health data Archives - InnoHEALTH magazine

India’s 1.4 Billion Health Data Mavericks:Awakening Awareness in a Nation that Takes it Easy

InnoHEALTH magazine digital team — Thu, 19 Oct 2023 06:38:56 +0000

Often, we place our trust in healthcare providers, assuming they will protect this sensitive information. But is trust alone sufficient in these turbulent digital waters?

In the rapidly evolving landscape of digitalization, where every online interaction leaves behind a trail of personal information, we find ourselves at a pivotal juncture. Our personal data, a highly sought-after asset in the digital era, is constantly in demand by various entities. However, within this frenzy of data collection lies an exceptionally intimate and personal treasure trove – our health data. As we embark on an innovative journey through India’s Digital Personal Data Protection Bill 2023, it becomes imperative for healthcare professionals to comprehend how this legislation may safeguard our most invaluable possession: our health data.

The Paradigm Shift:

Close your eyes for a moment and envision this scenario: you visit a doctor for a routine check-up, sharing your medical history, undergoing tests, and receiving a diagnosis. But have you ever paused to ponder what happens to that information once you leave the doctor’s office? In many instances, it transforms into a digital fragment, residing in a vast repository accessible to various parties. It could be used for research, become a tool for insurance companies, or, in the worst-case scenario, fall prey to malicious data breaches. Often, we place our trust in healthcare providers, assuming they will protect this sensitive information. But is trust alone sufficient in these turbulent digital waters?

Another distressing facet of this clandestine industry is the unauthorized access to health data by unscrupulous actors.

Data Protection Bill 2023: A Beacon of Hope:

The Digital Personal Data Protection Bill 2023 in India emerges as a beacon of hope in our mission to preserve the sanctity of our health data. Let’s embark on an enlightening journey to explore some of its key provisions and their potential impact on our lives:

Personal Consent: This legislation stipulates that personal data can only be processed for lawful purposes with explicit consent from the individual. In simpler terms, your health data remains concealed from prying eyes unless you choose to disclose it. This provision empowers you with newfound control over your data.
Data Accuracy and Security: The Bill places the responsibility on data fiduciaries, those who collect and process data, to maintain the integrity of the data, ensuring its security and deletion once its intended purpose is fulfilled. It establishes a fundamental principle: the safeguarding of your health data is paramount.
Individual Rights: Within this framework, you are granted the right to access information about how your data is being processed, the ability to correct inaccuracies, and a mechanism to address concerns. This provision fosters a culture of transparency and accountability, putting you in charge of your health data’s fate.
Cross-Border Data Transfer: In a world where data flows across borders rapidly, the Bill introduces regulations governing the transfer of personal data beyond India’s shores. This safeguard ensures that your health data doesn’t inadvertently end up in countries lacking robust data protection standards.
Data Breach Reporting: In the unfortunate event of a data breach that could jeopardize your well-being, data fiduciaries are obligated to report it to the Data Protection Board of India and directly inform you. This measure ensures timely awareness and empowers you to take corrective action.

Why Does it Matter?

Our health data, a digital reflection of our most private and intimate aspects, holds the potential to revolutionize medical research, enable personalized therapy, and potentially save lives. However, this promise is not without risks, especially in a society where data has become a valuable commodity. The Digital Personal Data Protection Bill 2023 acts as a formidable deterrent against the latent threats of health data misuse and breaches.

Unmasking the Shadows: Crimes in Health Data Industry in India

A formidable industry has thrived in the shadows of the digital world, operating away from the public eye. This shadowy domain revolves around the illicit exchange and exploitation of health data, a sector worth billions of dollars. It thrives on the unauthorized acquisition of individuals’ medical information, often without their knowledge.

For too long, India’s health data industry has functioned as a clandestine network. It’s a hidden realm where people’s private lives, medical conditions, treatments, and vulnerabilities are commodified and auctioned off to the highest bidder. This profession is rife with a range of undisclosed crimes, including data theft, sales, unauthorized access, and extortion.

One glaring example of these crimes involves the widespread sale of health data to insurance companies. Imagine a scenario where an individual, dealing with a severe illness, confides in their healthcare provider. Little do they know that this information could end up in the hands of insurance companies looking to deny coverage or inflate premiums. This surreptitious trade in health data not only jeopardizes individuals’ financial well-being but also erodes the trust placed in the healthcare system.

