Rajnish: Anindya welcome to the podcast and thanks for coming over.

Anindya: Thanks Rajnish and greetings to you and your listeners on world Energy Environment Week. I'm delighted to share my thoughts on the subject, but I would like to just place a key caveat that this should not be construed to be the views of Shell. Thank you.

Rajnish: My first question to you Anindya. How do you think a carbon price can help abate emissions?

Anindya: Yeah, that's a great question Rajneesh and there is a short answer and a slightly more evolved answer, so let me attempt both. The short answer is that greenhouse gas emissions carbon emissions have an externality, and the cost is borne by the society, and not necessarily by the emitter. Carbon pricing strives to place a cost on the emitter and thereby putting the sort of cost where the burden is. But if you sort of dig up a little deeper, the whole carbon pricing policy intervention is a clear nudge that Governments can give to various players across the economy on what they need to do. And there's various aspects that we should explore in this context, first is the competitive disadvantage of the first movers. There are companies right now who are contemplating climate action, but they find that such action involves costs which brings in a competitive disadvantage to them vis a vis with their competitors and therefore they do think twice before implementing major programs. A carbon pricing across a sector will ensure that all sector players are having the same level playing field and start taking the same steps and ideally this moves into an economy wide coverage, so I think that's very important to make sure that the early movers don't get disadvantaged. Secondly, there is a policy outlook signalling that this is very important. Companies right now are struggling to see what the pricing, carbon pricing or any compliance framework will look like in the coming years and decades. So, if the government can clearly indicate that this is going to be the carbon pricing methodology that the government will adopt and how it will progressively change over time, companies will be in a position to make the right technology choices back to green technology and make their investments that are well tested against such a carbon pricing regime. On the case on this case, also another aspect we need to talk about is resource mobilization. So carbon pricing of course also yields resources for the government whether it's a carbon tax or a market based mechanism like the ETS and the government, then can direct some of this to supporting new technologies. Green technologies that are not proven, for example, if it wants to support offshore wind or biofuels but also maybe use it to address the needs of just transition, so there are going to be sections of society which will be burdened by higher cost of the energy transition and some of this will be available for that. Another aspect I think we should also consider when talking about carbon pricing is globally various countries are adopting carbon pricing where there's tax or emissions traded systems and to make sure that there are no carbon leakages these countries are likely to impose a border adjustment mechanism as Europe is considering. So, if Indian companies have to operate or export into these markets then they'll have to demonstrate that they have carbon pricing domestically. So that's very important for Indian companies to achieve, I mean India has a huge trade with Europe for example of 36 or $37 billion and the part of that will get impacted by this. And the other advantage of integrating to global markets is that Indian players will have access to much deeper and wider markets for carbon offsets. For example, they are on the buy side or sell side.

Rajnish: So Anindya I agree with you, I think carbon prices are the talk of the day. Now the big question basically, which is there when you look in the case of India is should India go for a carbon tax or should it go for an emission based or a market based trading mechanism? What do you think are the pros and cons to the two and you refer to that while you're answering the earlier question?

Anindya: Yes, indeed, these are the two popular models which various countries have experimented with over the last several years. So, the advantage for India is that India can certainly benefit from the experiences of these countries and get sort of rich learnings out of it. Carbon tax in terms of implementation is perhaps much less complex, though politically less acceptable because it's it will be very transparently seen to be adding to the cost to the customers or taxpayers, as the case may be also, it needs to sit within the existing taxation framework and jurisdictional sensitivities, and I know Ernst & Young has already presented an analysis on how this can be done. As for emissions trading, there is a possibility that the existing market-based mechanisms for energy efficiency, which is the path scheme and the eCerts and the renewable energy, which is the RPO and RECs, could be brought under a carbon framework which could then be expanded to a functional emissions trading scheme. However, the complexities of the market design that address the needs of a progressive decarbonization without causing market failure needs to be carefully considered.

Rajnish: I agree with you Anindya, I think carbon taxes are easier and as you gave there are pros and cons to each of the approach. Now, given that we have a blank piece of paper in India as of this point of time, what would be your advice to our clients as to how they should think about this and go ahead?

Anindya: Indeed, that's a very important I think question to consider for countries so companies at this point in time as various regulatory changes are likely to happen in the coming future. Well, one can never be certain as to when a compliance framework for carbon will emerge in India, but we have seen a compliance framework in energy efficiency and renewable energy that was successfully implemented. We are also hearing of an RPO type framework for green hydrogen progressive Indian companies are already beginning their decarbonization journeys by implementing internal carbon pricing. CDP's annual report mentions 31 companies already having an internal common price or companies are signing up to the SBTI's or making commitments under RE 100 EP 100 EV 100 type commitments. But to ensure a sustainable future and a social license to operate, companies will need to transparently share their plans to adhere to carbon budgets available so as to achieve the climate action goals agreed by the international community such companies will withstand any shocks that could credibly arise from external carbon pricing, whether through taxes or market-based mechanism.

