Asia is rapidly digitalising – is its cybersecurity up to scratch?
- As people, businesses and services in Asia increasingly operate online, regulatory frameworks to safeguard private data are proving inadequate
- Discrepancies in levels of protection across the region also highlight the need for a more unified approach
Just as 2022 bowed out, India’s capital experienced a major disruption to its healthcare services that had nothing to do with Covid-19.
On November 23, the All India Institute of Medical Sciences (AIIMS), India’s leading public health institute in New Delhi, was the victim of a cyberattack that left services in shambles. According to a media statement issued by AIIMS, the institute’s “e-Hospital” application run by the National Informatics Centre, a department of the Indian government, crashed.
Backup servers were affected as well. In addition to affecting outpatient and inpatient services at the hospital, other digital services were disrupted too, such as billing, report generation, appointments and lab analysis.
As of December 3, servers remained down for the 11th consecutive day, leading to serpentine queues and much confusion before online services were finally restored. A data breach of this nature is a nightmare, experts say, because it exposes the sensitive medical data of at least 30-40 million patients, roughly the population of Canada.
AIIMS Delhi also holds the medical data of senior bureaucrats in the Indian government. In an unrelated incident on November 30, the website of the Indian Council of Medical Research (ICMR), the country’s premium government-led biomedical research institute, allegedly came under attack as well – with 6,000 hacking attempts made in a single day.
These aren’t isolated incidents. The Indian healthcare industry has allegedly been the target of over 1.8 million cyberattacks (many of these failed attempts) in 2022 alone, as per data published by the think tank Cyber Peace Foundation.
And yet we have no clear answers to key questions, such as how this data is stored by the various organisations, government or otherwise, that claim our data. We don’t know who exactly has access to it, how it is backed up to protect against disasters, or how such a security system would function in the first place. And yet, the attacks keep growing.
Nearly 80 per cent of companies in the Philippines have been victims of data breaches over the past 12 months, with two in five firms losing at least US$500,000 to fraudsters, a Philstar Global report says.
A comparison of data privacy laws across Asia published in the Asia Business Law Journal shows that many of the safeguards are still a work in progress, with kinks needing to be worked out.
In India, a revised data protection bill was drafted in December 2021, but one of the most controversial elements of the bill remains Clause 35 that conveniently exempts the Indian government from complying with the provisions of the bill. If misused, activists say, this exemption can morph into a toxic cocktail that gives the government undue power for surveillance, while crushing the legitimate civil right to demand information from the government.
While the European Union’s GDPR privacy regulations would apply throughout the world when handling data of residents from the European Union, it is clear that Asia too could benefit from a more uniform regulatory policy, or at least one that was more consistent and less fragmented.
In Asia, Thailand, South Korea Japan and China are seen to have the strictest data privacy laws, while those of other Asia countries remain complex and evolving.
As we live more of our lives online, priorities must shift to ensuring adequate protection for citizens from digital crime and data theft, while ensuring smooth economic growth. And there’s no denying that a lot depends on how soundly this legislation is established in Asia now.
Kamala Thiagarajan is a freelance journalist based in Madurai, southern India