Digital Personal Data Protection Bill 2023 has the potential to shine a spotlight on this clandestine business, exposing its wrongdoings and guaranteeing the utmost respect and protection for individuals’ health data.

Another distressing facet of this clandestine industry is the unauthorized access to health data by unscrupulous actors. Medical records, often stored in digital repositories, become prime targets for hackers seeking to exploit vulnerabilities in security systems. These cybercriminals gain access to sensitive patient information, which can be used for identity theft, fraudulent insurance claims, or even sold on the black market.

Furthermore, healthcare institutions themselves are not immune to these crimes. Incidents of data breaches within hospitals and clinics are alarmingly common. Patient records, filled with personal identifiers, become the currency of the illicit health data trade. In many cases, these breaches go undisclosed, leaving patients unaware of the compromise of their personal information.

In a world where our health data is digitized and shared, the need for robust data protection measures becomes undeniable. This is precisely where the Digital Personal Data Protection Bill 2023 in India steps in as an agent of change. It has the potential to expose the shadowy actors in the health data industry, bringing them to justice and ensuring the privacy and dignity of individuals’ health data.

One of the key provisions of the Bill is its stringent stance on data breaches. It mandates that data fiduciaries promptly report breaches to the Data Protection Board of India and the affected individuals. This requirement ensures transparency and accountability in the event of a breach, making it significantly more challenging for wrongdoers to operate covertly.

In conclusion, India’s health data industry, shrouded in secrecy, has thrived for too long on the vulnerabilities of individuals and the absence of robust data protection measures. The Digital Personal Data Protection Bill 2023 has the potential to shine a spotlight on this clandestine business, exposing its wrongdoings and guaranteeing the utmost respect and protection for individuals’ health data. As custodians of health information, healthcare professionals must play a pivotal role in advocating for data privacy and urging the implementation of the Bill’s requirements. In doing so, we can pave the way for India’s genuine progress, where our most personal data is safeguarded, and the shadows of the health data industry are dispelled by the light of transparency and accountability. This is how India can truly thrive as a developed nation while preserving the well-being and dignity of its people.

“Composed by: Sagar Pandya is a highly accomplished professional with a Master’s degree in Software Technology and a decade long experience in the software industry, working with renowned multinational corporations, gaining expertise in latest technologies. He is also an author, known for his book “Tales of the Jungle: Fables of Indian Animals and Morals.”

The post India’s 1.4 Billion Health Data Mavericks:Awakening Awareness in a Nation that Takes it Easy appeared first on InnoHEALTH magazine.

WHO's First Guideline to Digital Health Interventions

InnoHEALTH Magazine — Wed, 31 Jul 2019 09:46:27 +0000

On 17th April 2019, WHO released a ‘new recommendations on 10 ways that countries can use digital health technology, accessible via mobile phones, tablets and computers, to improve people’s health and essential services’. Harnessing the power of digital technologies is essential for achieving universal health coverage, says WHO Director-General Dr. Tedros Adhanom Ghebreyesus. Ultimately, digital technologies are not ends in themselves; they are vital tools to promote health, keep the world safe, and serve the vulnerable.

Over the past two years, WHO systematically reviewed the evidence on digital technologies and consulted with experts from around the world. This guideline is a roadmap to research for global health so as to strengthen countries health systems. It is to be effective, sustainable and responsible.

“The use of digital technologies offers new opportunities to improve people’s health,” says Dr. Soumya Swaminathan, Chief Scientist at WHO. “But the evidence also highlights challenges in the impact of some interventions.” She adds: “If digital technologies are to be sustained and integrated into health systems, they must be able to demonstrate long-term improvements over the traditional ways of delivering health services.”

Dr. Oommen John, Senior Research Fellow, George Institute says, India is a hub for digital health innovations, however very few of these innovations have achieved the scale for impact within the health systems. It is important therefore to pause, reflect and use the WHO digital health guidelines as framework of the innovation ecosystem in India and help guide energy and enthusiasm of the start-ups to develop, evaluate and implement digital health innovations that can help achieve the universal health coverage.