Back to podcast

Podcast transcript: Why there is a need for more data privacy and protection in healthcare

17 min | 31 July 2023

In conversation with:

Lalit Kalra
EY India Cybersecurity Partner and Data Privacy Leader

Pallavi: Hello, this is Pallavi, welcoming you to a new series of EY India Insights podcast on 'Gateway to data privacy and protection'. In today's episode, we explore the data privacy regime in healthcare. Joining us is our esteemed guest, Lalit Kalra, Cybersecurity Partner and Data Privacy Leader at EY India.

With over 17 years in the field, Lalit has been instrumental in assisting numerous clients in strengthening their data privacy and cybersecurity frameworks, specifically within the healthcare and technology sector. Welcome to our podcast, Lalit.

Lalit: Thank you for inviting me to the podcast, Pallavi. It is a pleasure to be here.

Pallavi: To start with, Lalit, what would you say are the advantages and risks associated with digitization of health data?

Lalit: Just like there are pros and cons for every technology that we embrace, so is the case with healthcare and digitization in healthcare. From a patient’s or doctor’s perspective, there have been many advancements that we have seen in technology in healthcare. We know of hospitals where robotic surgeries are happening, where there is a strong emphasis on telemedicine, people are talking about digital personal healthcare – that is how technology is taking the healthcare industry to a new level.

But at the same time, with digitization, a lot of personal data gets collected. From one perspective, it puts the control in the hands of the patient; it gives them the assurance that their reports or the information that they share with the healthcare provider or doctors is available whenever they need it. They no longer have to carry all the reports or maintain all the records (including prescriptions), nor do these have to be managed in hard copy any longer. Everything is available in the hospital management system (HMS).

But at the same time, because there are huge amounts of personal data, it is the first point for (cyber) attackers and hackers. Traditionally, the healthcare sector has not been in the forefront of putting controls that would safeguard systems from external cybersecurity attacks or for that matter, even internal attacks. But due to occurrence of a few (cyber) attacks on healthcare providers in the last few years, the industry is implementing cyber controls and preventive tools.

From an advantage perspective, it (digitization) improves the efficiency of a hospital and reduces cost. At the same time, it enables personal healthcare for a patient. As data gets collected, the risk essentially is misuse of data. There have been numerous cases wherein healthcare data was misused and people were getting random calls for blood donations. Till now, we have seen digital harm; but with health data coming into the picture, it may lead to physical harm. That is an area that people are scared of . There is a need to prevent external hackers from getting access and also ensure that internal users or the people who may not be aware about security but have access to data know how they handle that information. This is what the hospital industry is concerned about.

Pallavi: Could you also explain the key clauses of India's Digital Information Security in Healthcare Act, popularly known as DISHA? What steps can healthcare providers take to comply with it?

Lalit: DISHA is not a law yet. It was initially proposed in 2017 and some changes were suggested. Around 2020, a revised version of DISHA came in. The focus of DISHA is to ensure that the data collected has consent of the data owner and holds the data controller, or in this case, hospitals or doctors, accountable for what happens with the data. It is in line with the HIPAA (Health Insurance Portability and Accountability Act) of the US, which mandates organizations to implement certain controls to safeguard data being captured and processed. Essentially, it talks about consent. It talks about identifying risks in the systems which help you process personal data in healthcare; notifications that need to be sent in case of a breach; conducting risk assessment to ensure that the data is always protected; periodic management reporting that is to be done by the data controller or the entity to ensure that they are ahead with respect to the data that they are collecting.

From the perspective of compliance with DISHA, the healthcare industry has a lot of legacy systems and along with that they also have medical equipment which collects personal data and integrates that with some of the latest technologies to ensure that the data is aggregated in one place and then processed. From a healthcare perspective, the legacy systems would need to be upgraded to ensure that there is a provision of consent for processing the data. The personal data that gets collected, what is its purpose? For how long are you going to retain it? Who will have access to it? Which third parties will have access? How will that information be processed? All these aspects need to be identified to ensure there are appropriate controls implemented to safeguard personal data.

The healthcare officer or the privacy personnel in the organization have a view of what is happening in the data. So, the next step is to create a framework on managing healthcare data within the organization. Then it can be rolled out across the organization or across the hospital to ensure that every individual understands the type of data being processed and to implement controls like technological people-level control or process-level changes which are required to safeguard personal data.

Pallavi: Considering the current stage of the data privacy Bill, do you expect that it will introduce additional safeguards for patient healthcare data?

Lalit: The Personal Data Protection Bill that the government is working on is likely to be an overarching law above the existing regulations which are there in an industry. It aims to provide an overarching framework that other laws will typically align with.

(The Bill) gives freedom to organizations and regulators to inculcate and embed the specific laws into the privacy framework. The controls that the Bill talks about would be similar to what DISHA recommends, but it will add additional controls in terms of data principle rights, where the data can be stored, conducting periodic audits, and adopting additional technical controls. In a way, it may add additional safeguards and give more comfort to the people that the healthcare provider which is processing their data is compliant with a standard or a nationalized data privacy law.

