Securing health data in the digital era

We often hear that ‘data is king’ in today’s digital world – and nowhere is this more evident than in healthcare. A patient’s medical data is one of the most powerful tools in the healthcare sector, shaping diagnoses, treatments, and health policies. Health data comes in many forms – clinical records, genetic information, behavioural insights and personal identification – collected from hospitals, clinics, pharmacies, and diagnostic centres. When used effectively, this data enhances diagnosis and clinical decision-making and streamlines healthcare operations.

The real power of health data is unlocked by interoperability or the seamless exchange of information. For patients, digital health records eliminate the need to carry paper files and provide instant access to past diagnoses, prescriptions and allergies, reducing unnecessary tests and treatment delays. For doctors, a complete medical history enables faster, more accurate diagnoses and personalised treatments, like a cardiologist accessing past ECG results to assess heart disease progression without ordering new tests. On a larger scale, aggregated and anonymised health data helps track public health trends, allocate resources efficiently, and predict disease outbreaks – capabilities that proved critical during Covid-19 through contact tracing and case forecasting.

India’s digital health transformation is being shaped by the Ayushman Bharat Digital Mission (ABDM), which embeds privacy and security into its very foundation. ABDM is structured as a decentralised, federated network, creating a secure, interoperable ecosystem, enabling patients to access, control, and share their medical records digitally. Such a model ensures that no single entity has complete control over an individual’s health data, thus reducing vulnerability.

A key feature of ABDM is its consent-driven framework. Personal Health Record (PHR) apps allow individuals to manage access requests, ensuring that data is shared only with explicit consent. Patients can grant or revoke access at any time, reinforcing their control over their medical history. Additionally, ABDM’s encryption protocols and stringent compliance standards ensure that every participating digital health solution meets minimum security requirements, fostering trust in the system.

With over 500 million health records already linked to the ABDM ecosystem and more than 80,000 healthcare facilities contributing (National Health Authority, as of 6 March 2025), the network is expanding rapidly.

Legal frameworks

Managing this vast and growing repository requires a strong commitment to ethical data practices. However, safeguarding health data cannot rely on technology alone – comprehensive legal frameworks are essential to reinforce patient rights.

India’s regulatory landscape is evolving to address the challenges of health data protection. The Digital Personal Data Protection (DPDP) Act, 2023, is one such legislation that enshrines the right to privacy, ensuring that health data is protected from unauthorised access. The draft DPDP Rules, 2025, only strengthen this piece of legislation by placing stringent requirements on data fiduciaries to guard citizen data. Another critical piece of legislation, the Digital Information Security in Healthcare Act (DISHA), is expected to mandate the sharing of health data only with patient consent, further securing the landscape.

ABDM’s Health Data Management Policy aligns with national as well as global standards such as the European Union’s General Data Protection Regulation (GDPR). Going forward, learnings from implementation in diverse settings can inform future regulations and policies for balancing health data privacy and access to public goods.

Philanthropy and businesses drive digital health adoption. Securing health data is not just a technological challenge; it is a collective responsibility. While ABDM provides a strong foundation, its success depends on widespread adoption, particularly through private sector and philanthropic engagement.

Businesses, CSR initiatives and philanthropists can drive meaningful healthcare transformation by integrating ABDM into their programs. CSRs can lead the digitisation of charitable hospitals, support private provider networks or strengthen last-mile infrastructure to make secure, interoperable healthcare accessible to underserved populations. Aligning with ABDM also ensures long-term systemic impact rather than fragmented, short-term interventions. For businesses, adopting ABDM ensures DPDP Act compliance while enabling a data-first approach to optimise healthcare operations.

India’s digital health revolution, anchored by ABDM, is reshaping the healthcare landscape with secure, patient-centric systems. Yet, large-scale adoption requires multi-stakeholder collaboration. By joining forces with the government, private players, and philanthropic leaders can ensure India builds a truly inclusive, patient-centric digital health ecosystem.

(This is the third article in a six-part series exploring the importance of digital health in India)

Interview

Pillars of privacy-by-design framework

Decentralised data storage and informed consent ensure security and empower citizens, says Rahul Matthan, partner, Trilegal. Here, he discusses how ABDM’s decentralised approach and privacy-by-design framework enhances data security and empowers citizens, the transformative potential of digital health records, and the challenges and opportunities in driving interoperability and adoption of digital health solutions across India

ABDM adopts a decentralised approach, storing health data locally where it is generated rather than at a central or national level. How does this model enhance data security and empower citizens to manage their health information?

When data storage is decentralised, it reduces the surface area of attack. If a given data center or server is compromised it does not place all the data in the system at risk – just that which happens to be stored on that server. This significantly improves the data security in the system as a whole as compared to centralised storage where any data breach puts all the data at risk.

At the same time, if we can build robust pipes connecting these different stores of data, allowing the data to be pulled as and when required with the consent of the user, we will empower the user with the tools needed to manage their data, allowing them to transfer it from one data fiduciary to another at their discretion.

How does ABDM’s privacy-by-design framework, coupled with informed consent for data access, balance individual rights with the need for accessibility and trust in the healthcare system?

Data protection law stipulates that personal data should not be processed without the user’s consent. It, therefore, becomes critical to put in place measures to ensure that patients’ consent is obtained before data access requests are processed. ABDM’s approach ensures that personal health data is transferred only with the explicit consent of the individual. This mechanism not only respects individual autonomy but also protects sensitive personal information. The framework emphasises the principle of informed consent, which means individuals must fully understand the purposes for which their data will be used, the duration of its retention, and their ability to revoke consent if needed. To operationalise this, ABDM employs a digital consent artifact framework that incorporates these principles directly into its code. This ensures transparency and empowers users to make informed decisions about their data.

In addition to consent, ABDM’s privacy-by-design framework incorporates features such as an Anonymiser module, which allows health data to be aggregated and analysed without compromising individual identities.

What are the most impactful use cases for digital health data and records in transforming healthcare delivery?

The availability of medical records in digital form will make second opinions much easier to provide. Rather than repeating the tests, doctors will be able to get the information they need electronically. They will have new tools for diagnosis as they will be able to leverage historical trends in longitudinal data to identify causes of disease. Digital health data will also make it possible for telemedicine and other virtual medical services to be rolled out at scale. And, once anonymised, it can help in research.

But perhaps more important than anything else are the use cases we are yet to discover. After all, it is only when all medical data has been digitised and made available on an interoperable, easily accessible platform that we will discover its most impactful use cases.

What steps should India take to overcome challenges in ensuring inter-operability and driving the adoption of digital health solutions across diverse healthcare settings?

A major challenge to deploying digital health in the country is the low level of penetration of digital technology in the healthcare sector. While large hospitals and other medical service providers, particularly in the Tier I towns are digitally enabled, they often use bespoke, proprietary systems that are not easily interoperable with other systems. In the rural hinterland, most healthcare services are not digital and therefore cannot avail of the benefits of this system. Deploying digital solutions for health at a population scale in a country with the sort of diverse challenges that India faces will take considerable effort and investment.

As healthcare digitisation accelerates in India, what best practices and lessons can we draw from the digital health journeys of other nations?

In other countries, digital health systems have been built to address the specific requirements of insurance companies (to ease claims processing) and lawyers (to address medical liability). It is important to ensure that as we build our digital health systems, we ensure that they operate to serve the needs of the patients and the healthcare professionals who are treating them. We need to design our systems to provide them with the information they need promptly and to ensure that the system fits neatly into their workflows.

It is also important to build systems that make it possible for us to unlock the value in the data so that we can serve the needs of society as a whole, while at the same time preserving the privacy of individual patients.