healthcare data Archives - InnoHEALTH magazine

Data Protection Bill 2023: Advancing Indian Healthcare

InnoHEALTH magazine digital team — Fri, 20 Oct 2023 06:30:00 +0000

The unchecked processing of health data has the potential to encroach upon the fundamental right to privacy, which gains even greater importance in healthcare contexts.

Amidst the digital age, where personal data has become the cornerstone, safeguarding this precious asset takes center stage, especially in the realm of healthcare. The Digital Personal Data Protection Bill 2023, a pioneering legislative stride, holds the promise of reshaping the landscape of data security and privacy, particularly in the context of healthcare. Carved with meticulous attention to individual rights and the requisites of the digital healthcare domain, this bill presents a comprehensive framework that seeks to harmonize data processing necessities with the crucial need to shield personal health data. The term “personal data” holds significance, especially in healthcare, denoting any information tied to an individual’s identity or location. This sensitive information is subjected to processing for a multitude of purposes, ranging from the provisioning of medical services by both private healthcare providers and public health agencies.

The processing of personal health data fosters an understanding of patients’ preferences, which proves valuable for personalized medical care, targeted health interventions, and the generation of medical recommendations. However, the processing of such information also raises pertinent concerns, particularly concerning potential breaches in relation to law enforcement activities. The unchecked processing of health data has the potential to encroach upon the fundamental right to privacy, which gains even greater importance in healthcare contexts. The failure to ensure proper checks might expose individuals to adverse outcomes, including financial losses, damage to medical reputation, and the creation of unwarranted health profiles. In the current scenario, India’s healthcare sector grapples with the absence of a dedicated law addressing the safeguarding of personal health data. While the Information Technology Act of 2000 does impose certain limitations on the use of personally identifiable information, a specialized legislation specific to healthcare data protection remains lacking.

Building upon this foundation, in December 2019, the Lok Sabha received the Personal Data Protection Bill, 2019. Shaped by the Committee’s recommendations, this bill was subsequently referred to a Joint Parliamentary Committee, which released its findings in December 2021. However, a temporary withdrawal of the bill from parliamentary consideration occurred in August 2022. Notably, the healthcare community and the public were granted the opportunity to review and provide feedback on a draft legislation version in November 2022. Finally, marking a significant stride towards safeguarding healthcare data, the Digital Personal Data Protection Bill 2023 was officially introduced to Parliament in August 2023, warranting careful consideration in the context of healthcare’s digital transformation.

1. The Digital Personal Data Protection Bill 2023: A Paradigm Shift

Recognizing the urgency of the situation, the Indian government has taken a visionary step by introducing the Digital Personal Data Protection Bill 2023. This transformative legislation seeks to bridge the gap between the escalating demand for data-driven services and the imperative to safeguard individual privacy rights. Furthermore, the Digital Personal Data Protection Bill 2023 exercises jurisdiction over the processing of digital personal data within India, encompassing data collected through online channels or digitized from offline sources. Moreover, its scope extends beyond India’s borders to encompass data processing conducted outside the nation’s boundaries, particularly concerning the provision of goods or services within India.

The bill emphasizes that personal data can only be processed for lawful purposes with the explicit consent of the individual concerned. However, certain exceptions exist where consent might not be obligatory. These include instances of voluntary data sharing by individuals or data processing conducted by the State for purposes such as issuing permits, licenses, benefits, and services.

Under the provisions of the bill, Data Fiduciaries are obligated to uphold the accuracy and security of the data they process. They are further required to delete the data once its intended purpose has been fulfilled, thereby promoting responsible data management practices. The bill extends a range of rights to individuals, including the right to request the correction and erasure of inaccurate data, as well as providing a mechanism for addressing grievances related to data processing.

In addition, the bill grants the central government the authority to exempt government agencies from specific provisions, particularly in cases where such exemptions are deemed necessary for the security of the state, public order, or the prevention of offenses. To ensure compliance with the provisions of the bill, the central government will establish the Data Protection Board of India. This board will be entrusted with the task of adjudicating cases of non-compliance and ensuring the effective implementation of the bill’s regulations.

