Through half a century of being involved in medicine, I have been intimately familiar with the importance of documenting reliable, clean data. Some years ago, however, with the advent of digital health, I became as much an advocate of data protection as of data generation.
Once digital health entered the picture, the world changed. Personal details, medical histories and test results are now stored in digital records and online healthcare systems. Leakage of this information could lead to identity theft, discrimination and emotional distress for patients. It is now the primary responsibility of healthcare providers and organisations to keep patient information safe and private, ensuring that health details are not misused and do not fall into the wrong hands.

Data breaches
Data breaches (accessing private digital information without permission) are now a reality. Over 314 million medical records were breached globally between 2009 and 2021. In India alone, there were 1.9 million cyberattacks in 2022, including a major ransomware attack on AIIMS, Delhi. Over a quarter of all major reported breaches worldwide are in the healthcare domain. This has led to stringent rules and secure systems in several countries.
In India, data protection is still at a nascent stage. Reports are still sent on WhatsApp and on email. Clinics store years of records on free cloud drives. Data protection in healthcare is a multi-faceted challenge that requires continuous adaptation to regulatory changes, technological advances, and new cybersecurity threats, and India must prepare for this.

Protection methodologies
Patients discuss personal and sensitive information. Protecting this information ensures trust and confidence in the care provided. Failure to comply may lead to penalties and legal consequences.
A combination of policies, technologies and staff training must be used to safeguard data. First, explicit permission must be obtained before collecting, storing or sharing data. Patients must be informed how their data will be used. Records must be complete, accurate and updated. Strong passwords, encryption of digital records, access control, locking of physical files, logging out of systems, and never leaving patient data unattended or visible to unauthorised persons are some rules that should be strictly followed. Breaches involving loss of patient data, or access by unauthorised individuals, must be reported immediately. Other necessary measures include frequent audits to ensure that systems are working properly, and real-time responses to data breaches, including informing the affected individuals.
Clinicians may face significant liabilities for improper disclosure of Protected Health Information (PHI), including legal, professional and financial consequences. Public loss of trust can affect clinicians’ credibility, career prospects, and relationships with patients and healthcare institutions, leading to reputational damage.

Know your rights
Patients must be informed and aware of what data is collected about them and how to access and correct their health records, and must be told if their data is leaked in a breach. Patients should also share information only with trusted healthcare providers; ask questions if unsure about how their information will be used or stored; access and obtain copies of their health records and digital health data; give or withdraw consent for the processing of health information; request correction or updating of inaccurate or incomplete data; file complaints or seek redressal for privacy violations or breaches; and choose strong passwords for their health portals. These rights can be asserted through the Ayushman Bharat Digital Health Mission’s Personal Health Records portal or app.

The Indian scenario
This year, in November, the rules under the Digital Personal Data Protection Act, 2023 were notified. Unlike the law in the U.S., the DPDP Act is not an exclusive healthcare legislation. Compliance with the DPDP Act, the IT Act (SPDI Rules) and the Clinical Establishments Act is mandatory for all healthcare providers.
The DPDP Rules 2025 place several restrictions on cross-border transfers of personal data. Penalties go up to ₹250 crore per breach if transfers occur without lawful grounds. The rules also restrict transfers to blacklisted countries. The Act is set to reshape how Indian healthcare participates in global trials and innovation, and with India’s system still evolving, sector-specific compliance requirements are not predictable.
Emerging challenges
While technology makes healthcare more efficient, it also brings new risks. Hackers target hospitals, medical apps and even wearables. The challenges include: providing clear guidance on exemptions, especially in emergencies, to avoid litigation; addressing low privacy awareness among patients; integrating new compliance requirements with existing, outdated healthcare IT infrastructure; addressing security vulnerabilities in interconnected systems and telemedicine platforms; minimising human error, such as inadvertent exposure of sensitive data through phishing, weak passwords or improper protocols; and resolving regulatory disparities caused by differing regional standards, especially in cross-border healthcare services.
Serving real needs
The doctor-patient relationship has, for centuries, been a one-to-one confidential interaction based on trust. While the new law comes with stringent regulations and high penalties, it perhaps does not take into account every need of the healthcare sector. For one, in modern healthcare the stakeholders in the ecosystem grossly outnumber the individuals who were the principal players decades ago – there are hospitals, clinics, diagnostic centres, entities managing the aggregation of data, health insurers, IT service providers, public health authorities and more. The definition of digital health privacy, therefore, may well need to be rewritten to take this into account.
For another, pilot projects and group therapy show that patients want to exchange notes with each other and take comfort from doing so. The right to privacy may have to take this factor into account too. There is no doubt, however, that while trust is still an inherent part of the professional lives of doctors, the right to privacy, in an age where all information is online, needs to be safeguarded more than ever.
If the DPDP Act is following the adage of “you have to be cruel to be kind” with regard to sensitive, healthcare-related information, then all stakeholders must perhaps keep in mind another adage: “it is better to be safe than sorry.”
(Dr. K. Ganapathy is a distinguished professor at The Tamil Nadu Dr. MGR Medical University and past president of the Neurological Society of India and the Telemedicine Society of India. drkganapathy@gmail.com)
Published – December 29, 2025 10:53 am IST