Pallavi: As India focuses on the digital public goods (DPGs) in healthcare, which rely heavily on digitized data, what measures or safeguards should be implemented to protect this data?

Lalit: The healthcare industry is moving towards digital care for patients. It is moving towards digital telemedicine. We are seeing a lot of video consultation happening. At the same time, equipment is being created to help healthcare providers personalize healthcare plans and monitor them remotely. All the digital smartwatches that we wear collect a lot of data. In many developed nations, hospitals have actually started relying on the information that gets collected from a smart device and (looking at ways) to utilize that for regular monitoring. For example, a pacemaker can send real time data to a doctor who can monitor the dosage that needs to be given to the patient based on the reading that the pacemaker gives.

With that in mind, the healthcare provider or the industry has a long way to go before it can be in a comfortable zone. From an organizational perspective, it starts with how you safeguard the data that is being stored in the equipment and servers of the organization? Controls will be needed at different layers. You will have the perimeter layer, the application layer, and other layers where you have to put technological controls.

The next level of concern that would start coming in is the medical equipment. Right now, a lot of those are legacy. There are very few controls which can be implemented on those, but those are connected to IP and to some of the systems by way of integrations and data sharing. Those are the weak spots in the entire lifecycle and which need to be protected. Organizations need to identify controls and implement them in weak spots; on medical equipment specifically.

Pallavi: In light of the recent COVID data breach, concerns have been raised about the adequacy of data security measures in India, despite existing laws. What are your thoughts on this matter?

Lalit: The government came out in its support and said there was no breach. And that is a statement which typically we have to rely on. India is essentially on the global lineup as one of the top five countries in terms of cyberattacks. The digitization happening in India is at a faster rate compared to the technological controls being implemented within the healthcare ecosystem. Laws need to be strengthened further to ensure that the culprits or organizations which are not following the relevant practices are penalized and that they implement relevant controls. From a legal perspective, there is still a long way for the organizations to go.

In terms of the private industry, for healthcare, the organizations are still working towards controls. But in terms of the government space, they have a long way to go in terms of how personal data is handled, who all have access to that information, and what technological controls are to be implemented across the organization. The breach at AIIMS was a classic example of what can happen in case the healthcare ecosystem is not handled properly. Although there was no impact on patient care, many of the systems were not available for long, which impacted the efficiency and cost from an organizational perspective.

Pallavi: What are your insights into the potential benefits and risks associated with the use of generative AI in healthcare data?

Lalit: Generative AI is the buzzword in today's world. From a usage perspective, we have seen several scenarios. Google came up with studies where, based on the data it is collecting, AI is able to tell you whether you are susceptible to a heart attack or susceptible to some forms of cancer. From a usage perspective, there are limitless use cases that are applicable. From a gen AI perspective, how many of those would actually be put to use is something that we all will have to wait and watch.

I am actually a huge fan of the benefits that (gen) AI can bring in terms of how the data is handled, what are the models, and the use cases that you can create? The entire telemedicine medicine industry would actually change if (gen) AI use cases were actually put to better use. The digital care that happens with (gen) AI coming into the picture will go to the next level. Today, for example, many people are going into depression or facing mental stress. Generative AI can play a critical role in identifying those and ensuring that those people get the right support as and when it is needed.

In terms of risks, yes, it is a technology which comes with its pros and cons. It will have to be protected. People are talking about regulated and ethical AI. There aren‘t any specific regulations at present that have been created and enforced on usage of AI across healthcare or across the industry at large. We will have to wait and see how AI usage and AI development is regulated.

It certainly poses a lot of risks in terms of data handling, access, models, and where does it stop in terms of decision making (because one of the critical use cases in healthcare for Gen AI is the decision-making)? How much would you rely on AI for automated decision-making? Which is the line of prescription that has to be defined and to be given to a patient? All these would take some time before being actually put to use. But yes, certainly, there is a need for control and ethical AI and regulated AI before it is put to practical use.

Pallavi : Thank you, Lalit, for all those insights and for sparing the time to share all these insights on data privacy regime in the healthcare sector.

Lalit : Thank you, Pallavi, it is a pleasure.

Pallavi : On that note, we come to the end of this episode. If you would like us to explore other such topics on data privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in. Goodbye for now.

Back to podcast

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY | Assurance | Consulting | Strategy and Transactions | Tax

About EY

EY is a global leader in assurance, consulting, strategy and transactions, and tax services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no.

ED MMYY

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Topics

General

People

Back to podcast

Podcast transcript: Why there is a need for more data privacy and protection in healthcare

17 min | 31 July 2023

Back to podcast

Welcome to EY.com

Topics

General

People

Trending

Back to podcast

Podcast transcript: Why there is a need for more data privacy and protection in healthcare

17 min | 31 July 2023

Back to podcast