2. Forging a Resilient Data Ecosystem

The Digital Personal Data Protection Bill 2023 stands as a testament to India’s commitment to fostering a digital ecosystem that champions innovation while safeguarding individual rights and data security. With its comprehensive framework, the bill acknowledges the dynamic interplay between data processing and privacy, striking a harmonious balance that acknowledges the transformative potential of data-driven services while ensuring that individuals’ personal data is treated with respect and responsibility.

As the bill navigates its path through legislative processes, it not only addresses the pressing concerns of the present but also lays the groundwork for India’s digital future. The careful considerations embedded within the bill signal a broader vision that extends beyond immediate challenges, towards a landscape where data protection becomes an inherent part of the digital fabric. The bill’s emphasis on clarity, accessibility, and inclusivity through the SARAL approach and gender recognition represents a forward-looking perspective, one that envisions an empowered society driven by progressive values.

3. Indian Vision 2047: Pioneering a Data-Driven Destiny

In the grand tapestry of India’s journey, the Digital Personal Data Protection Bill 2023 finds resonance with the broader Indian Vision 2047, a dream of India’s future characterized by prosperity, inclusivity, and technological prowess. As we inch closer to 2047, the nation envisions a harmonious blend of tradition and innovation, where technology and data serve as enablers, not disruptors, of societal progress.

The bill aligns seamlessly with this visionary trajectory. By providing a roadmap for data governance that places individual rights and accountability at the forefront, it propels India towards a future where data is not just a commodity, but a valuable asset that contributes to the collective growth. As India aims to become a global leader in emerging technologies, the bill’s emphasis on reasonable security measures and privacy-conscious practices will fortify its stance on the international stage.

4. A Multifaceted Approach: Navigating the Salient Features

The Digital Personal Data Protection Bill 2023 encompasses a spectrum of salient features that underscore its transformative potential:

– Balancing Act: Data Processing and Privacy Rights

At the heart of the bill lies a delicate equilibrium: the recognition of individuals’ rights to protect their personal data and the necessity of processing such data for legitimate purposes. By establishing obligations for Data Fiduciaries – the entities entrusted with data processing – the bill aims to ensure responsible data handling.

– Guardians of Privacy: Protecting Digital Personal Data

A cornerstone of the bill is the protection of digital personal data, referring to data that can identify an individual. This protection is realized through a matrix of measures, including the delineation of Data Fiduciaries’ obligations in data processing operations and the definition of rights and duties for Data Principals, ensuring a symmetrical approach to data management.

– Dissuasion through Financial Penalties

The bill institutes a mechanism of financial penalties for breaches of data rights, duties, and obligations. This proactive approach not only serves as a deterrent but also underscores the seriousness with which data security breaches are regarded.

The bill aligns seamlessly with this visionary trajectory. By providing a roadmap for data governance that places individual rights and accountability at the forefront, it propels India towards a future where data is not just a commodity, but a valuable asset that contributes to the collective growth.

5. Principles for the Digital Age: Safeguarding Data in a Rapidly Changing Landscape

To navigate the intricate dance between data processing and privacy, the bill is guided by seven foundational principles:

– Consented, Lawful, and Transparent Use of Personal Data

The principle of consent forms the bedrock of data processing under the bill. Personal data can only be processed with explicit and informed consent, ensuring transparency and empowerment for individuals.

– Purpose Limitation: Defining Data Usage Boundaries

The principle of purpose limitation emphasizes that data can only be used for the purpose specified at the time of obtaining the Data Principal’s consent. This mitigates the risk of data being used beyond its intended scope.

– Data Minimization: Collecting What’s Necessary

Data minimization emphasizes the collection of only the amount of personal data necessary to serve the specified purpose. This principle curtails data hoarding and promotes responsible data collection practices.

– Data Accuracy: Ensuring Precision and Reliability

Accurate data is vital for informed decision-making. The principle of data accuracy mandates that personal data must be correct, updated, and devoid of errors.

