DISHA Archives - InnoHEALTH magazine

Exclusive Interview with India's National Cybersecurity Coordinator

InnoHEALTH Magazine — Mon, 14 Oct 2019 05:23:08 +0000

Vision for cybersecurity: An exclusive interview with India’s National Cybersecurity Coordinator at Prime Minister’s Office

-Interviewed by Sachin Gaur, executive editor, InnoHEALTH Magazine

Lt General (Dr.) Rajesh Pant is an internationally recognized Cyber Security expert, presently tenanting the prestigious appointment of National Cyber Security Coordinator at the Prime Minister’s Office, India. General Pant brings to the table an interesting mix of military operations, academic excellence, corporate governance, and cybersecurity wisdom. Prior to this, he was the Head of the Army’s Cyber Training establishment for three years. He served in the Army Signals Corps for 41 years wherein he was awarded three times by the President of India for distinguished service of the highest order. He also served as the Chairman of Precision Electronics Ltd as a Governing Council Member of IETE (India). Sachin Gaur interviewed him on his viewpoint on India’s vision for cybersecurity.

Q. On behalf of InnoHEALTH Magazine, we congratulate you on your new assignment. For our readers, we would like you to share your short-term and long-term vision for Cybersecurity from national security perspective.
Short-term vision is to issue National Cyber Security Strategy 2020-25 early next year. Task force is working overtime on this by consulting all stakeholders. Long-term vision is to create an all-encompassing cyber vertical at the national level, to handle incident response, cybercrimes, legal issues and capacity building.

Q. We know that there are some fundamental technological shifts waiting to happen like 5G, and along-with it massive (Internet of Things) IoT deployments and especially use cases of connected healthcare. Can you share your views on the cybersecurity implications of the connected devices?
IoT security is a priority topic world over and this is because the limited security capabilities of these devices are also an afterthought. We need to work on a framework, to bring baselinesecurity through the manufacturers and developers of these devices. These devices are omnipresent in our lives, we find them in our home environment to industrial environments including hospitals. We have seen attacks in the past, where such devices are compromised to launch massive denial of service attacks to manipulate the workings of critical infrastructure.
Also, the issue of IoT security is multidimensional, from data security, privacy to device security. As we discuss this, there are multiple acts and bills pending in the Parliament on these topics. While the bills and acts will provide a framework, we need to also create awareness on both sides, supplier and consumer on the possible risks and mitigation strategies.

Q. What steps can be taken to improve the security in such connected devices?
When I say baseline security framework, it can be achieved in multiple ways.
As of today, most devices that we use including mobile phones, do not have a security testing certification. So, we can agree with the industry and look at important test cases and if they can do self-certification on such test cases.
For example: the device should not have weak default login credentials, it is sending data to a remote server and can be operated remotely. So, we can come up like a 5-star rating framework like that of the energy consumption but for the security of IoT devices basis what kind of tests they clear.
Industry bodies can agree on various levels of security and what it takes to achieve that level. Such a framework, when implemented, can provide confidence to consumers and users on the kind of device they are using vis-a-visthe use case they have at hand. So, they might use a higher security rating device in a use case where the stakes are high.
The other approach is to get the security testing done with notified agencies. Department of Telecom for example has announced mandatory security testing of network elements for telecom given telecom is a part of the critical infrastructure and security issuescannot be taken lightly.
Also, some of the emerging concepts in connected devices are missing in the various governing acts of the industrial connected devices. So, we also need to update our legal frameworks to cover software-based tempering of such devices and make the manufacturers and service providers accountable and proactive towards the security of the systems they provide.

