Digital Information Security Archives - InnoHEALTH magazine

How Crucial is DISHA Act for Healthcare Industry?

InnoHEALTH Magazine — Mon, 17 Dec 2018 08:56:22 +0000

“A journey of a thousand miles begins with a single step.” The Digital Information Security in Healthcare Act (‘DISHA’) is that firm first step taken by the Indian Government in the long journey to secure the healthcare data of patients in India. The question we need to ask ourselves is that Why DISHA is the need of the hour? Why do we need to safeguard the electronic health record in hospitals?

The draft of the act was made public in November 2017 by Ministry of Health and Family Welfare. The word ‘Disha’ means direction, the GoI has taken the first step in the direction of safeguarding the digital health record. For this InnovatioCuris has also taken the first step towards having a concrete discussion about ‘Challenges in the implementation and opportunities for making health sector DISHA and data protection ready’. There were panelists from various renowned government, private hospitals, and healthcare IT firms.

The first session was about the ‘Challenges in the implementation of DISHA’. The panelists were happy that InnovatioCuris has taken an initiative to critically discuss the challenges a hospital will face once the act becomes the law. All the panelists agreed that the act lacks various aspects. Few concerns that bother the clinicians are, that who will give the consent if the patient is unconscious.

The ambulances have the capability that it sends the health records from the ambulance to hospital before the patient reaches the hospital for doctors to study the emergency cases. In this scenario, what should be done if a patient denies the consent for sharing the data at a later stage? Should the clinical establishments discard the already shared health record or should they handover the same to the owner (in this case, patient) or what should be done. There are no set protocols defined in the act for such cases.

A question was put forward, does the patient has the authority to edit their health record, or can they view, who have seen their health record. A healthy discussion took place where we got to know that citizens of Estonia have chip cards, where one can see their health record and can also see the logs of who has accessed their health record. This made us realize, that India as a nation state can use Aadhar card as a mechanism, where we can log in into a portal and get to see health records.

The third challenge that came forward was interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. The health record can be shared by the clinical establishments to another, but there is no standard on how to transfer it. Data integrity is a point of concern, which is not mentioned in the act.

One of the challenges that came into light was according to ‘Clinical Establishment Act Standards for Hospital[2]’ the hospital has to keep health information and statistics in respect of national programmes, notifiable diseases, and emergencies/disasters/epidemics and furnish the same to the district authorities in the prescribed formats and frequency. The question is what if the patient does not give consent. The proposed act should have a provision where the clinical establishments are liable to take the health data.

As we have unstructured healthcare facilities in India, the act should also empower the clinical establishments by various means to keep the data safe. As of now the DISHA is a proposed act, not a law and has lots of loopholes. It also lacks in many aspects discussed earlier. This is just a start and the government should take necessary steps to improve it.

The second panel discussed on ‘Opportunities for making health sector DISHA and data protection ready’. The panelist consisted of CIO of path labs, owners of healthcare IT firms, who shared relevant thoughts and comments. The panel started the discussion on why do we need the act and what are the benefits of the act. Panelist were grateful to the government to bring the act. They told that the clinical establishments will take steps to increase the safety of the health record.

The gaps in the technology for generation, storage and transmission will be lowered down. Sectors such as banking, financing and insurance have structured their data, but this lacks in healthcare. Detailed scope of security features are missing from the act, this would help the companies to design the software from the ground up by using security as an important consideration.

The imminent threat is in the software which are already in place and have not been patched or the system has not been upgraded. The good news is that many have an audit trail in built in their system, which track any CRUD(creation, read, update, delete) of the records. The discussion contributed a fruitful thought: Data at rest is not encrypted. The question that arises is what is preventing the healthcare IT companies to encrypt the data at rest.

One of the challenge in the DISHA is that, the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health record within three days. But according to IBM report it takes on an average of 197 days to detect a breach[1]. How can the Healthcare IT companies safeguard the health record and let the owner know about the breach. The solution is to encrypt the tables in the database, but that might hamper the performance.

It is a huge opportunity for the stakeholder to bring standards in the act. DISHA might have only completed its first round of comments from the public and stakeholders, it can be expected that the revisions made based on the feedback will churn out a more refined version of the act. In any case, it is evident from the draft that the government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health record.

The post How Crucial is DISHA Act for Healthcare Industry? appeared first on InnoHEALTH magazine.

Digital Information Security in Healthcare Act on Cards

InnoHEALTH Magazine — Tue, 28 Aug 2018 05:25:53 +0000

Cognizant of fact that the data breach incidents have deluged various sectors, including highly personal and sensitive data on individual’s health profile, the Union government is all set to create a new narrative in the health sector by unveiling its plan for digital health security act.

The draft act has been placed in open for stakeholders’ take on that. The proposed legislation is harsh on prowling data poachers with stringent punishment that entails five years imprisonment and a fine of Rs. five lakhs.

The purpose of the Act is to provide for electronic health data privacy, confidentiality, security and standardization and provide for the establishment of National Digital Health Authority and health information exchanges and such other matters.

Digital Information Security in Healthcare Act will be an Act to provide for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto. This Act may be called Digital Information Security in Healthcare Act (DISHA) and it extends to the whole of India except the State of Jammu and Kashmir.

The Act shall come into force on such date as the Central Government may, by notification, appoint; and different dates may be appointed for different States and for different provisions of this Act.

The draft Digital Information in Healthcare Security Act (DISHA) makes it clear that any health data including physiological, physical & medical records, sexual orientation, history and biometric information are the property of the person who it pertains to.

