Questions abound but ICMR still silent on the data leak?

What is holding back ICMR from sharing clarity on what it is doing to at least validate the authenticity?


It is being described as the biggest data breach in India’s history, and the whole of Tuesday, October 31st, saw headlines splashed across news channels and more than enough verbiage online on the Indian Council of Medical Research (ICMR) data leak. Yet the leading Indian research institution has thus far maintained a studied silence.

Firstly, data breaches do happen. As one cyber-security expert, who did not wish to be named, puts it, where there is data there is always the danger of leakage, and it so happens that the ICMR is the latest victim. But the alleged numbers involved – 81.5 crore people affected – make it hard to ignore.

Conversations with healthcare experts and cyber-security gurus do suggest that questions abound:

First, whatever reports are pouring in, what is holding back ICMR from sharing clarity on what it is doing to at least validate the authenticity of it all? Is this true, or just a hoax that needs to be dismissed as false claims by a hacker? What capabilities are already in place to detect data leaks? Was the data entrusted to appropriately qualified cybersecurity agencies, government or private? If there was indeed a data breach, where was the epicentre of the leak? Some argue that since it was detected only when it was up for sale on the dark web, it raises questions about both prevention and detection. Others argue that 100 per cent prevention could have its own challenges. But then, what detection controls are in place is certainly a question worth seeking an answer to. After all, even small entities talk of VAPT (Vulnerability Assessment and Penetration Testing) for security testing. Also, why did it have to take a foreign agency to discover a data breach when the country has powerful establishments that could be relied on to check and detect?

Also, cyber-security experts point out that data is typically lost in small chunks and not in such magnitude in one shot, so was this going on for a long time? If so, for how long? When did it all begin? What about the accountability architecture, especially in relation to government entities? Since the agency that stores the data is typically the one that needs to answer, what about entities like the pathological laboratories and others that feed the data, and what about addressing their concerns about the future? What are the next steps that the ICMR is contemplating? These and more questions may need some answers if the faith in digital health initiatives is to remain strong.

This article was first uploaded on October 31, 2023, at 9:51 PM.