Q. What are the threats that you foresee for the health sector?
There are three areas we see where health sector can be impacted:
First is the data breaches and ransomware attacks on healthcare data. As we know, among all the data, healthcare is the most sensitive and sought after by malicious actors. Outside of India, we have seen umpteen cases where ransomware has crippled the health system and it is only after paying the ransom the hospitals can start operation again. Timely backups and encryption of healthcare data during storage is a preventive measure that clinical establishments can take to mitigate the breach and ransomware attacks.
Second is the manipulation of connected devices. The topic of IoT and connected devices security, as discussed in the above sections, directly apply to the medical devices. Healthcare is a domain where attacks on such devices can be life threatening, especially when there are implantable devices. As we have the new Medical Device Regulation Act in India since 2018, we should also consider cyber security aspect in the devices which have a communication interface. For example, a pacemaker which has a communication interface can be manipulated remotely and the patient’s life is at risk.
Third is the manipulation of health system including the building management. We are probably not very far from the days when sophisticated attacks, as we see in the movies, on high security establishments by manipulating the building controls. The building management systems are very weak when it comes to security. Every hospital is a building and imagine what a false fire alarm would mean to patients in Intensive Care Unit. Or even loss of air conditioning or sudden spikes in electrical power.
There is a proposed act DISHA, Digital Information Security Healthcare Act, which might address some of the legal aspects of security in the healthcare setting. A lot needs to be done in this area, and we are on our way.

Q. Our readership consists of health experts all over the world. Any message for them?
We are at the cusp of a new age where we look to take advantage of Artificial Intelligence to Internet of Things. For such a knowledge economy to take off, health sector is at the center of it and health experts need to pay attention on what they are buying and how such systems are managed and operated. Through intervention of Ministry of Health & Family Welfare and responsible bodies such as National Accreditation Board of Hospitals & Healthcare Providers (NABH) of Quality Council of India, we plan to recommend a cyber audit and increased awareness of information security.
We would not want our hospitals and clinical establishments to be a prey for malicious actors. Rather we would want our experts to leverage technology to take the country to the next level in providing care to a wider population at a lower cost and of the highest quality.

The post Exclusive Interview with India's National Cybersecurity Coordinator appeared first on InnoHEALTH magazine.

The Vulnerability of Medical Institutions to Cyber Attacks

InnoHEALTH Magazine — Mon, 24 Jun 2019 10:39:58 +0000

McAfee’s researchers were able to modify the vital sign data in real-time providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You would have woken up to news that Medstar patient records’ database was subject to ransom ware cyber attack and was asked to pay bitcoins. Unfortunately, the hospital did not have backup of medical records and in some cases, they had to turn away the patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine-to-machine communications. It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices. However, many hospitals are yet to make their data security systems extremely robust. Data privacy and data security are the two important pillars that need urgent consideration. Just as financial data is loved by the cyber criminals, so is health data becoming a gold-mine with the cyber offenders. Specially so when the hospitals are run on legacy systems and there is no dedicated framework or surveillance on their own data.

Personally, identifiable data is an indicator of an individual, such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Several cyberattacks on medical institutions are initiated to extract the electronic health records (EHRs) of patients. These EHRs may contain their personal health information, medical history, diagnosis codes, billing information, etc., which can be exploited by the cyber offenders in various manners, for instance to get ransom from the medical institutions or to create fake IDs to buy medical equipment(s) or medication which can be resold or exclusively sold on prescription.

Take this example. On 12 May 2017, a global ransomware attack, known as WannaCry affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under NHS) and further 603 primary care and other National Health Service (“NHS”) organisations were infected with the ransomware virus including 595 general practitioners. The trusts which were affected with WannaCry ransomware faced issues like patient appointments being cancelled, computers being locked out, diversion of patients from accidents and emergency departments, etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHSmail (the NHS email system).

In India, as reported by multiple news agencies, last year in the month of June, the Mahatma Gandhi Memorial (a trust-run hospital) hospital, Mumbai (MGM Hospital) was affected by a similar cyber-attack where the hospital administrators found their systems locked and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institutions hostage for ransom, by encrypting all the systems completely inaccessible and unusable for the victimised medical institutions. The vulnerability to such cyberattacks may account to various reasons, such as outdated digital infrastructure, medical personnel unaware or untrained about cyberattacks. Cyber offenders may gain access to medical institutions’ systems through various ways and sometimes as simple as (a) using a USB drive; (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking email or (e) phishing, etc. It is time that our healthcare providers upgrade their technologies, networks, and understanding on this subject.

Regulatory bodies across the world have suggested / adopted guidelines and cybersecurity processes and controls which help the medical institutions to mitigate cyber risks and vulnerabilities. In this article, we will be primarily focusing on various safeguards and standards put in place by the European Union and India to deal with such cyberattacks.