– Storage Limitation: Respecting Data Lifecycle

The principle of storage limitation advocates for the storage of data only as long as it is needed for the specified purpose. This safeguards against unnecessary retention of sensitive information.

– Reasonable Security Safeguards: Fortifying Data Protection

In an era of sophisticated cyber threats, the bill enshrines the principle of reasonable security safeguards, compelling Data Fiduciaries to implement robust security measures to prevent data breaches.

– Accountability: A Pillar of Data Governance

Accountability is a cornerstone of the bill, manifesting through mechanisms of adjudication for data breaches and penalties for non-compliance with its provisions. This ensures that entities remain accountable for their data management practices.

6. Innovative Legislative Approach: Navigating Complexity with Clarity

The Digital Personal Data Protection Bill 2023 introduces an innovative legislative approach that not only comprehensively addresses data security but also enhances accessibility and comprehension:

– SARAL Approach: Simplifying the Legal Lexicon

Embodying the spirit of simplicity, accessibility, rationality, and actionability, the SARAL approach forms the foundation of the bill. By employing plain language and illustrative examples, the bill bridges the gap between complex legal jargon and everyday understanding.

– Gender Inclusivity: Pioneering Recognition

Acknowledging the need for gender inclusivity, the bill pioneers the use of “she” in parliamentary law-making. This small yet significant change recognizes women’s representation and underscores the bill’s commitment to progressive ideals.

7. Empowering Individuals: Unveiling Rights for the Digital Era

Central to the bill’s narrative is the empowerment of individuals in the digital era. The bill grants individuals a series of rights that facilitate control over their personal data:

– Right to Access Information

The right to access information about processed personal data equips individuals with the ability to understand how their data is being used.

– Right to Correction and Erasure

The right to rectify and erase data ensures that individuals can rectify inaccuracies and, if necessary, have their data expunged.

– Right to Grievance Redressal

The bill prioritizes individual concerns by providing the right to address grievances related to data processing.

– Right to Nominate a Representative

Recognizing the practicalities of life, the bill grants individuals the right to designate a representative who can exercise their data rights in case of incapacitation or death.

8. Enforcement and Accountability: The Role of Data Fiduciaries

The bill entrusts Data Fiduciaries with significant responsibilities to ensure data protection:

– Ensuring Security Safeguards

Data Fiduciaries are mandated to institute security safeguards to avert data breaches, safeguarding the sanctity of personal data.

– Mandatory Reporting of Breaches

The bill requires Data Fiduciaries to promptly report personal data breaches to both affected individuals and the Data Protection Board. This timely reporting facilitates swift action in the event of a breach.

– Erasure of Data

Ensuring that data isn’t held indefinitely, Data Fiduciaries are required to delete personal data once it is no longer necessary for the stated purpose.

9. Future Route: India’s Digital Resilience

Looking ahead, the Digital Personal Data Protection Bill 2023 lays the foundation for a resilient digital landscape. It recognizes that data-driven progress is not an end in itself, but a means to enhance citizens’ lives, facilitate business innovation, and strengthen the nation’s position in the global arena. With a holistic approach encompassing rights, obligations, principles, and innovative measures, the bill charts a course that propels India towards a data-savvy future.

As we envision India in 2047, a nation that has harnessed the power of data without compromising on ethics and privacy emerges. Through a judicious balance of rights and responsibilities, the bill empowers citizens, safeguards sensitive information, and fosters a culture of data respect. This culture, in turn, nurtures an environment where startups flourish, research thrives, and citizens confidently participate in the digital economy.

In embracing the Digital Personal Data Protection Bill 2023, India not only lays a sturdy foundation for data protection but also champions a broader narrative of trust, transparency, and technological progress. By weaving together the strands of individual rights, innovation, and responsible data handling, India’s digital destiny is poised to flourish, embodying the principles of the bill and the aspirations of Indian Vision 2047.

As we envision India in 2047, a nation that has harnessed the power of data without compromising on ethics and privacy emerges.