The guideline encourages policy- makers and implementers to review and adapt to these conditions if they want digital tools to drive tangible changes and provides guidance on taking privacy considerations on access to patient data.

“Digital health is not a silver bullet,” says Bernardo Mariano, WHO’s Chief Information Officer. “WHO is working to make sure it is used as effectively as possible. This means ensuring that it adds value to the health workers and individuals using these technologies, takes into account the infrastructural limitations, and that there is proper coordination.”

Mr. Mariano also said: “Digital Health is the future of healthcare. As we take the big leap into digital health, we must ensure that it is people centric, delivers positive health outcomes, does no harm to people and it actually improves the healthcare system as a whole.”

It is a ‘Living Guideline’ i.e. it will be updated regularly as new evidence becomes available. This Guideline has been completed under the newly formed section at the WHO: Norms and Standards section in the WHO. This Guideline has been regarding: Reproductive Health & Research and has four outcomes:

Health systems to have health data for accountability
Helping health workers to work efficiently
For tracking medical commodities to provide services
Making sure health coverage for all

Since it is a developing guideline and is meant to be stringent based on evidence alone; it is a path finder for a whole gamut of health issues. For each recommendation, a summary of the evidence on the positive and the negative effects has been provided.

Dr. Garrett Mehl, Scientist, Digital Innovation and Research, WHO says: “Digital interventions depend heavily on the context and ensuring appropriate design. This includes structural issues in the settings where they are being used, available infrastructure, health needs they are trying to address, and the ease of use of the technology itself.” Importantly, it must be noted that: “Digital health interventions are not sufficient on their own.”

The guideline recommendations about telemedicine, which allows people living in the remote locations to obtain health services by using mobile phones, web portals, or other digital tools. WHO points out that this is a valuable complement to face-to-face- interactions, but it cannot replace them entirely. It is also important that consultations are conducted by qualified health workers and that the privacy of individuals’ health information is maintained. The guideline emphasizes the importance of reaching vulnerable populations, and ensuring that digital health does not endanger them in any way.

Trusted Exchange Framework and Common Agreement (TEFCA)

On 19th April 2019, US Department of Health and Human Resources (HHS’) announced the next steps in advancing operability of health information by opening up the second draft of the Trusted Exchange Framework and Common Agreement (TEFCA) for public comment. TEFCA, would support the full, network-to-network exchange of health information nationally. Specifically, the documents being released for comments are: (1) a second draft of the Trusted Exchange Framework (TEF), (2) a second draft of the Minimum Required Terms and Conditions (MRTCs) for trusted exchange, and (3) a first draft of a Qualified Health Information Network (QHIN) Technical Framework. These documents will form the basis of a single Common Agreement that QHIN’s and their participants may adopt. This Common Agreement will create baseline technical and legal requirements for sharing electronic health information on a nationwide scale, across disparate networks.

“The seamless, interoperable exchange of health information is the key piece of building a health system that empowers patients and providers and delivers better care at a lower cost,” said HHS Secretary Alex Azar. “The 21st Century Cures Act took an important step towards this goal by promoting a national framework and common agreement for the trusted exchange of health information. We appreciate the comments and input from stakeholders so far and look forward to continued engagement.”

In developing a TEFCA that meets industry’s needs, HHS’ Office of the National Coordinator (ONC) for Health Information Technology focused on three high-level goals:

Provide a single “on-ramp” to nationwide connectivity
Ensure electronic information securely follows you when and where it is needed; and
Support nationwide scalability for network connectivity

ONC will maintain the TEF, while a non-profit, industry-based organization, known as the Recognized Coordinating Entity (RCE), will be awarded funds to develop, update, implement, and maintain the Common Agreement. Through this effort, ONC will define the minimum required terms and conditions needed to bridge the current differences among data sharing agreements that are preventing the flow of electronic health information. The industry-based RCE will be tasked with developing additional required terms and conditions necessary to operationalize the Common Agreement and meet the interoperability requirements of the 21st Century Cures Act.

“The updated Trusted Exchange Framework and Common Agreement we issued today considered more than 200 comments we received on our previous draft and reflects extensive work with our federal partners,” said Don Rucker, National Coordinator for Health Information Technology. “The future Common Agreement, made possible by the steps we take today, will provide the governance necessary to meet the interoperability demands of diverse stakeholders, including patients, healthcare providers, and health plans.”