SCENARIO IN EUROPE

As a part of the EU cybersecurity strategy, the European Commission standards to ensure necessary adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and it came into force in August 2016. As the NIS Directive is an EU directive, every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (a) national capabilities, (b) crossborder collaborations and (c) national supervision of the critical sectors including health.

(a) National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g., it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).

(b) Cross Border Collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.

(c) National Supervision of Critical Sectors: As per the NIS Directive, every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive the NIS cooperation group through ENISA has developed guidelines regarding (a) identification criteria of cyberattacks, (b) incident notification, (c) security requirements for Digital Signal Processors (DSPs), (d) mapping of operators of essential services (OES) security requirements for specific sectors including health and (e) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribe certain standards of safety and quality, three recognised EU standards organisations namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and, (c) the European Telecommunications Standards Institute (ETSI) were set up. By setting common standards across EU, CEN, ETSI and CENELEC ensure protection of consumers, facilitate cross-border trade, ensure interoperability of goods/ products, encourage innovation and technological development, and include environmental protection and enable businesses to grow.

The General Data Protection Regulations (“GDPR”) specifically define ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special category of data’. This means that parties who are processing special category of data shall comply with additional higher safeguards and process it legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

THE INDIAN SCENARIO

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step for addressing issues relating to cybersecurity when it amended the Information Technology Act, 2000 in 2008, through which they established an Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cybersecurity incidents occurring in India and analysing information related to cybercrimes, but among other things CERT is also indulged in issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incident.

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cybersecurity incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cybersecurity as may be prescribed.

CERT-India in the last five years or so has focused on making various institutions who are highly dependent on cyber/digital networks, i.e. are ‘cyber resilient’. Being cyber resilient allows these institutions to effectively anticipate the various threats and figure out the mechanisms of dealing with the cyberattacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient.

Anticipate: Maintain a state of informed preparedness to forestall compromises of mission/ business functions from adversary attacks
Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyberattacks
Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
Evolve: To change missions/business functions and/or the supporting cyber capabilities, to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain rules. The rules require each and every corporate body including medical institutions who collect sensitive personal information to have security measures as documented in their security policy/programme which is considered to be a reasonable security practice, keeping in mind the nature of their business and considering the fact that they are collecting sensitive personal information. One such international standard as recommended under the Rules is the IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data, thereby making such holder responsible to protect privacy, confidentiality and security of data.

To bring it all together:

Majority of the cyberattacks reported worldwide are caused due to reasons which sometimes are trivial and perhaps ignored more often, such as outdated Windows operating system patch, lack of proper antivirus or reasons such as phishing, lack of awareness among the people about cybersecurity, etc.

The EU, through GDPR has made data security an integral part of law and India is taking strong steps to set up a robust data protection and data security law. Various regulations, programmes, codes, standards, etc., discussed in this article are some key indicate steps that can be implemented.

Law is just one part to solve the issue. The real question is who is responsible for safety of our personal data, commercial data, data assets, etc.? We secure our houses with a lock, burglar alarms, video cams because the house owner wants to protect it. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of various cyber-threats and must take steps to safeguard their networks and systems from such threats.

About the author:

Sharda Balaji is the founding partner of NovoJuris Legal, and along with being a qualified lawyer is also a company secretary and has been at the core of evolution of technology and IT laws in India.

Manas Ingle is a legal associate at NovoJuris Legal and works as a technology lawyer, where he deals with various legal projects relating

The post The Vulnerability of Medical Institutions to Cyber Attacks appeared first on InnoHEALTH magazine.

Cybersecurity Trends, Challenges, and Threats in Healthcare

InnoHEALTH Magazine — Tue, 28 May 2019 06:57:20 +0000

Likewise, the global trends, the growth of the Internet in India is incredibly fast-paced, with an estimated addition of 10 million active users each month. Along with the increase in the number of users, the adoption rate of going digital by various stakeholders in our society is also growing exponentially. Unfortunately, this also increases our vulnerability to potential hacks or security breaches that come from individual hackers to organized groups to even attacks from nation states. Cybersecurity, thus, entails protection of our cyberspace, and all the critical infrastructures like banking and finance, defense, healthcare, manufacturing, nuclear reactors, and commercial facilities from being the target to any sort of attack, damage, misuse or act of espionage.

