The Union Cabinet’s recent approval of the Digital Personal Data Protection Bill is a step in the right direction, provided concerns about personal privacy rights are properly addressed and healthcare organisations plan proactively to protect their data
The alleged attack and data breach on the CoWIN platform has underlined yet again the vulnerability of health data and the need to protect citizens’ privacy. The CoWIN platform has COVID vaccination details and as such is a rich repository of health data and contact information of all Indian citizens who needed to register on the platform in order to get their COVID vaccines.
This is thus a gold mine of information and it is but natural that there have been quite a few reports of data breaches in the past as well, most recently at AIIMS, and ICMR. This time, Twitter posts claimed that by using a Telegram BOT, one could access the personal data of vaccinated citizens by simply passing the mobile number or Aadhaar number of a beneficiary.
On June 12, the Union Health Ministry clarified that all such reports were ”without any basis and mischievous in nature.” Can we as citizens, trust the Ministry’s reassurance that the Co-WIN portal is “completely safe with adequate safeguards for data privacy”? Even though the release listed out security measures that are in place on Co-WIN portal, from Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc, it is scary to think that our identity details can be so easily accessed. Only OTP authentication-based access of data is provided and as per the Health Ministry statement, all steps have been taken and are being taken to ensure security of the data in the CoWIN portal.
While the development team of Co-WIN confirmed that there are no public APIs where data can be pulled without an OTP, what is worrying it the admission that some APIs have been shared with third parties such as ICMR for sharing data. It is also reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. As per the health ministry release, this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.
While the Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report, CERT-In’s initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.
There are reports that past data breaches were of individual health workers and the data compromised was restricted to these health workers, with the backend remaining safe. One hopes that unlike in the past, when the health ministry did not reveal the conclusions of previous investigations into health data breaches, there is more transparency now.
Commenting on the CoWIN platform cyber attack, Pavan Choudary, Chairman, Medical Technology Association of India (MTaI) reasoned that health data is the most monetisable data for hackers. According to him, the details which have been stolen (as per media reports), are not the ones that can be used to extort or coerce. Data regarding sexual and terminal diseases is what is used usually for coercive exploitation. However, he cautions that if this breach is real, it is an alarm bell which may augur the possibility of identity thefts and emphasises that the government needs to ringfence all the data reservoirs. He concludes that the recent attacks on AIIMS, ICMR, and now the Co-WIN app, make the passage of the Data Protection Bill becomes ever more urgent.
The Union Cabinet’s recent approval of the Digital Personal Data Protection Bill is thus a step in the right direction, provided concerns about personal privacy rights are properly addressed.
But will a Bill really protect our health data? The healthcare sector has been a laggard when it comes to going digital and even more lackadaisical at securitising its data. And today, the sector is paying for this oversight. Unfortunately, the real losers are citizens/patients.
The 2022 Threat Landscape Report by Tenable revealed that India’s healthcare sector was the second most targeted by cybercriminals, indicative of innovation outpacing cybersecurity in the industry. In addition, Cert-In in its latest study found that healthcare is among the fifth most-targeted industries by ransomware actors.
More evidence comes from the Verizon 2023 Data Breach Investigations Report (DBIR). As per the DBIR 2023, System Intrusion, Basic Web Application Attacks and Miscellaneous Errors represent 68 per cent of breaches in the healthcare vertical. While external threat actors account for 66 per cent of breaches, the report flags the rather high percentage of internal threat actors (35 per cent), which must give CIOs/CDIOs in the healthcare sector sleepless nights. The report warns that the insider threat in this industry cannot be discounted, as ‘this is also a sector in which we see evidence of collusion, multiple actors working together to make their breach dreams a reality.’
Thus proactively protecting our health data, be it on public portals like the CoWIN platform, or our health records with healthcare organisations like hospitals and diagnostics companies, should be top priority for all.