The drafts released are responsive to stakeholder comments by making key changes to the draft requirements that health information networks who choose to participate would have to follow. These changes include updating the purposes for which information can be exchanged, adding a “push” method of data exchange, adding a technical framework for QHIN’s, and extending timelines for participating entities to implement changes that will be required by the Common Agreement.

These changes will help improve the flow of information between networks where needed and appropriate. In public health settings, for example, “reporting from providers is a foundational capability for effective public health action,” said Chesley Richards, Deputy Director for Public Health Scientific Services at the Centers for Disease Control and Prevention & that “The TEFCA will not only strengthen this capability, but will create the ability for timely and true bi-directional information sharing that is essential for responding to public health threats and epidemics.”

Designed to fill the gaps that currently impede the secure and appropriate flow of health information and to continue to enable the progress that has already been made in the private sector, the success of TEFCA depends on coordination with the private sector. “We expect that the implementation of the Trusted Exchange Framework and the Common Agreement, will bring us all that much closer to achieving the administration’s goals of nationwide interoperability,” said Dr. Rucker.

General Data Protection Regulation (GDPR), One Year On

It is a very recent piece of legislation in the European Union and the European Economic Area regions (continuation to the previous article on GDPR in InnoHEALTH volume 3 issue 1 Jan-Mar 2018). The GDPR was adopted on 14th April 2016, and became enforceable on 25th May 2018. As the GDPR is a regulation and not a directive, it is directly binding and applicable, but does provide flexibility for certain aspects of the regulation to be adjusted by individual member states. the UK granted royal assent to the Data Protection Act 2018 on 23rd May 2018, which contains equivalent regulations and protections as the GDPR.

After the first year of implementation of the GDPR over 200,000 cases have been reported. European data protection agencies have issued fines in excess of 55 million Euros for GDPR breaches since it was enforced last May, but this seems to be just the tip of the iceberg, thus making a strong possibility that enormous number of GDPR breaches are occurring but probably are yet going unreported. An assessment from the European Data Protection Board (EDPB) which is made up of regulators across the region, found that, in the first nine months, there were 206,326 cases reported under the new law from the supervisor authorities in 31 countries in the European Economic Area. One thing that has changed since the implementation of the GDPR is the massive increase in the reported number of incidents and more importantly that the companies have been reporting themselves to the data commissioner over the past year. The main emphasis under the GDPR Regulation is that companies must notify the regulators very quickly once the company losses any personal data. Consequently, of the breaches huge fines can be levied on the companies if they are found to have not done what they should have done to protect the personal data or specifically be able to display that they did all they could to clean up after the breach occurred in the first place.

Considering the developments all around the world, in terms of guidelines and regulations, specifically relating to the digital health, it is only right & more essential to emphasize the pressing need for India to have specific laws too for this area as practice carries on while laws don’t exist, which will result in exponential damage in the coming times.

About the author

Sapna Singh is a lawyer with years of experience in Telehealth law research. She possesses Diploma in Hospital Administration from India; Masters of Law in Intellectual Property Rights from US; Masters of Science in Telemedicine & ehealth from UK.

The post WHO's First Guideline to Digital Health Interventions appeared first on InnoHEALTH magazine.

Hackers Target Patients' Sensitive Health Data

InnoHEALTH Magazine — Mon, 29 Jul 2019 10:53:06 +0000

With more and more hospitals and health care facilities moving their infrastructure to Cloud-enabled Internet of Things (IoT) environment including India, hackers find patients’ sensitive health data their next big bet to make quick money. Is there a way out?

In May 2017 when WannaCry ransomware cyber attack took down hospitals across the United Kingdom, causing them to lose access to patient sensitive health data, the world took notice. Hospitals and clinics were forced to turn away patients in large numbers, including those suffering from serious ailments during the cyber attack.

In the last two years, the growing breed of hackers has brought to the fore a seemingly worrisome possibility: What if critical patient data is hacked and healthcare providers are asked to “pay to get a life back” because ransomware can attack life-supporting medical devices?