10. Challenges and Issues

While the Digital Personal Data Protection Bill 2023 presents a forward-thinking and comprehensive approach to data security and privacy, its successful implementation is not without its challenges. As India endeavors to navigate the complexities of the digital landscape, several issues must be addressed to ensure that the bill’s transformative vision is realized effectively.

– Balancing Innovation and Regulation

The rapid pace of technological innovation often outpaces regulatory frameworks. Striking the right balance between encouraging innovation and safeguarding data privacy requires constant vigilance. Regulatory measures must be adaptable enough to accommodate emerging technologies while maintaining the integrity of personal data.

– Data Localization vs. Cross-Border Flow

The bill raises a crucial dilemma surrounding data localization. While localized data storage can enhance security, it might hinder the seamless flow of data across borders, impacting global business operations. Striking a balance between safeguarding data and facilitating international trade remains a challenge.

– Compliance Complexity

With a diverse range of entities falling under the purview of the bill, ensuring uniform compliance across industries of varying sizes and complexities can be challenging. Smaller enterprises might struggle to meet the same standards as larger corporations, leading to potential disparities in data protection.

– Technological Adaptation

Implementing robust security measures and adopting data protection practices require technological readiness. Smaller businesses and organizations might face challenges in acquiring the necessary technology and expertise to comply with the bill’s security mandates.

– Data Breach Preparedness

The bill’s emphasis on mandatory reporting of data breaches highlights the importance of preparedness in the face of cyber threats. However, not all entities possess the resources to swiftly detect and respond to breaches, potentially leading to delayed reporting and exacerbating the consequences.

– Strain on Resources

For sectors such as healthcare, which handle sensitive patient data, ensuring data protection can place additional strain on already resource-constrained institutions. The bill’s obligations might necessitate significant financial investments, potentially affecting the quality and accessibility of healthcare services.

– Consent Management

The principle of informed consent forms the bedrock of the bill. However, managing consent in a way that is understandable and accessible to all individuals, regardless of their digital literacy, can be a challenge. Ensuring genuine informed consent in an increasingly complex digital landscape remains a concern.

– Regulatory Bottlenecks

The establishment of a regulatory authority, the Data Protection Board, is critical for the bill’s effective enforcement. However, challenges might arise in terms of the board’s capacity, resources, and expertise, potentially leading to delays in addressing complaints and breaches.

– International Cooperation

Data flows transcend national boundaries, requiring international cooperation to effectively address data protection concerns. Harmonizing India’s data protection regulations with international standards while respecting its sovereignty poses a complex challenge.

– Ongoing Technological Evolution

Technology continues to evolve at an unprecedented pace, constantly reshaping the digital landscape. The bill must remain flexible enough to accommodate future advancements, ensuring that it remains relevant and effective in addressing new challenges.

11. Navigating the Path Ahead

The exponential growth of digital technology has fundamentally altered the way we interact, communicate, and conduct business. As data flows through interconnected networks, a new paradigm of opportunities has emerged, presenting innovations across sectors, including healthcare. The healthcare industry, a prime beneficiary of digitization, has witnessed the evolution of electronic health records, telemedicine, and AI-driven diagnostics, promising enhanced patient care and accessibility to medical services.

However, this rapid digital transformation brings to the forefront a critical challenge: the security and privacy of personal data. As healthcare services become increasingly digitized, sensitive patient information, once stored in traditional medical files, is now housed in digital databases. The potential for unauthorized access, data breaches, and misuse of personal information has escalated, necessitating a comprehensive legislative response.

“Composed by: Dr. Rajeev Kumar is currently working as an Assistant Professor in the Centre for Innovation and Technology at the Administrative Staff College of India, Hyderabad, Telangana, India.”

“Dr. Satyanarayana V. Nandury Adviser is currently working as an Adviser in the Centre for Innovation and Technology at the Administrative Staff College of India, Hyderabad, Telangana, India.”

“Prof. Raees Ahmad Khan is currently working as a Professor in the Department of Information Technology at the Babasaheb Bhimrao Ambedkar University (A Central University), Lucknow, Uttar Pradesh, India.”