The healthcare industry is particularly vulnerable to cyber threats not least because of the minimal amount of investment they put in cybersecurity measures. Hospitals, insurance companies, pharmacies, developers/ owners of healthcare websites, manufacturers of medical devices, or handsets, or third-party vendors to which sensitive patient data gets shared; all represent a leaky pipeline through which hackers can enter a system and cause extensive damage. The types of attacks can include access to patient’s medical history, prescriptions, financial and personal details or using the Internet of Medical Things to disrupt implanted medical devices or devices like drug infusion pumps. Healthy cybersecurity practices have, therefore, never been more important than today when a ransomware attack like WannaCry has the potential to literally shut down a country’s (UK) National Health Service.

Where India stands today?

According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.

For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.

India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.

Also Read:
Cyber4Healthcare: An Issue of Today & Tomorrow
DISHA – Need of the hour

Healthcare specific provisions

While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.

Accordingly, DHD means any electronic record of health-related information

concerning the physical or mental health of a person
on any health service provided to an individual
on a donation of any body part of any bodily substance
derived from testing or examination of a body part or bodily substance
collected during providing health services
relating to details of the clinical establishment accessed by a person

DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.

Marching ahead

The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.

About the author

Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.

The post Cybersecurity Trends, Challenges, and Threats in Healthcare appeared first on InnoHEALTH magazine.

AI and Cybersecurity in Digital Healthcare

InnoHEALTH Magazine — Wed, 24 Apr 2019 09:07:46 +0000

All day all round we keep hearing the buzzwords such as Artificial Intelligence (AI), Machine Learning (ML), deep learning cybersecurity, etc. But do we really know what these are? Should we really be bothered and aware of how these can change the healthcare industry? To answer and brainstorm on such questions, the InnovatioCuris team gathered on a beautiful Saturday morning on 6 April 2019 in one of India & premier institutions in Hospital and Health Management, Indian Institute of Health Management Research (IIHMR), Delhi.

The meeting witnessed some very eminent and influential speakers from around the healthcare sector. The former Enforcement Director (ED) Karnal Singh who has investigated many high- profile cases graced the meeting as the Chief Guest.

Innovation is exciting and there are more innovations happening in the private sector, and with increasing technology come increased risks. With the rapidly growing technology, ranging from wireless devices such as mobile phones, tablets, and laptops to smart refrigerators, cars, and even medical devices like pacemakers, etc., it seems that the growing connections around us are difficult to detect. Therefore, the risk that comes together in operating within this brave, new and a connected world is high.

Shri Karnal Singh shared his expert viewpoint on the impact and importance of artificial intelligence, connected healthcare and need for cybersecurity in healthcare. How the digitization of healthcare is important and the rural and urban divide of same. He also insisted on the improvement of infrastructure and facilities available in the rural healthcare industry. In addition, he discussed the gap between the medical industry and government institutions where the research is needed and that we adopt mostly from our partnering and supporting foreign countries and how a change in mindset and adoption of new and improved technology can enhance the Indian healthcare. The future of healthcare is on the Internet and the Internet is vulnerable. Technology is the solution and it will come whether we want it or not. Therefore, the need of the hour is OUR PREPAREDNESS. We should welcome and be prepared for the connected network of healthcare.

An interesting session on the basic concepts of AI was the icing on the cake. It acquainted the participants with AI emphasizing on the fact that one should not get bogged down by the technology. Instead, one should focus on the use cases of it and there lies the innovation.

Often, the terms “digital health” evoke images of smartwatches or apps that can process the health data and can give a readout of parameters like heart rate, blood pressure, etc. That is a part of digital health, to be sure, but today we also focus on a newer aspect called “Precision Health” and the session “Prerequisite and journey of India to offer (precision) healthcare to all: Powered by Digital, Genetics, and AI” offered a far more expansive vision for digital health technologies, genetics and AI.

Precision medicine is an emerging approach of medicine which focuses on the cause of an illness, and not addressing the symptoms alone. Precision medicine may not be very well- known as Personalized Medicine. But they are the same. It takes into consideration individual variability in genes, environment, and lifestyle for each person.

