digital health data Archives - InnoHEALTH magazine

Cybersecurity Trends, Challenges, and Threats in Healthcare

InnoHEALTH Magazine — Tue, 28 May 2019 06:57:20 +0000

Likewise, the global trends, the growth of the Internet in India is incredibly fast-paced, with an estimated addition of 10 million active users each month. Along with the increase in the number of users, the adoption rate of going digital by various stakeholders in our society is also growing exponentially. Unfortunately, this also increases our vulnerability to potential hacks or security breaches that come from individual hackers to organized groups to even attacks from nation states. Cybersecurity, thus, entails protection of our cyberspace, and all the critical infrastructures like banking and finance, defense, healthcare, manufacturing, nuclear reactors, and commercial facilities from being the target to any sort of attack, damage, misuse or act of espionage.

The healthcare industry is particularly vulnerable to cyber threats not least because of the minimal amount of investment they put in cybersecurity measures. Hospitals, insurance companies, pharmacies, developers/ owners of healthcare websites, manufacturers of medical devices, or handsets, or third-party vendors to which sensitive patient data gets shared; all represent a leaky pipeline through which hackers can enter a system and cause extensive damage. The types of attacks can include access to patient’s medical history, prescriptions, financial and personal details or using the Internet of Medical Things to disrupt implanted medical devices or devices like drug infusion pumps. Healthy cybersecurity practices have, therefore, never been more important than today when a ransomware attack like WannaCry has the potential to literally shut down a country’s (UK) National Health Service.

Where India stands today?

According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.

For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.

India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.

Also Read:
Cyber4Healthcare: An Issue of Today & Tomorrow
DISHA – Need of the hour

Healthcare specific provisions

While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.

Accordingly, DHD means any electronic record of health-related information

concerning the physical or mental health of a person
on any health service provided to an individual
on a donation of any body part of any bodily substance
derived from testing or examination of a body part or bodily substance
collected during providing health services
relating to details of the clinical establishment accessed by a person

DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.

Marching ahead

The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.

About the author

Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.

The post Cybersecurity Trends, Challenges, and Threats in Healthcare appeared first on InnoHEALTH magazine.

Digital Information Security in Healthcare Act on Cards

InnoHEALTH Magazine — Tue, 28 Aug 2018 05:25:53 +0000

Cognizant of fact that the data breach incidents have deluged various sectors, including highly personal and sensitive data on individual’s health profile, the Union government is all set to create a new narrative in the health sector by unveiling its plan for digital health security act.

The draft act has been placed in open for stakeholders’ take on that. The proposed legislation is harsh on prowling data poachers with stringent punishment that entails five years imprisonment and a fine of Rs. five lakhs.

The purpose of the Act is to provide for electronic health data privacy, confidentiality, security and standardization and provide for the establishment of National Digital Health Authority and health information exchanges and such other matters.

Digital Information Security in Healthcare Act will be an Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto. This Act may be called Digital Information Security in Healthcare Act (DISHA) and it extends to the whole of India except the State of Jammu and Kashmir.

The Act shall come into force on such date as the Central Government may, by notification, appoint; and different dates may be appointed for different States and for different provisions of this Act.

The draft Digital Information in Healthcare Security Act (DISHA) makes it clear that any health data including physiological, physical & medical records, sexual orientation, history and biometric information are the property of the person who it pertains to.

The Act also talks about a health information exchange, a National eHealth Authority and a State Electronic Health Authority. These three authorities shall be duty-bound to protect the privacy, security, and confidentiality of the owner’s digital health data.

It says the owners have the right to privacy, security, and confidentiality of their digital health data. The owners have the right to give or refuse consent for generation and collection of such data. Under the proposed Act, the National eHealth Authority of India (NeHA) will be established by the union government. It will have a full-time Chairperson; a member secretary; equivalent to the rank of Joint Secretary to the Government of India. Four full-time members will be appointed by the union government. And these will be from health informatics, public health, law and public policy.

Four ex-officio members, not less than the rank of Joint Secretary will also be there.

The NeHA or its representative shall have the right to inspect all such records or access the premises, including virtual premises of the health information exchange or exchanges at any time.

The draft specifically says the rights of the owner of digital health data: an owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act. An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of the Act.

[vc_single_image image=”4574″ img_size=”500×300″ alignment=”center”]

Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the central government.

The draft says that the insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of an insurance claim.

The Act is clear on the ownership of digital health data. The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitized. A clinical establishment or Health Information Exchange shall hold such digital healthcare data referred to in sub-section (1) in trust for the owner.

A health information exchange shall maintain a register in such form and manner as may be prescribed by the central government, containing all details of the transmission of the digital health data between a clinical establishment and health information exchange, and between health information exchanges inter se.

In cases, where access to digital health data is necessary for investigation into cognizable offenses, or for the administration of justice, such access may be granted to an investigating authority only with the order of the competent court.

All clinical establishments and health information exchanges shall maintain a register in a digital form to record the purposes and usage of digital health data accessed within the meaning of this section, in such form and manner, as may be specified by the NeHA.

