If there is one industry in India that is way behind its global counterparts in IT adoption, it is healthcare. New data-based business models and newer compliance requirements may completely change its technology usage. A closer look at the emerging compliance requirements.
Manohar Singh, a Mumbai-based retired bank employee, preferred to access his health information and medical history on his smartphone. He was also happy knowing that all his health data were being saved by the hospital or the clinics he visited. But on a fateful December evening, Singh got the shock of his life when he turned on the TV to hear what he least expected: news of a massive health data breach, in which medical records at a city-based diagnostic laboratory had leaked. Notably, it was the EMRs (electronic medical records) that were leaked at the clinic where he was a frequent visitor.
In the incident mentioned above, Singh was not a lone victim. In one of the most heinous attacks on the Indian healthcare system, which took place in 2016 in Maharashtra, the leaked information comprised over 35,000 patients’ medical records. The diagnostic laboratory has close to 250 centers across Mumbai and over 10,000 collection points in various states in India.
We come across such incidents of healthcare data breaches almost every other day (some even go unreported). Despite technology increasingly playing a role in nearly every process in the healthcare system, from patient registration to data monitoring, from lab tests to self-care tools, time and again there have been serious breaches of health data. Each time it happens, some questions are raised and some fingers are pointed at people or at organizations, but rarely is any concrete disincentive action taken.
According to a FICCI-KPMG report, the Indian healthcare sector is expected to grow at 23% CAGR to a USD 80 billion market by 2020. While technologies such as Big Data, Artificial Intelligence (AI), the Internet of Things (IoT) and Blockchain are already underway in the healthcare system, we are increasingly living in a time when there is a heightened threat to privacy and data protection.
Data leakages and need for compliance
While it is obvious that healthcare professionals will have to use computers on a routine basis and depend on them to process the data of a large number of patients, there will be increased susceptibility to hacking attempts and data theft. In this advanced digital age, several countries around the globe, including India, have realized that their laws have lagged far behind technological developments. Till date, there is hardly any regulatory control over data collection or processing from a privacy and data protection perspective. However, recent reports of data leakage in the healthcare sector compelled the government and healthcare providers to look into the necessity of having strict laws in place to protect confidential health data and improve patient care. It is here that compliance plays a key role.
Michael L. Smith, a legal expert board certified in health law by The Florida Bar, defines healthcare compliance as an ongoing process of meeting or exceeding the legal, ethical, and professional standards applicable to a particular healthcare organization or provider. “Healthcare compliance requires healthcare organizations and providers to develop effective processes, policies, and procedures to define appropriate conduct, train the organization's staff, and then monitor the adherence to the processes, policies, and procedures,” he states in his company blog.
From Smith’s definition, it’s clear that compliance and ethics are not just legal requirements in healthcare; they are also critical components of safe, quality patient care. Regardless of the size or specialty of the practice or facility, all medical organizations face healthcare compliance concerns.
For example, healthcare CIOs increasingly use technology for analyzing, simplifying and applying algorithms to data collected from patients for further productive purposes. This practice is also duly included in the Clinical Establishments (Registration & Regulation) Act 2010, which mandates maintenance and provision of EMR for every patient by clinical establishments. Maintenance of data in electronic form provides several benefits to hospitals and clinical establishments.
It also helps the government in analyzing mass data and formulating public policies. This implies having strong data protection laws with sufficient deterrents against theft and hacking attempts.
In the Indian context, it is therefore interesting to see where we stand today in data protection, how the release of the draft Digital Information Security in Healthcare Act (DISHA) in March 2018 and the draft of the Personal Data Protection (PDP) Bill in July 2018 can have a huge impact on the healthcare sector (once they come into force), and what role they can have for the CIO/CISOs and other technology and security leaders in healthcare organizations.
The state of data protection: The story so far
The need for data security is recognized in Indian healthcare to save the data of patients from being misused or leaked. For example, under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, doctors are required to maintain confidentiality of all patients during various stages of the medical treatment and procedures and also of the information provided by them.
However, it failed to clearly define the timeline for accessing data of patients. It also failed to include URLs and IP addresses as sensitive information, something which is of paramount significance in the internet-driven world today.
Certain sections of the Information Technology Act also provide a basic framework for the protection of personal information in India, but these suffer from a number of flaws. For example, Section 43(a) is applicable only to a ‘body corporate’ and leaves out individuals and legal entities like trusts or NGOs and many others from its purview.
To overcome some of these shortcomings, the government came out with ‘Electronic Health Records Standards for India’ in 2013. The provisions of this were further revised in February 2016. These standards safeguard patients’ data in many ways and require safeguarding of financial information of patients like bank account and credit/debit card details.
These standards also require healthcare providers to designate “a privacy officer (preferably external, may be internal) who will be responsible for implementing privacy policies, audit and quality assurance”.
It also has a provision for patients “to request a healthcare organization that holds their health records, to withhold specific information that he/she does not want disclosed to other organizations or individuals.”