The threat is real, especially at a time when health care facilities the world over, including in India, are installing Cloud-based Internet of Things (IoT) devices to make sense of critical health data. Billed as the Internet of Medical Things, this network is made up of smart, connected devices that automatically collect, process, and digitally relay information from the physical world through a shared network infrastructure.

When it comes to India, technological advancements are redefining products and enabling customization of services in the healthcare industry across the spectrum. Not just private hospitals but government health care facilities in India are now exploring how to leverage New- Age technologies like Robotics, Blockchain, 3D printing and artificial intelligence.

In such a scenario, Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks that may compromise sensitive patients’ data as is happening all over the world. According to global cyber security firm Check Point’s 2019 Security Report, networked medical devices give healthcare professionals the ability to be much more accurate with their treatment regimens, far more efficient in administering care, and way quicker collecting and responding to biomedical information.

With hospitals adopting New-Age technologies to make sense of patients’ data for quick analysis and charting out the future course of treatment, it becomes critical to safeguard the patients’ data.

Ransomware today accounts for 85 per cent of the malware in the healthcare industry. As the IoT ecosystem expands, so does the attack surface for cyber criminals.

In other words, the more hospitals rely on connected technology in our day-to-day lives, the more vulnerable these become to the cyber threats that are increasingly tailored to exploit vulnerabilities and security design flaws in IoT devices at healthcare facilities.

In a recent blog post, Salwa Rafee, IBM Security Industry Leader (Public Sector) says that new cybersecurity threats are emerging in healthcare almost daily.

“Today, hackers target medical and IoT devices that provide, transmit, and access confidential data because they can exploit the fact that most manufacturers did not consider cybersecurity when designing those devices,” she writes.

All of this increases vulnerability to ransomware. Many healthcare providers are forced into paying to get their data back.

Attackers are getting more sophisticated, organized and less obvious as they attempt to snare staff and administrators with rapidly changing tools.

Therefore, security training and guidance is critical to minimize staff exposure to phishing attacks and malware intrusion, as is reasserting policy and penalties for staff with bad intentions.

Tech giant Microsoft which aims to transform the healthcare sector through effective use of analytics- driven insights decoding the complex data available, is very seriously looking at securing the data.

For David Houlding, Principal Healthcare Programme Manager, Industry Experiences at Microsoft, healthcare is drowning in data. “Every patient brings a record that could span decades, with x-rays, MRIs, and other data that can affect every decision. Providers and payers bring their own collateral to the table. Skills, policies, and certifications are just the start,” he said in a blog post recently.

Global cyber security leader Sophos has also found that the healthcare industry in India is the most vulnerable and weak while implementing cyber security solutions for protecting IT infrastructure.

“The ‘State of Endpoint Security’ in Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks,” emphasizes Sunil Sharma, Managing Director Sales at Sophos India and SAARC, adding that more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.

The attacks are growing exponentially across the world. In July last year, the personal health data of 1.5 million people, almost a quarter of the Singapore’s population, including the details of the city-state’s Prime Minister Lee Hsien Loong, was hacked. The hackers broke into the government health database in a deliberate, targeted and well-planned attack. The hack compromised patients’ names, identity card (NRIC) number, address, gender, race and dates of birth.

Following the hack, SingHealth temporarily banned staff from accessing the Internet on all 28,000 of its work computers. According to IBM’s Rafee, finding the right security staff also poses many challenges to a healthcare organization. “Security is a competitive field and attracting the right talent with limited resources has proven to be difficult. Expanding your applicant pool to people with more diverse backgrounds is effective,” she advises.

Not just Singapore, Hong Kong’s Department of Health became the next big victim of a cyber attack after its computers were hit by ransomware which left data inaccessible. In the meantime, the fifth annual Healthcare Breach Report published by Bitglass has found that total number of records exposed in the healthcare sector globally rose to 11.5 million in 2018. On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017.

Is there any full-proof remedy against such malicious activities?

Sophos says that healthcare business needs to move from traditional security software like antivirus and deploy sophisticated security solutions. “Given the speed at which IT threats are evolving and becoming more persistent and coordinated, it is a deep concern to see the adoption of the next- generation predictive technologies. While we all do our best to assure the integrity and confidentiality of sensitive data, the methods we use leave us with a staggering number of false positives and logs to manage.

