Back to podcast

Podcast transcript: Why there is a need for more data privacy and protection in healthcare

17 min | 31 July 2023

In conversation with:

Pallavi: Hello, this is Pallavi, welcoming you to a new series of EY India Insights podcast on 'Gateway to data privacy and protection'. In today's episode, we explore the data privacy regime in healthcare. Joining us is our esteemed guest, Lalit Kalra, Cybersecurity Partner and Data Privacy Leader at EY India.

With over 17 years in the field, Lalit has been instrumental in assisting numerous clients in strengthening their data privacy and cybersecurity frameworks, specifically within the healthcare and technology sector. Welcome to our podcast, Lalit.

Lalit: Thank you for inviting me to the podcast, Pallavi. It is a pleasure to be here.

Pallavi: To start with, Lalit, what would you say are the advantages and risks associated with digitization of health data?

Lalit: Just like there are pros and cons for every technology that we embrace, so is the case with healthcare and digitization in healthcare. From a patient’s or doctor’s perspective, there have been many advancements that we have seen in technology in healthcare. We know of hospitals where robotic surgeries are happening, where there is a strong emphasis on telemedicine, people are talking about digital personal healthcare – that is how technology is taking the healthcare industry to a new level. 

But at the same time, with digitization, a lot of personal data gets collected. From one perspective, it puts the control in the hands of the patient; it gives them the assurance that their reports or the information that they share with the healthcare provider or doctors is available whenever they need it. They no longer have to carry all the reports or maintain all the records (including prescriptions), nor do these have to be managed in hard copy any longer. Everything is available in the hospital management system (HMS). 

But at the same time, because there are huge amounts of personal data, it is the first point for (cyber) attackers and hackers. Traditionally, the healthcare sector has not been in the forefront of putting controls that would safeguard systems from external cybersecurity attacks or for that matter, even internal attacks. But due to occurrence of a few (cyber) attacks on healthcare providers in the last few years, the industry is implementing cyber controls and preventive tools. 

From an advantage perspective, it (digitization) improves the efficiency of a hospital and reduces cost. At the same time, it enables personal healthcare for a patient. As data gets collected, the risk essentially is misuse of data. There have been numerous cases wherein healthcare data was misused and people were getting random calls for blood donations. Till now, we have seen digital harm; but with health data coming into the picture, it may lead to physical harm. That is an area that people are scared of . There is a need to prevent external hackers from getting access and also ensure that internal users or the people who may not be aware about security but have access to data know how they handle that information. This is what the hospital industry is concerned about. 

Pallavi: Could you also explain the key clauses of India's Digital Information Security in Healthcare Act, popularly known as DISHA? What steps can healthcare providers take to comply with it?

Lalit: DISHA is not a law yet. It was initially proposed in 2017 and some changes were suggested. Around 2020, a revised version of DISHA came in. The focus of DISHA is to ensure that the data collected has consent of the data owner and holds the data controller, or in this case, hospitals or doctors, accountable for what happens with the data. It is in line with the HIPAA (Health Insurance Portability and Accountability Act) of the US, which mandates organizations to implement certain controls to safeguard data being captured and processed. Essentially, it talks about consent. It talks about identifying risks in the systems which help you process personal data in healthcare; notifications that need to be sent in case of a breach; conducting risk assessment to ensure that the data is always protected; periodic management reporting that is to be done by the data controller or the entity to ensure that they are ahead with respect to the data that they are collecting. 

From the perspective of compliance with DISHA, the healthcare industry has a lot of legacy systems and along with that they also have medical equipment which collects personal data and integrates that with some of the latest technologies to ensure that the data is aggregated in one place and then processed. From a healthcare perspective, the legacy systems would need to be upgraded to ensure that there is a provision of consent for processing the data. The personal data that gets collected, what is its purpose? For how long are you going to retain it? Who will have access to it? Which third parties will have access? How will that information be processed? All these aspects need to be identified to ensure there are appropriate controls implemented to safeguard personal data. 

The healthcare officer or the privacy personnel in the organization have a view of what is happening in the data. So, the next step is to create a framework on managing healthcare data within the organization. Then it can be rolled out across the organization or across the hospital to ensure that every individual understands the type of data being processed and to implement controls like technological people-level control or process-level changes which are required to safeguard personal data. 

Pallavi: Considering the current stage of the data privacy Bill, do you expect that it will introduce additional safeguards for patient healthcare data?

Lalit: The Personal Data Protection Bill that the government is working on is likely to be an overarching law above the existing regulations which are there in an industry. It aims to provide an overarching framework that other laws will typically align with.