Precision healthcare improves efficiency and accuracy to healthcare treatments. With precision healthcare, doctors can potentially develop targeted and precise treatment and therapies for masses as well as for an individual. This can improve patient treatment to large populations in countries like ours.

It’s based on evidence and data which comes from a series of medical tests on a patient. Thus, the data is its most important aspect. Very soon, along with genome sequencing and health sensors data coupled with the growing amount of Big Data, patient data will create large data sets of valuable information which can be used for more tailored treatments. But as an individual, a physician is not equipped to manually analyze these newly available data sets, which is where the advanced technologies such as AI come into picture.

The challenge that the clinicians see in the adoption of AI is the gap between the technical person and a clinician in regard to understanding the implementation of “normal reference values”. For example: If the normal value of hemoglobin for a person staying at planes (say Delhi NCR) is 13.5, the value 17.5 is perfectly normal at Ladakh. Is that incorporated in the AI system? Something that works in the USA might not work in India. The doctor or a clinician will have a great role to play in case of developing the AI as he/she can only give the correct inputs for the training sets.

With the new wave of digitization, medical records have seen a paradigm shift in the healthcare industry. As a result, the healthcare industry is witnessing an increase in the absolute volume of data in terms of complexity, diversity, and timeliness. Since the healthcare experts look for every possible way to lower the costs while improving the care process, delivery and management, and so is the aim of InnovatioCuris (IC), big data emerges as a persuasive solution with a promise to transform the healthcare industry. This paradigm shift from reactive to proactive healthcare may result in an overall reduction in healthcare costs and gradually may lead to economic growth. The above-stated and many more discussion points were there that became the part of the very interactive and interesting second session on “Mitigating data security and privacy challenges for digital healthcare in India”.

Data transmission is also an important aspect of implementing technology and safeguarding it. The Digital Information Security in Healthcare Act (DISHA) is one such step taken by the Indian Government in the long journey to securing the healthcare data of patients in India.

One of the biggest challenges is the lack of availability of data in a democratic manner and it’s all in silos in short data interoperability is a huge challenge. The major concerns that the clinicians have at the moment regarding the implementation of DISHA act are that it says that no court shall entertain any complaint unless made by the Central Government or central data authority, state data authority or the person affected and there would be times when PIL (public interest litigation) is there on the data security as well. The challenges will always pertain but what we need to do is to have trust in the law and protection by it. Major challenges regarding data security or cybersecurity, in hospitals or the clinical establishments, is that we do not have implemented laws that may protect our data. With the hope that they are definitely going to come, we can only stay prepared with our changed mindsets.

The post AI and Cybersecurity in Digital Healthcare appeared first on InnoHEALTH magazine.

How Crucial is DISHA Act for Healthcare Industry?

InnoHEALTH Magazine — Mon, 17 Dec 2018 08:56:22 +0000

“A journey of a thousand miles begins with a single step.” The Digital Information Security in Healthcare Act (‘DISHA’) is that firm first step taken by the Indian Government in the long journey to secure the healthcare data of patients in India. The question we need to ask ourselves is that Why DISHA is the need of the hour? Why do we need to safeguard the electronic health record in hospitals?

The draft of the act was made public in November 2017 by Ministry of Health and Family Welfare. The word ‘Disha’ means direction, the GoI has taken the first step in the direction of safeguarding the digital health record. For this InnovatioCuris has also taken the first step towards having a concrete discussion about ‘Challenges in the implementation and opportunities for making health sector DISHA and data protection ready’. There were panelists from various renowned government, private hospitals, and healthcare IT firms.

The first session was about the ‘Challenges in the implementation of DISHA’. The panelists were happy that InnovatioCuris has taken an initiative to critically discuss the challenges a hospital will face once the act becomes the law. All the panelists agreed that the act lacks various aspects. Few concerns that bother the clinicians are, that who will give the consent if the patient is unconscious.

The ambulances have the capability that it sends the health records from the ambulance to hospital before the patient reaches the hospital for doctors to study the emergency cases. In this scenario, what should be done if a patient denies the consent for sharing the data at a later stage? Should the clinical establishments discard the already shared health record or should they handover the same to the owner (in this case, patient) or what should be done. There are no set protocols defined in the act for such cases.