“It is important for organizations to keep up in this dynamic world of IT threats. Organizations need effective anti-ransomware, anti-exploit, and deep learning technology to stay secure,” Sharma emphasizes. Transparency is key. Reporting details of a breach to the public quickly and efficiently is now a requirement. “No organization wants the perception that they don’t disclose information that should be reported timely. I believe the public, and your patients, understand the risk that any organization is likely to be hacked or attacked at some level,” says Rafee.

Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems,” said Rich Campagna, CMO of Bitglass. As you read this, an unauthorized user accessed a “limited number” of employee email accounts at UConn Health (branch of the University of Connecticut), compromising personal data of more than 326,000 patients.

The US Department of Health and Human Services (HHS) reported that organisations paid out more than $28 million in settlement fees in 2018 – an all-time high in healthcare breach enforcement activity. “In October, the US health insurance provider agreed to pay a whopping $16 million and introduce “substantial corrective action” following a series of cyber-attacks that led to the largest US health data breach in history,” said HHS. The Cloud environment has changed the way companies manage, store and share their data, applications and workloads. Along with a wide range of benefits, though, the Cloud infrastructure also introduces a new, fertile and attractive environment for attackers who crave the enormous amount of available computing resources and sensitive data it holds.“

While we consider the cloud to be an organization’s weakest link, threats posed to them via their employee’s mobile and IoT devices are also to be taken seriously as one of many attack vectors from which sensitive data can be stolen or leveraged to launch an attack,” informs Check Point. As cyber attacks grow and hackers aim patients’ data to make quick money, what patients are carefully watching is how well the healthcare providers are prepared to respond, mitigate future threats and move forward.

About the author

Meenakshi Iyer is a New Delhi-based freelance journalist covering health, technology and latest innovations. With more than 15 years of experience, she has worked with top media publications in the country.

The post Hackers Target Patients' Sensitive Health Data appeared first on InnoHEALTH magazine.

The Vulnerability of Medical Institutions to Cyber Attacks

InnoHEALTH Magazine — Mon, 24 Jun 2019 10:39:58 +0000

McAfee’s researchers were able to modify the vital sign data in real-time providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You would have woken up to news that Medstar patient records’ database was subject to ransom ware cyber attack and was asked to pay bitcoins. Unfortunately, the hospital did not have backup of medical records and in some cases, they had to turn away the patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine-to-machine communications. It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices. However, many hospitals are yet to make their data security systems extremely robust. Data privacy and data security are the two important pillars that need urgent consideration. Just as financial data is loved by the cyber criminals, so is health data becoming a gold-mine with the cyber offenders. Specially so when the hospitals are run on legacy systems and there is no dedicated framework or surveillance on their own data.

Personally, identifiable data is an indicator of an individual, such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Several cyberattacks on medical institutions are initiated to extract the electronic health records (EHRs) of patients. These EHRs may contain their personal health information, medical history, diagnosis codes, billing information, etc., which can be exploited by the cyber offenders in various manners, for instance to get ransom from the medical institutions or to create fake IDs to buy medical equipment(s) or medication which can be resold or exclusively sold on prescription.

Take this example. On 12 May 2017, a global ransomware attack, known as WannaCry affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under NHS) and further 603 primary care and other National Health Service (“NHS”) organisations were infected with the ransomware virus including 595 general practitioners. The trusts which were affected with WannaCry ransomware faced issues like patient appointments being cancelled, computers being locked out, diversion of patients from accidents and emergency departments, etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHSmail (the NHS email system).

In India, as reported by multiple news agencies, last year in the month of June, the Mahatma Gandhi Memorial (a trust-run hospital) hospital, Mumbai (MGM Hospital) was affected by a similar cyber-attack where the hospital administrators found their systems locked and noticed an encrypted message by the attackers demanding ransom in Bitcoins to unlock it. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institutions hostage for ransom, by encrypting all the systems completely inaccessible and unusable for the victimised medical institutions. The vulnerability to such cyberattacks may account to various reasons, such as outdated digital infrastructure, medical personnel unaware or untrained about cyberattacks. Cyber offenders may gain access to medical institutions’ systems through various ways and sometimes as simple as (a) using a USB drive; (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking email or (e) phishing, etc. It is time that our healthcare providers upgrade their technologies, networks, and understanding on this subject.