A clinical establishment, health information exchange, State Electronic Health Authority and NeHA, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

The Central Adjudicatory Authority shall sit at New Delhi and the State Adjudicating Authorities shall ordinarily sit at the State Capitals.

The Adjudicating Authority shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908) but shall be guided by the principles of natural justice and, subject to the other provisions of this Act, the Adjudicating Authority shall have powers to regulate its own procedure.

The Central Adjudicating Authority and State Adjudicatory Authorities shall, for the purposes of this Act, have the same powers as are vested Volume 3 | Issue 3 | July-September 2018 65 in a civil court under the Code of Civil Procedure, 1908 (5 of 1908) while trying a complaint in respect of the following matters, namely:

(a) Discovery and inspection
(b) Enforcing the attendance of any person, including any officer of a Clinical establishment or a health information exchange and examining him on oath
(c) Compelling the production of records
(d) Receiving evidence on affidavits
(e) Issuing commissions for examination of witnesses and documents
(f) Any other matter which may be prescribed by the Central Government

All persons so summoned shall be bound to attend in person or through authorized agents, as the Adjudicating Authority may direct, and shall be bound to state the truth upon any subject respecting which they are examined or make statements and produce such documents as may be required.

Every proceeding under this section shall be deemed to be a judicial proceeding within the meaning of Section 193 and Section 228 of the Indian Penal Code (45 of 1860).

No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the Central Adjudicatory Authority or the State Adjudicatory Authority is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

Any person aggrieved by any decision or order of the Central Adjudicatory Authority may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Adjudicatory Authority to him on any question of law or fact arising out of such order.

Provided that the High Court may if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.

“Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakhs. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the court, as it deems fit as compensation,” the draft says.

It has proposed to set up a nodal body in the form of “National Digital Health Authority” through an Act of Parliament as a statutory body for promotion/adoption of eHealth standards, to enforce privacy & security measures for electronic health data, and to regulate storage & exchange of electronic health records. The terms “dishonesty” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860. Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs. 5 lakhs. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.

Compensation for serious breach of digital health information (1) a person or an entity committing a serious breach of digital health information shall be liable to pay damages by way of compensation to the owner of the digital health data in relation to which the breach took place. (2) Where any compensation has been awarded under sub-section (2) of section 37, it shall be taken into account when determining the claim made by the person affected. The penalty for failure to furnish information, return or failure to observe rules and directions, etc.

Like if any person required under this Act or any rules made thereunder, fails to furnish any information or document or books or returns or reports etc., within the time specified, to NeHA, or the State Electronic Health Authority, as the case may be, shall be liable to a penalty of minimum Rs. 1 lakh and Rs. 10,000 for each day during which such failure continues subject to a maximum of one crore rupees.

Obtaining the digital health information of another person: Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than Rs. 1 lakh; or both.

Data theft: Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than Rs. 5 lakhs; or both.

No court shall take cognizance of any offense punishable under this Act or any rules or regulations made thereunder, save on complaint made by the central government, State Government, the NeHA, State Electronic Health Authority, or a person affected. No court inferior to that of a Court of Sessions shall try any offense punishable under sections 38, 41 and 42 of this Act.

The draft says where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time when the contravention was committed, was in charge of and was responsible to the company, for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the contravention, and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent the commission of such contravention.

Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officers of the company, such director, manager, secretary or other officers of the company shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Note: There are many other rules and provisions in the draft and details have been posted by the Health Ministry in public domain for reactions. This article has touched a few points to highlight basic features.

The post Digital Information Security in Healthcare Act on Cards appeared first on InnoHEALTH magazine.

National Medical Commission Bill Faces Rough Weather

InnoHEALTH Magazine — Thu, 09 Aug 2018 09:46:50 +0000

The Government has approved a slew of amendments to the National Medical Commission (NMC) Bill. According to the official sources, these Amendments to the NMC Bill come in the backdrop of its consideration in Lok Sabha and subsequently being referred to the Department Related Parliamentary Standing Committee (DRPSC). The Union Cabinet chaired by Prime Minister Mr. Narendra Modi has approved these changes.

The Government has considered the recommendations made by the Standing Committee in its report tabled in the House on 20th March 2018 and general feedback, particularly the views of medical students and practitioners regarding certain provisions of the Bill.

Also Read: One Government Medical College in Each State

Having considered the common demand by the students not to subject them to an additional licentiate exam for getting a license to practice, the Cabinet has approved that the final MBBS examination would be held as a common exam throughout the country and would serve as an exit test to be called the National Exit Test (NEXT). Thus, the students would not have to appear in a separate exam after MBBS to get the license to practice. NEXT would also serve as the screening test for doctors with foreign medical qualifications to practice in India.

Provision of Bridge course for AYUSH practitioners to practice modern medicine removed: the provision dealing with bridge course for AYUSH practitioners to practice modern medicine to a limited extent has also been removed. It has been left to the state governments to take necessary measures for addressing and promoting primary health care in rural areas.

Fee regulation for 50% seats in private medical institutions and deemed universities: the maximum limit of 40% seats for which fee would be regulated in private medical institutions and deemed universities has been increased to 50% seats. Further, it has been clarified that the fee would also include all other charges taken by the colleges.