A question was put forward, does the patient has the authority to edit their health record, or can they view, who have seen their health record. A healthy discussion took place where we got to know that citizens of Estonia have chip cards, where one can see their health record and can also see the logs of who has accessed their health record. This made us realize, that India as a nation state can use Aadhar card as a mechanism, where we can log in into a portal and get to see health records.

The third challenge that came forward was interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. The health record can be shared by the clinical establishments to another, but there is no standard on how to transfer it. Data integrity is a point of concern, which is not mentioned in the act.

One of the challenges that came into light was according to ‘Clinical Establishment Act Standards for Hospital[2]’ the hospital has to keep health information and statistics in respect of national programmes, notifiable diseases, and emergencies/disasters/epidemics and furnish the same to the district authorities in the prescribed formats and frequency. The question is what if the patient does not give consent. The proposed act should have a provision where the clinical establishments are liable to take the health data.

As we have unstructured healthcare facilities in India, the act should also empower the clinical establishments by various means to keep the data safe. As of now the DISHA is a proposed act, not a law and has lots of loopholes. It also lacks in many aspects discussed earlier. This is just a start and the government should take necessary steps to improve it.

The second panel discussed on ‘Opportunities for making health sector DISHA and data protection ready’. The panelist consisted of CIO of path labs, owners of healthcare IT firms, who shared relevant thoughts and comments. The panel started the discussion on why do we need the act and what are the benefits of the act. Panelist were grateful to the government to bring the act. They told that the clinical establishments will take steps to increase the safety of the health record.

The gaps in the technology for generation, storage and transmission will be lowered down. Sectors such as banking, financing and insurance have structured their data, but this lacks in healthcare. Detailed scope of security features are missing from the act, this would help the companies to design the software from the ground up by using security as an important consideration.

The imminent threat is in the software which are already in place and have not been patched or the system has not been upgraded. The good news is that many have an audit trail in built in their system, which track any CRUD(creation, read, update, delete) of the records. The discussion contributed a fruitful thought: Data at rest is not encrypted. The question that arises is what is preventing the healthcare IT companies to encrypt the data at rest.

One of the challenge in the DISHA is that, the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health record within three days. But according to IBM report it takes on an average of 197 days to detect a breach[1]. How can the Healthcare IT companies safeguard the health record and let the owner know about the breach. The solution is to encrypt the tables in the database, but that might hamper the performance.

It is a huge opportunity for the stakeholder to bring standards in the act. DISHA might have only completed its first round of comments from the public and stakeholders, it can be expected that the revisions made based on the feedback will churn out a more refined version of the act. In any case, it is evident from the draft that the government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health record.

The post How Crucial is DISHA Act for Healthcare Industry? appeared first on InnoHEALTH magazine.

India EU Collaboration in Health Sector

InnoHEALTH Magazine — Fri, 16 Nov 2018 06:55:18 +0000

India EU collaboration in Health sector, startup opportunities, and challenges.

In this session, the panel provides insights on market development in India, including examples of reverse innovations from India to Europe and back along with legal and IPR challenges.

InnovatioCuris and InnovatioCuris Foundation for Healthcare and Excellence started with a vision of bringing down the healthcare delivery cost and improving the quality of care.

Some of the panelists represented EU member states or the EU entities and also from India on the panel. Their inputs were key in shaping up the cooperation between EU and India. Hence, Their inputs and early support has been key in shaping up the innovation ecosystem between the two regions.

Prof. Paul Lillrank (moderator) presented his keynote by giving insights of his ideas and implementations in the organization for which he is the chairman (Aalto Health Platform). Explained how the world famous, ARAVIND EYE CARE model was chosen and implemented by his student in Finland who studied ARVIND EYE CARE in Tamil Nadu. Stressed on technology circulation instead of technology transfer, as the later is only one directional flow. He felt India is the most innovative place in the world with the land full of opportunities.

