn out to be a national security risk if not stored properly,” he points out. 

"In the hands of hostile foreign spy agencies, the health data of our country can be weaponised. The data can be used by foreign entities to target high-value targets in India and pin the cause of death on pre-existing conditions. It can also be misused by any government in power as there are no adequate checks and balances within the government itself on how the data should and shouldn’t be handled,” says the researcher.

The health information could potentially be used to target political opponents as well, says Smith.

Smith urges the Indian government to treat the health data of the country’s citizens as military-grade data with dedicated servers. “If need be, the Indian government should step in and provide the hospitals with the required digital infrastructure encouraging them to adopt better cybersecurity practices,” he adds.

“One solution is to roll out the NHS on the blockchain rather than on a cloud service model,” says Smith. On a blockchain, the Health ID will work as a private key used to encrypt and decrypt data shared between a sender and receiver. The private key will enable patient anonymity on the Public Health Registry (PHR), which can be on the blockchain. Authorisation for the government or private entities to use the data can be granted using these private keys, by the patient.

“The blockchain model still leaves room for health data from the hospital-end to be used for analytics," says the researcher who urges the information security community in India to raise the security concerns with the Union government.

“It is also important that the government take steps to ensure that the health data of Indians are treated equivalent to protecting their fundamental right to privacy,” he adds.

The digital divide, privacy concerns

The NHS model being followed gives the existing MNCs, the venture capitalists funding the startups and the pharma heavyweights power to set the agenda on future policy and technology adoption, say experts. This approach could lead to people being left out of the digital health care system, warns Kamalavelan. “Technology can always be useful but problems arise when people, for whatever reason, cannot be part of the system.” 

Srinivas, on the other hand, raises concerns about who gains access to the health data of minors and young women. “An aggregated health data could pose a risk to minors from the LGBTQ+ communities, they will find it hard to hide their sexual orientation or hide, if there are any, STDs from parents. If a single woman has had an abortion before marriage, this medical health data could get recorded and could pose personal problems for her in the future,” he adds.

Kamalavelan warns that much like how people were left out of government schemes and access to PDS due to issues with Aadhaar, the present architecture of the NHS could lead to people being left out of India’s health care system. "People have not been able to access schemes for reasons such as a spelling mistake in their name in the Aadhaar card or due to the lack of documentation or simply due to their ignorance. Some people didn't even know they had to enrol for an Aadhaar to gain access to basic services. Are we going to ignore such people if the same situation arises when it comes to healthcare?” asks the researcher, while pointing out that a decade since the rollout of Aadhaar, several of these issues still persist. 

Related Stories

No stories found.
The News Minute