The WannaCry ransomware attack on computer systems in 150 countries in 2017 put the lives of patients at risk after ambulances were diverted and surgeries canceled. Britain's National Health Service was among the health systems affected by the attack.
Since then, there have been many cybersecurity attacks in the US leading to ambulance diversions.
The frequency of cyber attacks on US hospitals and health systems more than doubled from 2016 to 2021. The health industry was the third largest target for cyber attacks in 2023, after education and government.
Cyber attacks in Indian health care are second highest in the world.
One of the largest data hacks in Indian history in 2023 shone a spotlight on the security of personal health information, especially as the sector becomes increasingly digitized.
Security and privacy concerns lie at the crux of information systems research.
As more healthcare providers rely on the internet, cyber threats such as data theft become more of a risk.
Online patient portals which enable individuals to view medical test results, download data, engage with medical professionals and schedule visits are prone to cyber attacks.
Privacy risks are obvious, but these breaches also have a strong financial impact on healthcare enterprises and lead to a loss of customer trust.
Even if the notion of absolute privacy is unattainable, healthcare providers should define where an individual's privacy may be compromised to maintain credibility and attract future patients.
While secondary information use is both widespread and legal, it can be considered an invasion of privacy when it occurs without the knowledge or consent of the consumer.
An important concern is whether consumers have a choice to allow their medical information to be digitized or if they may change their attitudes toward opting in for Electronic Health Records (EHRs) maintenance by hospitals.
Nations around the world have been grappling with this issue.
The EU shared a proposal in data governance to adopt a wider definition of data sharing in 2021 after receiving 449 contributions from 32 countries.
The US HIPAA Privacy Rule gives individuals rights for their protected health information, provides coordinated care and enables patients' access to test reports but does not deal with the patient's right to foresee the secondary use of their shared information per se.
The UK's health information laws grant protection against improper access, disclosure or loss of patient personal health information along with legitimate reason to view the same.
German digital health laws and regulations proclaim doctor-patient confidentiality, and the informed and explicit consent of patients to transfer data legally. French laws elaborate specifically on healthcare IT and prohibit the sale of identifiable patient health data.
India's healthcare data privacy laws need to keep up with these global policy proceedings to strengthen its data breach legislation and bestow security in health access to the population.
The Digital Personal Data Protection Act has not been notified yet, after being passed in Parliament in August 2023. It does not delve into data breaches involving cyber terrorism, third party leakage, or individual and organizational loss of credibility.
Outsourcing security protection to a managed security service provider (MSSP) can give rise to system interdependence risks, making information security systems vulnerable to cyber attacks.
Privacy in the digital domain is an important agenda for policy makers. The extent of data theft, data sharing and accessibility has significant bearing on cyber policies. The development of automated detection systems using a design science approach for combating fake websites can enhance online security.
As consumers become more concerned about their privacy, it will be imperative for healthcare firms to adopt privacy protection and security policies to protect against cyber threats.
For India, with over one billion people with access to the internet, individual home computer users represent a significant point of weakness in achieving secure cyber infrastructure.
To secure individuals' personal data, security policies should provide a broader description of electronic presence, identifiability, awareness of logging and awareness of audit, which would substantially reduce intentions to commit access policy violations.
With a lack of regulation by government, the onus falls to the individual to ensure their devices are safe from hackers.
If individuals need to make choices online for their healthcare needs, then security policies need to consider user personalization preferences to provide them with customized security solutions, and this should find a clear mention in the security policies of public and private healthcare enterprises.
If the security policies incorporate a common set of values covering anonymity, secrecy, confidentiality and control, then the possibility of cyber threat can be controlled and managed to a large extent.
The ultimate responsibility lies with the State to enhance cybersecurity readiness. A robust data security framework built upon privacy preferences, information disclosure norms, systems privacy settings, institutional data governance policies and stakeholders' credibility index score could prove helpful in restoring the trust deficit in digitized healthcare systems.
(The author is Associate Professor of Public Policy at Manav Rachna International Institute of Research and Studies. She has been a Post-doctoral Research Fellow in Information Science at Indian School of Business (ISB). This article was originally published under Creative Commons by 360info.)