Likewise, the global trends, the growth of the Internet in India is incredibly fast-paced, with an estimated addition of 10 million active users each month. Along with the increase in the number of users, the adoption rate of going digital by various stakeholders in our society is also growing exponentially. Unfortunately, this also increases our vulnerability to potential hacks or security breaches that come from individual hackers to organized groups to even attacks from nation states. Cybersecurity, thus, entails protection of our cyberspace, and all the critical infrastructures like banking and finance, defense, healthcare, manufacturing, nuclear reactors, and commercial facilities from being the target to any sort of attack, damage, misuse or act of espionage.
The healthcare industry is particularly vulnerable to cyber threats not least because of the minimal amount of investment they put in cybersecurity measures. Hospitals, insurance companies, pharmacies, developers/ owners of healthcare websites, manufacturers of medical devices, or handsets, or third-party vendors to which sensitive patient data gets shared; all represent a leaky pipeline through which hackers can enter a system and cause extensive damage. The types of attacks can include access to patient’s medical history, prescriptions, financial and personal details or using the Internet of Medical Things to disrupt implanted medical devices or devices like drug infusion pumps. Healthy cybersecurity practices have, therefore, never been more important than today when a ransomware attack like WannaCry has the potential to literally shut down a country’s (UK) National Health Service.
Where India stands today?
According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.
For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.
India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.
Healthcare specific provisions
While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.
Accordingly, DHD means any electronic record of health-related information
- concerning the physical or mental health of a person
- on any health service provided to an individual
- on a donation of any body part of any bodily substance
- derived from testing or examination of a body part or bodily substance
- collected during providing health services
- relating to details of the clinical establishment accessed by a person
DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.
The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.
About the author
Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.