Public health has been compromised by the pandemic. The health of pharmaceutical companies is under threat too, but from a different kind of source. The Indian pharmaceutical company, Lupin, is the latest victim of this ‘contagion’ — cyber attacks. This incident has been reported just a fortnight after Dr Reddy’s Laboratories isolated its data centre services after suffering a similar cyber strike. What is especially worrying is that the attack took place soon after the latter got the nod to conduct trials of Sputnik V, a vaccine for Covid-19 developed by a Russian research institute. During the period from July to September, India has allegedly witnessed 4.25 lakh cloud security breaches and the country, it has been reported, is the sixth most vulnerable nation when it comes to such depredations on pharmaceutical firms. A study by Deloitte has also revealed that the pharmaceutical industry is one of the principal targets of cybercriminals. Even though commercial and medical data are under serious threat, the discourse on data privacy in India is disproportionately tilted towards protecting personal data. The intellectual property of private companies such as research data belonging to pharmaceutical companies are incredibly valuable and, hence, vulnerable. If the integrity of research data is compromised, a medication may lose consumer trust or, worse, be rendered ineffective.
In India, protecting such data remains the onus of the pharmaceutical companies themselves. Although the government introduced the personal data protection bill, 2019, it does not adequately address the vulnerabilities of India’s data economy. Instead, the bill proposes a preventive framework that is inclined towards excessive government intervention. This could lead to a significant increase in compliance costs for businesses and end up in a troubling dilution of privacy rights of companies vis-à-vis the State. This is not the only anomaly. The push towards a digital economy has not been accompanied by a simultaneous emphasis on online security. A legal framework for the future of health data privacy is, hearteningly, in the works. The draft digital information security in healthcare bill is being crafted to protect citizens’ health data as part of an ambitious health data digitization drive. Could the scope of this legislation be widened to include medical data of companies rather than just personal data of patients? What would be even better is to have one comprehensive law that covers all aspects of data. It should be drafted in consultation with the State, commercial firms and individuals — the critical stakeholders in the matter.