The post Data Protection Bill 2023: Advancing Indian Healthcare appeared first on InnoHEALTH magazine.

How Blockchain can help improve care outcomes in India

InnoHEALTH magazine digital team — Wed, 16 Jun 2021 08:48:52 +0000

“Hyderabad Based StaTwig has built a Blockchain based supply chain monitoring system to monitor the distribution of the Covid vaccines.”

As India deals with one of the largest pandemics in recent history there have been many instances of leveraging technology for better management of crises. A good example is the usage of analytics for daily and weekly trends. Also, the backbone of our Covid Management strategy has been the Arogya Setu App which leverages analytics, mobility and APIs to help authorities with track and trace of infected patients.

Hyderabad Based StaTwig has built a Blockchain based supply chain monitoring system to monitor the distribution of the Covid vaccines. As most manufacturers are from Hyderabad this has really helped the organisation build its product around areas like monitoring cold chain (cold storage) for the vaccine. It also helps track fake and expired vaccines as the distributed ledger system used by the Blockchain is immutable, hence it is very easy to check the pedigree of the vaccines and prevent any mischief.

“Healthcare data is complex – in part due to the non-linear nature of diagnosis and treatment, and also due to differing healthcare standards across regions in the world.”

In addition to these Blockchain has many advantages that can be leveraged in India. One of those is data sharing. With US spending upwards of USD 93 Billion over the last five years in just data sharing costs. Healthcare data is complex – in part due to the non-linear nature of diagnosis and treatment, and also due to differing healthcare standards across regions in the world. Additionally, data privacy and other related laws can make healthcare information difficult to access and share. So much so that in many countries, including India, a patient may not have complete access to his/her medical record!

Considering that the next paradigm shift in healthcare is expected to come from the adoption of digital technologies – whether for patient experience or improved efficiency of hospital tasks – it is important to address current challenges around data sharing and access, lest they become hurdles to progress. In that context, block chain could be a savior for the industry.

For starters, blockchain allows all types of data to be integrated into the chain. This means one can add not just doctor prescriptions and treatment records but also nutrition information, fitness data, and recordings from medical devices (such as for blood pressure and diabetes patients) by patients themselves.

“blockchain allows all types of data to be integrated into the chain. This means one can add not just doctor prescriptions and treatment records but also nutrition information, fitness data, and recordings from medical devices (such as for blood pressure and diabetes patients) by patients themselves.”

Over time the presence of such longitudinal patient data means caregivers can better interpret disease symptoms and prescribe effective treatment that is customized to work for the patient. Currently, doctors rely on data from treating different patients to prescribe medication. The chances of success for such medication are about 50%. In many cases, doctors wait for feedback from patients to change the medication. With availability of longitudinal patient data, doctors would know in advance what treatments are more likely to suit a patient in line with his/her health history. There are more advantages of leveraging Blockchain for specific use cases. I am listing some of them below

Data and Cyber Security – Increasingly healthcare organisations are coming under stack from very sophisticated hackers. Data breaches have resulted in many public health records being put up on the dark web as well as on public domains.
Post-Operative Care- One of the areas of concerns in healthcare remains the adherence of the patient to the post-operative care instructions. While the physician can give the instructions, the adherence to them remains a big issue.
Health Insurance Contracts- Health Insurance is its ascendancy in India and we see instances of increased coverage. The Health Insurance contracts are the key to providing care and making sure that the provisions of the contracts have been met
Clinical Trials – Blockchain can help accelerate the research and speed to market for clinical drugs and vaccines

I think we have made a start but most Blockchain initiatives are still in the POC stage in Healthcare. But earlier this year the government of healthcare launched the document on the Blockchain Strategy for India. I had the opportunity to comment on some of the key recommendations of the strategy. I also laid out some of the key recommendations on how Blockchain can be implemented in the healthcare ecosystem. Some of them are listed below:-

Incentive for the adoption of Blockchain- Help healthcare organisations adopt Blockchain with incentives in the form of tax breaks and help with technical adoption
Standards for Blockchain for healthcare- Clarity of the position in case of draft data privacy bill and DISHA
Legality of Smart Contract- Clarity on Smart Contracts and how they can be implanted in healthcare
Industry – Academia- Push academia to move into emerging areas like Blockchain. Engineering colleges are still teaching redundant technologies and not focusing on emerging ones

In conclusion, I believe healthcare can immensely benefit from Blockchain. The need of the hour is to provide the necessary guidance and standards both from policy, technology and processes for its implementation and development.