Regulatory bodies across the world have suggested / adopted guidelines and cybersecurity processes and controls which help the medical institutions to mitigate cyber risks and vulnerabilities. In this article, we will be primarily focusing on various safeguards and standards put in place by the European Union and India to deal with such cyberattacks.

SCENARIO IN EUROPE

As a part of the EU cybersecurity strategy, the European Commission standards to ensure necessary adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and it came into force in August 2016. As the NIS Directive is an EU directive, every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (a) national capabilities, (b) crossborder collaborations and (c) national supervision of the critical sectors including health.

(a) National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g., it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).

(b) Cross Border Collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.

(c) National Supervision of Critical Sectors: As per the NIS Directive, every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive the NIS cooperation group through ENISA has developed guidelines regarding (a) identification criteria of cyberattacks, (b) incident notification, (c) security requirements for Digital Signal Processors (DSPs), (d) mapping of operators of essential services (OES) security requirements for specific sectors including health and (e) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribe certain standards of safety and quality, three recognised EU standards organisations namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electro-technical Standardization (CENELEC) and, (c) the European Telecommunications Standards Institute (ETSI) were set up. By setting common standards across EU, CEN, ETSI and CENELEC ensure protection of consumers, facilitate cross-border trade, ensure interoperability of goods/ products, encourage innovation and technological development, and include environmental protection and enable businesses to grow.

The General Data Protection Regulations (“GDPR”) specifically define ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special category of data’. This means that parties who are processing special category of data shall comply with additional higher safeguards and process it legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

THE INDIAN SCENARIO

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step for addressing issues relating to cybersecurity when it amended the Information Technology Act, 2000 in 2008, through which they established an Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cybersecurity incidents occurring in India and analysing information related to cybercrimes, but among other things CERT is also indulged in issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incident.

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cybersecurity incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cybersecurity as may be prescribed.

CERT-India in the last five years or so has focused on making various institutions who are highly dependent on cyber/digital networks, i.e. are ‘cyber resilient’. Being cyber resilient allows these institutions to effectively anticipate the various threats and figure out the mechanisms of dealing with the cyberattacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient.

Anticipate: Maintain a state of informed preparedness to forestall compromises of mission/ business functions from adversary attacks
Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyberattacks
Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
Evolve: To change missions/business functions and/or the supporting cyber capabilities, to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced certain rules. The rules require each and every corporate body including medical institutions who collect sensitive personal information to have security measures as documented in their security policy/programme which is considered to be a reasonable security practice, keeping in mind the nature of their business and considering the fact that they are collecting sensitive personal information. One such international standard as recommended under the Rules is the IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill for Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure reliability, data privacy, confidentiality and security of digital health data. DISHA prescribes that the storage of digital health data so collected would be held in trust for the owner and the holder of such data would be considered as the custodian of data, thereby making such holder responsible to protect privacy, confidentiality and security of data.

To bring it all together:

Majority of the cyberattacks reported worldwide are caused due to reasons which sometimes are trivial and perhaps ignored more often, such as outdated Windows operating system patch, lack of proper antivirus or reasons such as phishing, lack of awareness among the people about cybersecurity, etc.

The EU, through GDPR has made data security an integral part of law and India is taking strong steps to set up a robust data protection and data security law. Various regulations, programmes, codes, standards, etc., discussed in this article are some key indicate steps that can be implemented.

Law is just one part to solve the issue. The real question is who is responsible for safety of our personal data, commercial data, data assets, etc.? We secure our houses with a lock, burglar alarms, video cams because the house owner wants to protect it. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions who collect health data for multiple reasons should be aware of various cyber-threats and must take steps to safeguard their networks and systems from such threats.

About the author:

Sharda Balaji is the founding partner of NovoJuris Legal, and along with being a qualified lawyer is also a company secretary and has been at the core of evolution of technology and IT laws in India.

Manas Ingle is a legal associate at NovoJuris Legal and works as a technology lawyer, where he deals with various legal projects relating

The post The Vulnerability of Medical Institutions to Cyber Attacks appeared first on InnoHEALTH magazine.

