Are India’s Draft Data Protection Rules Sufficient To Defend Against Health Data Breaches?


Health data security is a pressing concern across the world, especially in India. In June 2023, data from India’s COVID-19 vaccination portal Co-WIN was leaked through a Telegram bot. This bot allowed people to enter someone’s phone number and receive details like the person’s Aadhaar number, vaccination status, gender, and date of birth. Besides vaccination details, the bot also revealed other private information such as voter IDs, passport numbers, and family members’ details. 

Data leakage/breach concerns exist not only with public health services but also with private ones in the country. In September 2024, India’s largest health insurance provider Star Health suffered a data breach that led to the leakage of the personal data of 31 million Indians on Telegram. This included information such as policy and claims, documents featuring names, phone numbers, addresses, tax details, copies of ID cards, test results, and medical diagnoses. 

Yet, when the Indian government released the draft Digital Personal Data Protection Rules (DPDP Rules, 2025) on January 3 this year, there was no mention of any special protections for health data. While India doesn’t appear to be treating health data differently, other jurisdictions are strengthening protections around it. In January this year, the US Department of Health and Human Services released a proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This proposed rule requires health plans, healthcare clearinghouses, most healthcare providers, and their business associates to better protect people’s data from external and internal cybersecurity threats.

Here is a comparative analysis of this proposed rule against India’s draft measures for tackling data breaches/cybersecurity attacks under the DPDP Rules. 

What falls under the category of health data?

Even before the proposed security rule, HIPAA already had a definition of protected health information (PHI) in place. This is information that relates to an individual’s past, present, or future physical or mental health or condition, the healthcare the individual obtained, and the past, present, or future payment for the provision of healthcare to the individual. It includes information that identifies a person or for which there is “a reasonable basis to believe it can be used to identify the individual”. Identifiers here include name, address, and birth date.

While India’s Digital Personal Data Protection Act (DPDP Act, 2023) and the subsequent rules don’t mention health data as a separate category, when the act was still a bill back in 2019, it had a provision for sensitive personal data. This covered a range of categories, including biometric data, DNA, sexual preferences and practices, and medical history.

How to protect health data from data breaches:

Authenticating those accessing the data:

The proposed HIPAA security rule suggests that healthcare providers must put in place multi-factor authentication to identify and authenticate users seeking to access PHI. They must implement and verify at least two of the following three categories of information about a user:

  • Information that a user knows: This can include a password or a personal identification number (PIN).
  • Information that the user possesses: Including but not limited to a token or a smart identification card.
  • Personal characteristics of the user: This includes but is not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

Authentication that relies on multiple instances of the same factor, such as requiring a password and PIN, is not MFA because both factors are “something you know.” Cybercriminals trying to access the PHI would need to use significantly more resources to launch an attack if they have to go through multi-factor authentication. 
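The "two distinct categories" test described above, written out as an added example (not part of the original article or the proposed rule's text). The authenticator-to-category mapping is a constructed assumption; the check rejects a password-plus-PIN policy because both fall under "something you know".

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the proposed HIPAA Security Rule."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smart card
    INHERENCE = "something you are"     # fingerprint, face, typing cadence


# Constructed mapping of common authenticator types to their factor category
# (an assumption for this example, not a list from the rule).
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "typing_cadence": Factor.INHERENCE,
}


def evaluate_mfa(authenticators):
    """Return (is_mfa, categories, reason) for a list of required authenticators.

    A policy counts as MFA only when the authenticators span at least two
    distinct categories; several authenticators of one category do not count.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    if not authenticators:
        return False, set(), "no authenticator required"
    categories = {AUTHENTICATOR_CATEGORY[a] for a in authenticators}
    if len(categories) >= 2:
        return True, categories, f"spans {len(categories)} factor categories"
    only = next(iter(categories))
    if len(authenticators) >= 2:
        # The failure mode the rule calls out: multiple instances of one factor.
        return False, categories, (
            f"{len(authenticators)} authenticators but all are '{only.value}'")
    return False, categories, f"single authenticator ('{only.value}')"


if __name__ == "__main__":
    for policy in (["password", "pin"], ["password", "hardware_token"]):
        print(policy, "->", evaluate_mfa(policy))
```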

Unlike the proposed security rule, the draft DPDP Rules, 2025 only require companies to enforce appropriate access controls on their computers. Companies must also have visibility into who is accessing personal data, through appropriate logs, monitoring, and review. This is meant to let them detect anyone who accesses personal data without authorisation and prevent such a situation from recurring. There is no clear mention of multi-factor authentication, or indeed of any specific authentication technique, that healthcare providers have to implement to ensure that only a limited set of individuals can access this data. Instead, the focus is on ensuring that data is secured through encryption, obfuscation or masking, or the use of virtual tokens mapped to the personal data.

Mapping out the flow of health data:

Under the proposed rule, the US Department of Health and Human Services adds a definition of technology assets, meaning the components of an electronic information system, including but not limited to hardware, software, electronic media, information, and data. It requires healthcare providers to create a network map of their electronic information systems and all the technology assets that may affect the confidentiality, integrity, or availability of PHI. This network map records where the technology assets are physically located. The rule gives the example of a healthcare provider finding out that its business associate (located offshore) creates, maintains, or transmits PHI. In such a case, the provider also has to include the technology assets that the business associate uses to create, maintain, or transmit PHI in its network map.

Besides this, under the current HIPAA security rule, regulated entities have to obtain written satisfactory assurances that their business associates will appropriately safeguard PHI before allowing them to create, receive, maintain, or transmit PHI on their behalf. The proposed rule adds to this by stating that companies must obtain written verification from their business associates, once every twelve months, that they have implemented the technical standards required under the security rule. Similarly, the draft DPDP Rules say that companies must include a requirement in their contracts with data processors (entities who process data on a company’s behalf) that the processors will implement ‘reasonable security standards’ during their processing activities. Here again, the rules do not clearly define what those security standards are.

The need for codifying data processors:

Speaking to MediaNama soon after the DPDP Rules came out, Bagmishika Puhan, Managing Partner at Puhan and Puhan LLP, made a similar point, arguing that the government needs to codify the requirements for data processors as well. Puhan pointed out that while the government requires companies to inform the Data Protection Board, it should also consider adding a breach notification obligation on data processors to ensure that they immediately tell the companies they are working with about a breach.

The need for risk analysis:

The proposed security rule requires healthcare providers and other regulated entities to identify all reasonable threats or hazards to the security or integrity of PHI. They must also identify all predisposing conditions in their electronic information systems that create, receive, maintain, or transmit PHI. Further, healthcare providers must assess the risk level for each identified threat and vulnerability. Unlike the proposed security rule, the DPDP Rules do not have any risk analysis requirements.

What about significant data fiduciaries? 

The DPDP Rules set up higher regulatory thresholds for significant data fiduciaries. While there is no clear list of which companies are significant data fiduciaries, the government will decide which falls within this category based on the amount and sensitivity of personal data they handle, potential risks to individuals’ rights, impacts on India’s sovereignty and security, risks to electoral democracy, security of the State and concerns about public order. 

These companies will have to control their data flows to other countries based on recommendations by a government-formulated committee. They must also carefully verify that any algorithmic software that they use for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data does not harm the rights of individuals. Companies within this segment must conduct a data protection impact assessment (DPIA) and an audit every year to ensure compliance with the act and the rules. 

Even the additional protections here fall short of adequately dealing with the health data question. They have localisation requirements but not any additional requirements for protecting data from breaches or security risks. 

Are the requirements under India’s data protection rules sufficient?

In contrast with the proposed HIPAA security rule, India’s DPDP Rules appear to fall short on protections against data breaches and cybersecurity incidents. Speaking to MediaNama, Shivangi Rai, the Deputy Coordinator of C-HELP, brought attention to the vagueness of the “appropriate technological and organizational measures” and “appropriate security measures” that the rules ask companies to adopt. Instead, she believes that the rules should have mandated that data fiduciaries and significant data fiduciaries not just implement security measures but demonstrate that they carry out data processing in conformity with security standards and the law.

“The rules should have made it mandatory to periodically review and update the measures,” Rai explained, adding that there is a need for measurable benchmarks to judge the “appropriateness” of the measures. Further, she mentioned that the requirements for audits and DPIA should not be limited to significant data fiduciaries. 

Besides the rules, there is data security associated with the overarching Act as well. Based on the volume and nature of personal data processed, the central government can notify certain data fiduciaries or classes of data fiduciaries (including startups) which it will exempt from certain requirements, such as erasing the personal data of an individual after they withdraw consent for its processing unless required to retain said data under law. “The fact that startups may be exempted from adopting any data protection and security measures under the Act is also problematic,” Rai said.

Should there be sector-specific requirements for breach reporting?

While it is evident that health data is sensitive and needs additional protections, that does not necessarily mean that companies should have different requirements when reporting data breaches pertaining to health data. Speaking at CCAOI’s online event about the DPDP Rules, lawyer GV Anand Bhushan, founder of Bhushan Rajaram Advocates and Consultants, responded that he is wary of sectoral differentiation in data breach reporting/notification. “Because it’s all very blurry, what is a tech company, what is a fintech company, what is a medtech company; the lines are blurring very fast,” Bhushan said.

The rules require companies to inform both the people affected and the Data Protection Board without delay. Further, within 72 hours of a breach, companies must also inform the board about the measures they are taking to mitigate the risks posed by the breach. Bhushan called these reporting obligations onerous, adding that the adequacy of these requirements (both for health data breaches and otherwise) depends on enforcement, including how quickly the board will be set up. “A difference of industry [when considering the reporting requirements] will truly set the cat among the pigeons. I would be more comfortable with the materiality of the breach and the threshold of the breach being the driving forces as far as the notification requirements are concerned,” he said.

The post Are India’s draft data protection rules sufficient to defend against health data breaches? appeared first on MEDIANAMA.