“Dr Vikram Venkateswaran is a doctor turned technologist. He is the founder of Healthcare India, a research and analysis think tank that works in the public health space. “

The post How Blockchain can help improve care outcomes in India appeared first on InnoHEALTH magazine.

Exclusive Interview with India's National Cybersecurity Coordinator

InnoHEALTH Magazine — Mon, 14 Oct 2019 05:23:08 +0000

Vision for cybersecurity: An exclusive interview with India’s National Cybersecurity Coordinator at Prime Minister’s Office

-Interviewed by Sachin Gaur, executive editor, InnoHEALTH Magazine

Lt General (Dr.) Rajesh Pant is an internationally recognized Cyber Security expert, presently tenanting the prestigious appointment of National Cyber Security Coordinator at the Prime Minister’s Office, India. General Pant brings to the table an interesting mix of military operations, academic excellence, corporate governance, and cybersecurity wisdom. Prior to this, he was the Head of the Army’s Cyber Training establishment for three years. He served in the Army Signals Corps for 41 years wherein he was awarded three times by the President of India for distinguished service of the highest order. He also served as the Chairman of Precision Electronics Ltd as a Governing Council Member of IETE (India). Sachin Gaur interviewed him on his viewpoint on India’s vision for cybersecurity.

Q. On behalf of InnoHEALTH Magazine, we congratulate you on your new assignment. For our readers, we would like you to share your short-term and long-term vision for Cybersecurity from national security perspective.
Short-term vision is to issue National Cyber Security Strategy 2020-25 early next year. Task force is working overtime on this by consulting all stakeholders. Long-term vision is to create an all-encompassing cyber vertical at the national level, to handle incident response, cybercrimes, legal issues and capacity building.

Q. We know that there are some fundamental technological shifts waiting to happen like 5G, and along-with it massive (Internet of Things) IoT deployments and especially use cases of connected healthcare. Can you share your views on the cybersecurity implications of the connected devices?
IoT security is a priority topic world over and this is because the limited security capabilities of these devices are also an afterthought. We need to work on a framework, to bring baselinesecurity through the manufacturers and developers of these devices. These devices are omnipresent in our lives, we find them in our home environment to industrial environments including hospitals. We have seen attacks in the past, where such devices are compromised to launch massive denial of service attacks to manipulate the workings of critical infrastructure.
Also, the issue of IoT security is multidimensional, from data security, privacy to device security. As we discuss this, there are multiple acts and bills pending in the Parliament on these topics. While the bills and acts will provide a framework, we need to also create awareness on both sides, supplier and consumer on the possible risks and mitigation strategies.

Q. What steps can be taken to improve the security in such connected devices?
When I say baseline security framework, it can be achieved in multiple ways.
As of today, most devices that we use including mobile phones, do not have a security testing certification. So, we can agree with the industry and look at important test cases and if they can do self-certification on such test cases.
For example: the device should not have weak default login credentials, it is sending data to a remote server and can be operated remotely. So, we can come up like a 5-star rating framework like that of the energy consumption but for the security of IoT devices basis what kind of tests they clear.
Industry bodies can agree on various levels of security and what it takes to achieve that level. Such a framework, when implemented, can provide confidence to consumers and users on the kind of device they are using vis-a-visthe use case they have at hand. So, they might use a higher security rating device in a use case where the stakes are high.
The other approach is to get the security testing done with notified agencies. Department of Telecom for example has announced mandatory security testing of network elements for telecom given telecom is a part of the critical infrastructure and security issuescannot be taken lightly.
Also, some of the emerging concepts in connected devices are missing in the various governing acts of the industrial connected devices. So, we also need to update our legal frameworks to cover software-based tempering of such devices and make the manufacturers and service providers accountable and proactive towards the security of the systems they provide.