Molshree Pandey, currently working on communicable diseases and finding ways to collaborate stakeholders in a much more efficient way. Conducts and concentrate on boot camps, road shows in Denmark, presentations to many companies; connecting and opening pathway to better delivery of care in India as well as Denmark. Insisted on modification of products according to the country.

Ankit Bahl compared the way of delivering care and implementing in 2 countries Estonia of 1.2 million populations with India of 1.2 billion populations. Estonian healthcare developments:

-Have S.E.Z for Pharmaceuticals, diagnostic companies in Estonia
-Worlds first biobank which Is commercialized too!
-97% of their patient prescriptions are made online for better access for both patients as well as stakeholder handling it.

Only three things can’t be made online in Estonia 1.marriage 2. Divorce 3. Trade property. Haha!! Introduced E ambulance in Estonia! They call E-Estonia and are also working towards to achieve it!

Iris Ohrn, A kind of matchmaker and identifies companies, investors which would benefit mutually. She observed similar challenges in India as well as Sweden in terms of the cost of healthcare.

K Gopalan, Works for the betterment of healthcare ecosystem of underprivileged. India is a big corridor for the scope of solutions. The focus needs to be on Primary health care, an example is vatsalya which is trying to provide subsidized private care. Promoted SANKALP, which is a form of the network of healthcare stakeholders.

Identification of right partners and right market recognition is required. IPR (very important) during technology transfer is at-most concerned.

As GDPR in EU, likewise, we need in India too. Shared her views on DISHA Act
DISHA:
– Setting up central and state organizations
– Ensuring trust in the system
– Recognition of ‘RIGHT TO RECTIFY’ by the patients is becoming important
Differences in DISHA and GDPR should be studied,
Example: right to forget/Erase isn’t there in DISHA

The post India EU Collaboration in Health Sector appeared first on InnoHEALTH magazine.

DISHA – Need of the hour

InnoHEALTH Magazine — Mon, 16 Apr 2018 04:18:00 +0000

Digital Information Security in Healthcare Act (DISHA) is proposed by the Indian government to secure e-Health data.

The act:

The Act mandates the clinical establishments to secure the digital health data and defines functions of the new regulatory bodies at the center and state level except the State of Jammu and Kashmir. Clinical establishments here means, any hospital, clinic, dispensary, etc., be it public or private.

Setup:

National Electronic Health Authority (NEHA) and State Electronic Health Authority (SEHA) will be setup as the governing bodies to formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of the digital health data for this Act. It will also ensure data protection and prevent breach or theft of digital health data. It will establish data security measures for all stages of generation, collection, storage and transmission of digital health data, which will at least include access controls, encrypting and audit trails.

Digital Health Data:

Digital health data comprises of one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus (HIV) status, Sexually Transmitted Infections treatment, and abortion etc;

The required health data can be obtained by consent from the owner, thus informing them the purpose of collection, identity of the recipients to whom the health data may be transmitted or disclosed, identity of the recipients who may have access to the data on a “need to know” basis.

Major points:

As per the draft, the owners have the right to privacy, confidentiality, and security of their digital health data and the right to give or refuse consent for generation and collection of such data.

The Act also lists down factors affecting data transmission as to who can transmit, how they can transmit and monitoring data transmission. The Act further lists down the guidelines on accessing this data, with regards to who can access, how they can access and purpose of data access by various entities.

Penalties in contravention of serious breach of healthcare data shall be punishable with imprisonment, which shall extend from three to five years; or fine, which shall not be less than five lakh of rupees.

There are many debatable points that arise from this Act such as the technical measures a clinical establishment should take, standardization of data security, measures to be taken in times of breach, training and capacity building of the clinical establishment, best practices of data collection and storages.

The clinical establishments might be worried on implementing the Act, as they might lack the technical resources to bring the robust solutions. On the other hand the security industry in the country might be looking to engage clinical establishments and respond to this situation by providing cost effective solutions and safeguarding the privacy of the patient.

To implement the Act, clinical establishment might need hand holding. However, we appreciate the efforts of the government to propose this Act and safeguard the interest of patients and citizens.

Would you be interested in joining a workshop on discussing, opportunities and challenges in implementing DISHA, send us your interest on info@innovatiocuris.com

The post DISHA – Need of the hour appeared first on InnoHEALTH magazine.