The Act also talks about a health information exchange, a National eHealth Authority and a State Electronic Health Authority. These three authorities shall be duty-bound to protect the privacy, security, and confidentiality of the owner’s digital health data.

It says the owners have the right to privacy, security, and confidentiality of their digital health data. The owners have the right to give or refuse consent for generation and collection of such data. Under the proposed Act, the National eHealth Authority of India (NeHA) will be established by the union government. It will have a full-time Chairperson; a member secretary; equivalent to the rank of Joint Secretary to the Government of India. Four full-time members will be appointed by the union government. And these will be from health informatics, public health, law and public policy.

Four ex-officio members, not less than the rank of Joint Secretary will also be there.

The NeHA or its representative shall have the right to inspect all such records or access the premises, including virtual premises of the health information exchange or exchanges at any time.

The draft specifically says the rights of the owner of digital health data: an owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act. An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of the Act.

[vc_single_image image=”4574″ img_size=”500×300″ alignment=”center”]

Digital health data, whether identifiable or anonymized, shall not be accessed, used or disclosed to any person for a commercial purpose and in no circumstances be accessed, used or disclosed to insurance companies, employers, human resource consultants and pharmaceutical companies, or any other entity as may be specified by the central government.

The draft says that the insurance companies shall not insist on accessing the digital health data of persons who seek to purchase health insurance policies or during the processing of an insurance claim.

The Act is clear on the ownership of digital health data. The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitized. A clinical establishment or Health Information Exchange shall hold such digital healthcare data referred to in sub-section (1) in trust for the owner.

A health information exchange shall maintain a register in such form and manner as may be prescribed by the central government, containing all details of the transmission of the digital health data between a clinical establishment and health information exchange, and between health information exchanges inter se.

In cases, where access to digital health data is necessary for investigation into cognizable offenses, or for the administration of justice, such access may be granted to an investigating authority only with the order of the competent court.

All clinical establishments and health information exchanges shall maintain a register in a digital form to record the purposes and usage of digital health data accessed within the meaning of this section, in such form and manner, as may be specified by the NeHA.

A clinical establishment, health information exchange, State Electronic Health Authority and NeHA, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

The Central Adjudicatory Authority shall sit at New Delhi and the State Adjudicating Authorities shall ordinarily sit at the State Capitals.

The Adjudicating Authority shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908) but shall be guided by the principles of natural justice and, subject to the other provisions of this Act, the Adjudicating Authority shall have powers to regulate its own procedure.

The Central Adjudicating Authority and State Adjudicatory Authorities shall, for the purposes of this Act, have the same powers as are vested Volume 3 | Issue 3 | July-September 2018 65 in a civil court under the Code of Civil Procedure, 1908 (5 of 1908) while trying a complaint in respect of the following matters, namely:

(a) Discovery and inspection
(b) Enforcing the attendance of any person, including any officer of a Clinical establishment or a health information exchange and examining him on oath
(c) Compelling the production of records
(d) Receiving evidence on affidavits
(e) Issuing commissions for examination of witnesses and documents
(f) Any other matter which may be prescribed by the Central Government

All persons so summoned shall be bound to attend in person or through authorized agents, as the Adjudicating Authority may direct, and shall be bound to state the truth upon any subject respecting which they are examined or make statements and produce such documents as may be required.

Every proceeding under this section shall be deemed to be a judicial proceeding within the meaning of Section 193 and Section 228 of the Indian Penal Code (45 of 1860).

No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the Central Adjudicatory Authority or the State Adjudicatory Authority is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

Any person aggrieved by any decision or order of the Central Adjudicatory Authority may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Adjudicatory Authority to him on any question of law or fact arising out of such order.

Provided that the High Court may if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.

“Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs 5 lakhs. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the court, as it deems fit as compensation,” the draft says.

It has proposed to set up a nodal body in the form of “National Digital Health Authority” through an Act of Parliament as a statutory body for promotion/adoption of eHealth standards, to enforce privacy & security measures for electronic health data, and to regulate storage & exchange of electronic health records. The terms “dishonesty” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860. Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than Rs. 5 lakhs. Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.

Compensation for serious breach of digital health information (1) a person or an entity committing a serious breach of digital health information shall be liable to pay damages by way of compensation to the owner of the digital health data in relation to which the breach took place. (2) Where any compensation has been awarded under sub-section (2) of section 37, it shall be taken into account when determining the claim made by the person affected. The penalty for failure to furnish information, return or failure to observe rules and directions, etc.

Like if any person required under this Act or any rules made thereunder, fails to furnish any information or document or books or returns or reports etc., within the time specified, to NeHA, or the State Electronic Health Authority, as the case may be, shall be liable to a penalty of minimum Rs. 1 lakh and Rs. 10,000 for each day during which such failure continues subject to a maximum of one crore rupees.

Obtaining the digital health information of another person: Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than Rs. 1 lakh; or both.

Data theft: Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than Rs. 5 lakhs; or both.

No court shall take cognizance of any offense punishable under this Act or any rules or regulations made thereunder, save on complaint made by the central government, State Government, the NeHA, State Electronic Health Authority, or a person affected. No court inferior to that of a Court of Sessions shall try any offense punishable under sections 38, 41 and 42 of this Act.

The draft says where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time when the contravention was committed, was in charge of and was responsible to the company, for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the contravention, and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent the commission of such contravention.

Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officers of the company, such director, manager, secretary or other officers of the company shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Note: There are many other rules and provisions in the draft and details have been posted by the Health Ministry in public domain for reactions. This article has touched a few points to highlight basic features.

The post Digital Information Security in Healthcare Act on Cards appeared first on InnoHEALTH magazine.