Q. What are the threats that you foresee for the health sector?
There are three areas we see where health sector can be impacted:
First is the data breaches and ransomware attacks on healthcare data. As we know, among all the data, healthcare is the most sensitive and sought after by malicious actors. Outside of India, we have seen umpteen cases where ransomware has crippled the health system and it is only after paying the ransom the hospitals can start operation again. Timely backups and encryption of healthcare data during storage is a preventive measure that clinical establishments can take to mitigate the breach and ransomware attacks.
Second is the manipulation of connected devices. The topic of IoT and connected devices security, as discussed in the above sections, directly apply to the medical devices. Healthcare is a domain where attacks on such devices can be life threatening, especially when there are implantable devices. As we have the new Medical Device Regulation Act in India since 2018, we should also consider cyber security aspect in the devices which have a communication interface. For example, a pacemaker which has a communication interface can be manipulated remotely and the patient’s life is at risk.
Third is the manipulation of health system including the building management. We are probably not very far from the days when sophisticated attacks, as we see in the movies, on high security establishments by manipulating the building controls. The building management systems are very weak when it comes to security. Every hospital is a building and imagine what a false fire alarm would mean to patients in Intensive Care Unit. Or even loss of air conditioning or sudden spikes in electrical power.
There is a proposed act DISHA, Digital Information Security Healthcare Act, which might address some of the legal aspects of security in the healthcare setting. A lot needs to be done in this area, and we are on our way.

Q. Our readership consists of health experts all over the world. Any message for them?
We are at the cusp of a new age where we look to take advantage of Artificial Intelligence to Internet of Things. For such a knowledge economy to take off, health sector is at the center of it and health experts need to pay attention on what they are buying and how such systems are managed and operated. Through intervention of Ministry of Health & Family Welfare and responsible bodies such as National Accreditation Board of Hospitals & Healthcare Providers (NABH) of Quality Council of India, we plan to recommend a cyber audit and increased awareness of information security.
We would not want our hospitals and clinical establishments to be a prey for malicious actors. Rather we would want our experts to leverage technology to take the country to the next level in providing care to a wider population at a lower cost and of the highest quality.

The post Exclusive Interview with India's National Cybersecurity Coordinator appeared first on InnoHEALTH magazine.

Cybersecurity Business Evangelist

InnoHEALTH Magazine — Thu, 27 Jun 2019 07:27:18 +0000

Healthcare data breaches have risen nearly every year from 2010 through 2019 and the cybersecurity risks jeopardize hundreds of millions of patients records. Although physical theft used to be the data breach method of choice, now hacking has become the most prevalent method. This partly stems from more information being stored electronically and network servers becoming a more attractive hacking target.

However, much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. The migration of these workloads and moving valuable information such as PHI (personal health information) and PII (personally identifiable information) to the cloud has also led to cyber criminals taking a particular interest in the industry. Having shifted workloads to the cloud, healthcare organizations have highly connected systems that run the risk of being deeply affected even if the attack takes place on smaller,partial systems. In other words, a cyber attack in one place could bring down the entire system. In May2017, the WannaCry ransomware attack forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wrist bands were compromised.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

Leadership: Ownership of the issue
Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
Policies and procedures: Understanding of business continuity processes and incident response procedures
General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
Use a firewall: Anything connected to the internet should have a firewall.
Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science

The post Cybersecurity Business Evangelist appeared first on InnoHEALTH magazine.

How Crucial is DISHA Act for Healthcare Industry?

InnoHEALTH Magazine — Mon, 17 Dec 2018 08:56:22 +0000

“A journey of a thousand miles begins with a single step.” The Digital Information Security in Healthcare Act (‘DISHA’) is that firm first step taken by the Indian Government in the long journey to secure the healthcare data of patients in India. The question we need to ask ourselves is that Why DISHA is the need of the hour? Why do we need to safeguard the electronic health record in hospitals?