The number of nominees from States and UTs in NMC increased from 3 to 6: responding to the demands from states to increase their representation in the NMC, the nominees of States and UTs in the NMC have been increased from 3 to 6. The NMC will comprise of 25 members of which at least 21 will be doctors. Monetary penalty for a medical college non-compliant with the norms replaced with provision for different penalty options.

Also Read: An Interaction with J.P. Nadda on Health Plan

Another major concern gathered during the discussion with stakeholders was the wide range of monetary penalty, ranging from one half to ten times the annual fee recovered from a batch, to be imposed in a graded manner on a medical college non-compliant with the norms. The clause has been replaced with a provision which provides different options for the warning, reasonable monetary penalty, reducing intake, stoppage of admission leading up to the withdrawal of recognition. Stringent punishment for unqualified medical practitioners or quacks: the government is concerned about the quality and safety of health care being made available to the citizens and the need to act strictly against unqualified practitioners or quacks. The punishment for any unauthorized practice of medicine has been made severe by including a provision for an imprisonment of up to one year along with a fine extending up to Rs. 5 lakhs.

On the other hand, country’s apex body of doctors Indian Medical Association (IMA), which has been on a nationwide march from 25th February 2018 to deprecate the current form of the NMC Bill, protested in Delhi in the last week of March 2018 and held Mahapanchayat at Delhi’s Indira Gandhi Stadium.

The IMA has strongly opposed the draft Bill that seeks to replace the Medical Council of India with a new body, claiming it will cripple the medical profession. “The bill, which has the potential to adversely alter the course of medical education and healthcare delivery in India, will also make irrevocable damage if passed in its current form,” IMA’s General Secretary Dr. R N Tandon had said. IMA’s National President, Dr. Ravi Wankhedkar had said, vehemently opposing the commission, IMA has organized a march across India.

Informatively, IMA, a self-regulating body run by doctors, has over 1,725 local branches across the country and has held simultaneous yatras across the country to generate awareness among masses. Earlier this month, the IMA had organized a cycle rally across India with an aim to sensitize the masses about the issue. According to the Bill, the government can fix the fee for only 40 percent of the seats in private medical colleges.

Also Read: Ten Crore Poor People to Get Health Insurance

“As the remaining 60 percent of seats does not come under the guidelines, the colleges shall be charging the higher fee. This clause is paradoxical in nature and makes it pro-rich reservation system,” Dr. Tandon had said.

“If functional, this means that the present ratio of 15 percent allotted to private and deemed universities for charging high fees stands augmented to the entire 60 percent which itself is a real travesty of its kind,” he added. The IMA is also opposing the clause in the bill which calls for allowing practitioners of traditional medicine system to pursue modern medicine.

The post National Medical Commission Bill Faces Rough Weather appeared first on InnoHEALTH magazine.

DISHA – Need of the hour

InnoHEALTH Magazine — Mon, 16 Apr 2018 04:18:00 +0000

Digital Information Security in Healthcare Act (DISHA) is proposed by the Indian government to secure e-Health data.

The act:

The Act mandates the clinical establishments to secure the digital health data and defines functions of the new regulatory bodies at the center and state level except the State of Jammu and Kashmir. Clinical establishments here means, any hospital, clinic, dispensary, etc., be it public or private.

Setup:

National Electronic Health Authority (NEHA) and State Electronic Health Authority (SEHA) will be setup as the governing bodies to formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of the digital health data for this Act. It will also ensure data protection and prevent breach or theft of digital health data. It will establish data security measures for all stages of generation, collection, storage and transmission of digital health data, which will at least include access controls, encrypting and audit trails.

Digital Health Data:

Digital health data comprises of one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus (HIV) status, Sexually Transmitted Infections treatment, and abortion etc;

The required health data can be obtained by consent from the owner, thus informing them the purpose of collection, identity of the recipients to whom the health data may be transmitted or disclosed, identity of the recipients who may have access to the data on a “need to know” basis.

Major points:

As per the draft, the owners have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data.

The Act also lists down factors affecting data transmission as to who can transmit, how they can transmit and monitoring data transmission. The Act further lists down the guidelines on accessing this data, with regards to who can access, how they can access and purpose of data access by various entities.

Penalties in contravention of serious breach of healthcare data shall be punishable with imprisonment, which shall extend from three to five years; or fine, which shall not be less than five lakh of rupees.

There are many debatable points that arise from this Act such as the technical measures a clinical establishment should take, standardization of data security, measures to be taken in times of breach, training and capacity building of the clinical establishment, best practices of data collection and storages.

The clinical establishments might be worried on implementing the Act, as they might lack the technical resources to bring the robust solutions. On the other hand the security industry in the country might be looking to engage clinical establishments and respond to this situation by providing cost effective solutions and safeguarding the privacy of the patient.

To implement the Act, clinical establishment might need hand holding. However, we appreciate the efforts of the government to propose this Act and safeguard the interest of patients and citizens.

Would you be interested in joining a workshop on discussing, opportunities and challenges in implementing DISHA, send us your interest on info@innovatiocuris.com

The post DISHA – Need of the hour appeared first on InnoHEALTH magazine.