In March 2018, the first of its kind Digital Information Security in Healthcare Act (DISHA) was proposed by the Ministry of Health and Family Welfare in India to provide oversight for data security in the health sector.1 According to this law, patients would have the right to refuse or allow the collection and sharing of their personal health data. Under this Act, hospitals cannot deny treatment to patients who refuse to share their health data. It is important to understand the context for this ground-breaking legislation.
With the increase in smartphone users in India, the use of mobile applications has also grown. To measure daily activity, a simple weight loss app would require user data like height, weight, Body Mass Index (BMI), daily meals, medicines, allergies, previous health issues, family history of diseases and location tracking.
App developers often let third-party service providers use this data without the users’ knowledge. This data is collected, stored and shared seamlessly and may be stored indefinitely even when the user has deleted the app or the data on his or her end. This creates a growing vulnerability, as a 2017 Breach Level Index study by the digital security firm Gemalto reported that data theft has increased by a whopping 783% in India.2 Of this, 58% of data breaches were identity theft. Access to government data was the second most common type of breach.
The Rise of Healthcare Apps
By 2020, the Indian healthcare industry is estimated to grow up to over $280 billion.3 India’s smartphone penetration reached 28.5% of its total population by May 2018, up from 12.8% in 2013. The world’s second most populous country now ranks second in the ‘Top 50 Countries/Markets by Smartphone Users and Penetration’.4
App developers often let third-party service providers use this data without the users’ knowledge. This data is collected, stored and shared seamlessly and may be stored indefinitely even when the user has deleted the app or the data on his or her end.
As more people start using smartphones, there is an increased use of health apps and sharing of medical data online. Currently, the top free medical app on the Android Play Store is PharmEasy with over one million downloads. The app provides services like home delivery of healthcare products, diagnostic tests, and health-related articles, local deals and sales alerts for more user engagement. Another Delhi-based app for doctors from over 10 countries, Buzz4health – Clinical Cases, has over 100,000 downloads.
Health apps have been a boon to Indians as they provide services like delivering medicines to the doorstep, connecting patients to hospitals and specialists and checking symptoms online to identify potential non-communicable diseases. Users share their personal and medical data on health apps. From ailments, meals to a location on fitness tracking apps, everything is shared for a better assessment.
After the Cambridge Analytica fiasco, India woke up to the tremendous need for stringent data protection laws. Commentators have proposed steps such as “purpose limitation” wherein apps can only collect data that is necessary and relevant.5
With technology playing a huge role in the spread of health apps, it becomes imperative to talk about data privacy. These personal health records can be misused by profit-motivated businesses. The problem in using this technology interface is two-fold. Firstly, the information provided in the health apps can be wrong or misleading, and secondly, the storage, usage and sharing of users’ data are problematic.6
After the Cambridge Analytica fiasco, India woke up to the tremendous need for stringent data protection laws. Commentators have proposed steps such as “purpose limitation” wherein apps can only collect data that is necessary and relevant
Due to the complexity of the privacy policies, users allow their data to be shared without completely understanding the permissions they grant for their data use. Thus, many health apps reuse the users’ data, carelessly or illegally, for business transactions without the users’ knowledge.
Data (Mis)use
In August 2017, the Supreme Court of India ruled the Right to Privacy as a fundamental right.7 This came in light of the data breach by Aadhaar card, a system whereby every Indian citizen gets a unique 12-digit number for identification through biometric data. The Aadhaar poses a huge threat of identity theft unless the government tightens its security.
The digitisation of government operations has been done at the expense of Indian citizens’ privacy. This is as true for the healthcare sector as it is for Aadhaar. There have been instances when the medical data – some deeply personal and incriminating – have been shared in the public and private domains by the health apps. A European study, conducted on popular health applications on Android, found that 50% of the apps shared data such as text, multimedia content or X-ray images with third parties.8
Blizzard transactions – multiple transactions or high-frequency sharing of users’ data by service providers and third-parties without their awareness — enable the marketer to manipulate users by predicting their behaviour. In 2012, for example, a father in Minneapolis in the United States learnt about the pregnancy of his teenage daughter after the supermarket chain, Target started sending her customised coupons on baby products. Target had figured out that she was pregnant from data they had on her consumer behaviour.9
Imagine such an incident happening with users having AIDS and depression; diseases which are stigmatised in Indian society. Data dissemination without consent can result in employment termination of workers suffering from medical conditions, unfair treatment of children at schools and bullying among peers. Privacy policies are especially significant for mental health patients, who may not be able to make sound judgments about how much to share online.
Making the fine print on privacy more legible
The research I recently published, along with Adam Powell and John Torous, examined the readability of the privacy policies of healthcare apps. We found them to be “lengthy” and “linguistically complex”.10 This has important implications. First, lengthy privacy policies are quite difficult to read on a desktop, let alone a phone. Second, only a college graduate would be able to comprehend these privacy policies. Only 6% of Indian citizens have a college education, according to the 2011 census. In order to ensure that the majority of India’s citizens are able to wilfully consent to privacy policies when using apps, the latter must be simplified.
Data dissemination without consent can result in employment termination of workers suffering from medical conditions, unfair treatment of children at schools and bullying among peers.
We argue that if government agencies like the Indian Air Force and the High Court of Bombay can provide accessible websites that impart information in simple language, so can healthcare apps. Complex concepts can be explained graphically to make them more accessible to people with limited reading comprehension. For instance, Creative Commons has created a standardised set of graphs and logos on abstract concepts such as, de-identification and anonymisation that can assist the users in making informed decisions.11
In addition, standardisation of policies would enable users to avoid the hassle of re-reading a long document each time they agree to use software by providing consistency across licenses as offered by the General Public License (GNU).12 Finally, outreach efforts to help educate and explain the risk and benefits of digital technologies like apps may be necessary to ensure that individuals are equipped to make informed decisions regarding use. Online resources for digital technology ethics and privacy also exist such as the freedom to access and use Connected and Open Research Ethics Initiative.13
Patient-provider confidentiality agreements should become the standard for the healthcare app sector. This can be done by providing clearer privacy policies that agree to protect any sensitive data. Strict action must be taken against those businesses that flout the rules.
In this context, the United States, China, and the European Union have taken some drastic steps by introducing data protection laws. The US 1996 Health Insurance Portability and Accountability Act and the Chinese Cybersecurity Law focus primarily on data sharing and usage, the recently launched European Union’s General Data Protection Regulation (GDPR) has introduced additional features on personal rights. Under GDPR, patients can exercise the “right to erasure” where providers have to honour a patient’s request to erase their personal data permanently.14
Way Forward
Catching up with the other countries, India is geared up to launch its data protection law– DISHA. However, data protection laws rarely make it a mandate for service providers or in this case app developers to outline consent in clear, lucid language.
Patient-provider confidentiality agreements should become the standard for the healthcare app sector. This can be done by providing clearer privacy policies that agree to protect any sensitive data. Strict action must be taken against those businesses that flout the rules.
The increasing trend of smartphone users should alert the authorities of the potential threat of data breaches in the healthcare sector. Users share their health data in the apps, which do not have clear privacy policies to protect this data from third-party service providers. Most often the language of privacy policies is incomprehensible and can only be understood by the health literate. This leaves the other 94% of smartphone users, who don’t have a college education and the mentally ill patients quite vulnerable. Regulators should step in and implement clear rules for privacy policies, and regulate the information shared by health apps.