(The Bill) gives freedom to organizations and regulators to inculcate and embed the specific laws into the privacy framework. The controls that the Bill talks about would be similar to what DISHA recommends, but it will add additional controls in terms of data principle rights, where the data can be stored, conducting periodic audits, and adopting additional technical controls. In a way, it may add additional safeguards and give more comfort to the people that the healthcare provider which is processing their data is compliant with a standard or a nationalized data privacy law.

Pallavi: As India focuses on the digital public goods (DPGs) in healthcare, which rely heavily on digitized data, what measures or safeguards should be implemented to protect this data?

Lalit: The healthcare industry is moving towards digital care for patients. It is moving towards digital telemedicine. We are seeing a lot of video consultation happening. At the same time, equipment is being created to help healthcare providers personalize healthcare plans and monitor them remotely. All the digital smartwatches that we wear collect a lot of data. In many developed nations, hospitals have actually started relying on the information that gets collected from a smart device and (looking at ways) to utilize that for regular monitoring. For example, a pacemaker can send real time data to a doctor who can monitor the dosage that needs to be given to the patient based on the reading that the pacemaker gives. 

With that in mind, the healthcare provider or the industry has a long way to go before it can be in a comfortable zone. From an organizational perspective, it starts with how you safeguard the data that is being stored in the equipment and servers of the organization? Controls will be needed at different layers. You will have the perimeter layer, the application layer, and other layers where you have to put technological controls. 

The next level of concern that would start coming in is the medical equipment. Right now, a lot of those are legacy. There are very few controls which can be implemented on those, but those are connected to IP and to some of the systems by way of integrations and data sharing. Those are the weak spots in the entire lifecycle and which need to be protected. Organizations need to identify controls and implement them in weak spots; on medical equipment specifically.

Pallavi: In light of the recent COVID data breach, concerns have been raised about the adequacy of data security measures in India, despite existing laws. What are your thoughts on this matter?

Lalit: The government came out in its support and said there was no breach. And that is a statement which typically we have to rely on. India is essentially on the global lineup as one of the top five countries in terms of cyberattacks. The digitization happening in India is at a faster rate compared to the technological controls being implemented within the healthcare ecosystem. Laws need to be strengthened further to ensure that the culprits or organizations which are not following the relevant practices are penalized and that they implement relevant controls. From a legal perspective, there is still a long way for the organizations to go. 

In terms of the private industry, for healthcare, the organizations are still working towards controls. But in terms of the government space, they have a long way to go in terms of how personal data is handled, who all have access to that information, and what  technological controls are to be implemented across the organization. The breach at AIIMS was a classic example of what can happen in case the healthcare ecosystem is not handled properly. Although there was no impact on patient care, many of the systems were not available for long, which impacted the efficiency and cost from an organizational perspective.

Pallavi: What are your insights into the potential benefits and risks associated with the use of generative AI in healthcare data?

Lalit: Generative AI is the buzzword in today's world. From a usage perspective, we have seen several scenarios. Google came up with studies where, based on the data it is collecting, AI is able to tell you whether you are susceptible to a heart attack or susceptible to some forms of cancer. From a usage perspective, there are limitless use cases that are applicable. From a gen AI perspective, how many of those would actually be put to use is something that we all will have to wait and watch. 

I am actually a huge fan of the benefits that (gen) AI can bring in terms of how the data is handled, what are the models, and the use cases that you can create? The entire telemedicine medicine industry would actually change if (gen) AI use cases were actually put to better use. The digital care that happens with (gen) AI coming into the picture will go to the next level. Today, for example, many people are going into depression or facing mental stress. Generative AI can play a critical role in identifying those and ensuring that those people get the right support as and when it is needed. 

In terms of risks, yes, it is a technology which comes with its pros and cons. It will have to be protected. People are talking about regulated and ethical AI. There aren‘t any specific regulations at present that have been created and enforced on usage of AI across healthcare or across the industry at large. We will have to wait and see how AI usage and AI development is regulated. 

It certainly poses a lot of risks in terms of data handling, access, models, and where does it stop in terms of decision making (because one of the critical use cases in healthcare for Gen AI is the decision-making)? How much would you rely on AI for automated decision-making? Which is the line of prescription that has to be defined and to be given to a patient? All these would take some time before being actually put to use. But yes, certainly, there is a need for control and ethical AI and regulated AI before it is put to practical use.

Pallavi : Thank you, Lalit, for all those insights and for sparing the time to share all these insights on data privacy regime in the healthcare sector.

Lalit : Thank you, Pallavi, it is a pleasure.

Pallavi : On that note, we come to the end of this episode. If you would like us to explore other such topics on data privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in. Goodbye for now.

Back to podcast