Threat actors chasing India’s health data could be one of the spoilers of the promising healthcare investment trend panning out
Protection of health data in India remains a weak link. In what could possibly be the country’s largest health data breach so far, health data of over 81.5 crore Indian citizens, extracted from COVID-19 test details with the Indian Council of Medical Research (ICMR), were offered for sale on the dark web. The previous month, the official website of the Ministry of AYUSH in Jharkhand had reportedly been breached, exposing over 3.2 lakh patient records on the dark web. While the cyber attacks on ICMR, CoWIN, and AIIMS made news, there could be many more health data breaches that have not been disclosed to the public, or worse, remain undetected by the breached entities.
The private sector too has not been spared. The latest healthcare company to be targeted by threat actors seems to be Redcliffe Labs, though Prabhat Pankaj, CTO, Redcliffe has refuted news around customer data breaches at Redcliffe Labs. He went on to list the measures taken by the company to secure its IT infrastructure, reiterating its dedication to cybersecurity, and emphasised that it would continue to invest in cutting-edge technology to protect customer information.
Industry leaders say that they are taking data breaches very seriously. Commenting on the ICMR data breach, Pavan Choudary, Chairman of the Medical Technology Association of India (MTaI), cautioned that the recent breach of ICMR’s database could trigger identity thefts leading to coercions, extortions, fraud, and doxing.
These massive data breaches only underline the importance of the Digital Personal Data Protection Act, 2023 introduced in August. The Act seems perfect on paper, seeking to protect individuals’ fundamental rights and freedoms, particularly their right to the protection of their personal data. The Act also obligates the data fiduciaries to keep data secure.
However, there is always a gap between intention and implementation. As Choudary points out, “such well-intended legislation needs to be supported with adequate enforcement mechanisms, ring-fencing of all data reservoirs, regular audits, and regular education and awareness programmes.”
What’s worrying is that 66 per cent of India’s healthcare professionals were not confident that their technology infrastructure is sufficient to prevent cyber threats, according to an early 2023 survey of healthcare professionals, conducted by Grant Thornton Bharat and Association of Healthcare Providers (India).
Only 40 per cent felt that their technology infrastructure can ensure patient data privacy. Probably prodded by the increasing number of cyber attacks, a sizable number (84 per cent) of respondents plan to significantly enhance their budget for digital solutions and technology initiatives. Hopefully, these investments in cyber security are implemented with the urgency and utmost care required.
Weak health data security increases mistrust of the healthcare ecosystem and poor implementation could be one of the spoilers of the promising healthcare investment trend panning out. This is why the entry of some of the world’s largest PE players into India’s healthcare services market could bring in more effective investments in cyber security, among other infrastructure. However, the razor-sharp focus on profits, with the endgame being profitable exits, raises another concern: while access to high-end care will increase, will more patients be able to afford such care?
Global PE fund Blackstone’s first big splash investment in India’s healthcare services sector continues the PE/VC-driven consolidation wave in India’s healthcare service sector. Blackstone’s acquisition of the CARE Hospitals network, further bolstered by the latter acquiring majority stakes in KIMSHEALTH, creates one of the largest healthcare platforms in the country, with more than 4000 beds, across 23 facilities in 11 cities. That most of these are in under-penetrated, emerging cities signals the intent to focus on new markets.
Many owners of smaller hospitals, still reeling from the impact of COVID-19 on their revenue, are reportedly looking for an exit. In other cases, founders may be searching for strategic investment partners, to expand their geographic footprint and secure their legacy on a global scale.
Are global investors, like PE firms, the knights in shining armour? Only time will tell.
According to the Grant Thornton Bharat Pharma and Healthcare Dealtracker Report for Q3 2023, single specialty facilities emerged as a focus segment with increased investor interest in the healthcare sector. Even though there was a decline in M&A values, and deal volumes in healthcare may remain subdued, Bhanu Prakash Kalmath from Grant Thornton Bharat alludes to expectations of sustained momentum, as the sector’s growth drivers, such as increasing demand for healthcare services, growing adoption of new technology, digital health and sustained government support, are expected to remain in place.
Highlighting the focus on single speciality hospitals, the report lists PE fund BPEA EQT’s investment of USD 657 million in Indira IVF, Quadria Capital’s infusion of USD 159 million in Maxivision Super Specialty Eye Hospital, Asian Healthcare investing USD 73 million in Asian Institute of Nephrology and Urology, and TPG Growth and Temasek investing in Dr. Agrawal’s Healthcare, valued at USD 80 million.
Similarly, Manipal Health acquiring a majority stake in AMRI Hospitals and India Resurgence Fund investing in Ivy Health & Life Sciences are examples of continuing consolidation, with bigger national players expanding into regional healthcare markets.
Blackstone Private Equity MD Ganesh Mani’s assurance that they are “committed to being a long-term investor and business builder” and his plan to bring in “global scale and operating expertise” spell out the roadmap ahead for most PE platforms investing in India’s healthcare services sector. As he indicated, the platform will grow both organically and through acquisitions. Thus, it is highly likely that we will hear of more regional hospital networks joining one of the main global investor-driven healthcare platforms jostling for market share in India’s healthcare services sector.
But for this consolidation wave to be beneficial for patients in the healthcare ecosystem, we need to address the various trust deficits. This is why legislation like The Digital Personal Data Protection Act, 2023 is important. The Act might assure patients that their digital personal data, including digitised health data, is protected and private. Data breaches of health data from public databases need to be thoroughly investigated, in a transparent manner, with a view to identifying and fixing the weak links and, most importantly, preventing future data breaches. It is time we realise that ‘data is the new oil’ is more than just a pithy one-liner.
VIVEKA ROYCHOWDHURY Editor