The draft of the act was made public in November 2017 by Ministry of Health and Family Welfare. The word ‘Disha’ means direction, the GoI has taken the first step in the direction of safeguarding the digital health record. For this InnovatioCuris has also taken the first step towards having a concrete discussion about ‘Challenges in the implementation and opportunities for making health sector DISHA and data protection ready’. There were panelists from various renowned government, private hospitals, and healthcare IT firms.

The first session was about the ‘Challenges in the implementation of DISHA’. The panelists were happy that InnovatioCuris has taken an initiative to critically discuss the challenges a hospital will face once the act becomes the law. All the panelists agreed that the act lacks various aspects. Few concerns that bother the clinicians are, that who will give the consent if the patient is unconscious.

The ambulances have the capability that it sends the health records from the ambulance to hospital before the patient reaches the hospital for doctors to study the emergency cases. In this scenario, what should be done if a patient denies the consent for sharing the data at a later stage? Should the clinical establishments discard the already shared health record or should they handover the same to the owner (in this case, patient) or what should be done. There are no set protocols defined in the act for such cases.

A question was put forward, does the patient has the authority to edit their health record, or can they view, who have seen their health record. A healthy discussion took place where we got to know that citizens of Estonia have chip cards, where one can see their health record and can also see the logs of who has accessed their health record. This made us realize, that India as a nation state can use Aadhar card as a mechanism, where we can log in into a portal and get to see health records.

The third challenge that came forward was interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. The health record can be shared by the clinical establishments to another, but there is no standard on how to transfer it. Data integrity is a point of concern, which is not mentioned in the act.

One of the challenges that came into light was according to ‘Clinical Establishment Act Standards for Hospital[2]’ the hospital has to keep health information and statistics in respect of national programmes, notifiable diseases, and emergencies/disasters/epidemics and furnish the same to the district authorities in the prescribed formats and frequency. The question is what if the patient does not give consent. The proposed act should have a provision where the clinical establishments are liable to take the health data.

As we have unstructured healthcare facilities in India, the act should also empower the clinical establishments by various means to keep the data safe. As of now the DISHA is a proposed act, not a law and has lots of loopholes. It also lacks in many aspects discussed earlier. This is just a start and the government should take necessary steps to improve it.

The second panel discussed on ‘Opportunities for making health sector DISHA and data protection ready’. The panelist consisted of CIO of path labs, owners of healthcare IT firms, who shared relevant thoughts and comments. The panel started the discussion on why do we need the act and what are the benefits of the act. Panelist were grateful to the government to bring the act. They told that the clinical establishments will take steps to increase the safety of the health record.

The gaps in the technology for generation, storage and transmission will be lowered down. Sectors such as banking, financing and insurance have structured their data, but this lacks in healthcare. Detailed scope of security features are missing from the act, this would help the companies to design the software from the ground up by using security as an important consideration.

The imminent threat is in the software which are already in place and have not been patched or the system has not been upgraded. The good news is that many have an audit trail in built in their system, which track any CRUD(creation, read, update, delete) of the records. The discussion contributed a fruitful thought: Data at rest is not encrypted. The question that arises is what is preventing the healthcare IT companies to encrypt the data at rest.

One of the challenge in the DISHA is that, the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health record within three days. But according to IBM report it takes on an average of 197 days to detect a breach[1]. How can the Healthcare IT companies safeguard the health record and let the owner know about the breach. The solution is to encrypt the tables in the database, but that might hamper the performance.

It is a huge opportunity for the stakeholder to bring standards in the act. DISHA might have only completed its first round of comments from the public and stakeholders, it can be expected that the revisions made based on the feedback will churn out a more refined version of the act. In any case, it is evident from the draft that the government has really pushed to provide additional security, privacy and confidentiality for individuals, with respect to their digital health record.

The post How Crucial is DISHA Act for Healthcare Industry? appeared first on InnoHEALTH magazine.