Integrating Technologies to Better Healthcare

InnoHEALTH Magazine — Wed, 17 Apr 2019 09:57:49 +0000

Age and disease demographics are changing rapidly across the globe. The number of people above 65 years is expected to double and constitute nearly 17% of the world population by 2050. The chronic disease incidence rate is expected to rise to 57% by 2020. These figures highlight the need to enhance the quality and efficiency of care with quick response time to health-related emergencies.

Ideas that cut across medicine, biological and engineering sciences, material design, and system innovations are converging to address these challenges. The shift is going to be from legacy products like pacemaker and imaging systems to wearables for general fitness tracking and gait monitoring. Taking a step further, researchers are now developing and testing more focused miniaturized bioelectronic devices for recording and analyzing health data for detecting determinants of health and for medical interventions.

In diagnostics, non-invasive bioelectronic skin sensors that measure analytes in biofluids like saliva, tears, and sweat are showing promising results in assessing stress levels and detecting conditions like diabetes and cystic fibrosis. Researchers from the All India Institute of Medical Sciences (AIIMS) and Indian Institute of Technology (IIT) Delhi have developed a biosensor for detecting glucose in saliva samples for diabetes detection. The results can directly be viewed on the user’s smartphone. Many such studies are now underway in India.

Also Read: Healthy Lives: Everyone, Everywhere

Conductive gels and patch sensors resembling fashion accessories are also being developed to record cardiac, brain and muscle activity which could complement the traditional blood analysis and clinical examinations. Mechano-acoustic skin sensors that measure speech patterns and internal body sounds, like swallowing, are being explored to quantitatively measure the impact of rehabilitation in patients, such as those recovering from a stroke.

In treatment, miniscule implants placed inside the body can cross the blood-brain barrier and deliver the drug directly at the target site, even in hard-to-reach internal organs. Such devices have shown promising results in laboratory settings in reducing side effects and toxicity while increasing overall drug efficacy. This could also ensure patient compliance, a step further to the recently approved digital pill, especially in patients on long care and those with compromised cognition.

Certain implants can also electrically stimulate cardiac or brain tissues to treat conditions like irregular heartbeat, certain motor disorders, and cognitive impairments. Other implants like artificial retina and cochlear implants, restore functionalities of damaged tissues. These interventions, being referred to as ‘Bioceuticals’, could restructure conventional therapeutic options for more efficient outcomes.

In India, a lot of work has now started in this sphere. Results from a few studies have started trickling in, with most of them in development or early stages of testing. Research findings in the journal Scientific Reports by researchers from IIT Kharagpur earlier this year reported bio impedimetric analysis of cancer cells that efficiently distinguishes their aggressiveness by measuring electric field impedance in laboratory conditions. In another study published in the journal Sensors earlier this year, researchers at IIT Delhi developed a novel low-cost prosthesis based on sensors to enable normal gait kinematics, i.e. motion analysis, for lower limb amputees.

IIT Kharagpur is setting up a Bioelectronics Innovation Laboratory that aims to develop battery-free implantable miniaturized engineering systems for treatment of brain, nerve, muscle or spinal cord disorders by restoring missing neural functions. The proposed coin-sized implant will be powered wirelessly and will combine brain activity testing like electrical simulation, bio-potential recording and neuro-chemical sensing for use in rehabilitation and prosthesis.

Also Read: India’s First Smartphone Insertable Cardiac Monitor

Round-the-clock data collected from bioelectronic devices could replace the present time-point investigations and lead to better management of the health condition of patients. In addition, data from multiple people can help develop artificial intelligence algorithms and predictive tools. Such tools have already started showing analytic performance similar, and sometimes better than manual inspection by a specialist physician. In countries like India, that suffer from a shortage of qualified doctors in remote areas, such devices have immense potential. However, data standardization, data security, and privacy protection must be addressed and regulated before rolling out such interventions.

In the next few years, health monitoring, neural prosthetics, and biochemical prosthetics are expected to drive major developments in this space. Although the monitoring devices have already started testing the market in niche patient segments, it may take the implants another 5-10 years to reach health centers as they make their way through developmental and regulatory checkpoints.

The post Integrating Technologies to Better Healthcare appeared first on InnoHEALTH magazine.