DISHA: A step in the right direction
In March 2018, the government put in place the draft of a new law that makes any breach punishable with up to five years’ imprisonment and a fine of INR 5 lakh. The new Digital Information Security in Healthcare Act (DISHA), as it is called, is expected to improve the existing data protection regime for personal health data in electronic form by introducing new provisions for privacy, confidentiality, security and standardization of Digital Health Data. It also provides for the establishment of a National Digital Health Authority, a standard setting body, as well as Health Information Exchanges, which will act as a public repository of Digital Health Data.
Shuvankar Pramanick, CIO at Sir Ganga Ram Hospital, believes the draft DISHA bill is a big step forward in the healthcare industry. Once it becomes a law, it can bring complete standardization of healthcare, which is currently lacking in the country. However, there are certain specific concerns that first need to be addressed.
“One of the biggest challenges is interoperability of health records. As the record lies with the custodian, not the patient, editing and viewing of it can be done by the clinical establishments. In this case there can be a threat to data integrity, which is not mentioned in the act,” he mentions.
He also notes the case of an emergency, say when the patient is unconscious and the patient’s health records have already reached the hospital for doctors to study. “Now suppose the patient does not give the consent for sharing the data at a later stage? What could be done? Should the clinical establishments discard the already shared health record or should they hand over the same to the patient, who is the owner of the data? There are no set protocols defined in the act,” states Pramanick.
At present, Digital Health Data is protected as “sensitive data” under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Any person who collects, handles, stores, discloses or transfers Digital Health Data is bound to follow the procedure laid down in law which, in essence, requires the person to obtain written permission from the owner of the Digital Health Data with respect to use of his/her information and use such information for legitimate business purposes for only as long as may be necessary to achieve the purpose.
DISHA introduces additional layers of protection for Digital Health Data. For example, it grants (i) the right to know the entities who may have access to the Digital Health Data and the recipients to whom the data is transmitted or disclosed; (ii) the right to require the individual’s explicit prior permission for each instance of transmission or use of the Digital Health Data; and (iii) the right to seek compensation for any damages caused by violation of the right. It also limits the ability of businesses to commercialize Digital Health Data.
DISHA also regulates how businesses can use Digital Health Data. This has not found favor with some businesses who believe that the proposed law is excessive and imposes unreasonable restrictions on their ability to conduct their own businesses.
With the government inviting public comments on the draft, one noteworthy piece of feedback received is the demand for creation of one State level adjudication authority and one Central level adjudication authority for data in general, for better protection of data.
“While it is yet to be seen what will be the final shape of this new law, it is definitely a move in the right direction as it ensures protection of digital health data at every step, including at the time of their generation, collection, storage and transmission,” says Gunjan Kumar, CIO & Head – New Initiatives at Regency Healthcare, a UP-based healthcare provider.
However, he believes that, as is true for any law, DISHA will not have the desired impact unless implemented effectively. “It will be pertinent to look at actual cases of data theft after DISHA is implemented and other emerging trends to revise and replenish this legislation from time to time,” says Kumar.
Personal Data Protection Bill paves a new path
As far as the draft of the Personal Data Protection (PDP) Bill, which came in July 2018, is concerned, experts mostly believe that the need for a comprehensive data protection regime has finally been recognized by the Government of India.
According to them, the Bill has been able to capture most of the concerns and discussions around data privacy and data protection in India. Further, through the Bill, the Expert Committee has attempted to plug the loopholes of the existing data protection regime in India and formulate a data protection law that will cater to the dynamic needs of the digitized Indian society.
“While efforts for formulating the Bill have to be lauded, it must be noted that the Bill has to be refined further to clarify certain provisions, remove wide discretionary powers of the state and specify “appropriate mechanisms” for obtaining consent,” says Sheril Jose, AGM - Cyber Security, Emcure, a Pune-based healthcare organization.
“With data being one of the core assets of the digitized economy, the Bill has to be fine-tuned to maintain the delicate balance between an individual’s right to privacy and the ease of doing business in India and needs to be implemented properly,” Jose says, adding that the success of the new law will depend on its effective implementation and that his organization is already evaluating and putting in place a blueprint for all its employee data.
Creating a culture of compliance
“Right to Privacy is a fundamental right that needs to be ‘protected’. In other words, patient data shouldn’t be compromised at any cost. It is necessary therefore, to create a culture that fosters a free and fair digital economy that ensures empowerment, protection, progress and innovation and at the same time protecting the privacy of individual citizens,” said Subrata Bagchi, President - TCG Digital, a healthcare consultant firm.
If one looks at the personal data ecosystem (per workshops conducted by the Federal Trade Commission), one sees that personal data is transacted and used by multiple players across the globe, namely: data collectors (telecom companies, healthcare service providers, utility companies, retail stores, internet, social media, etc.); data brokers, where the personal data is then aggregated, analyzed and sold/commoditized by healthcare analytics, credit bureaus, ad networks, etc.; and data users, where the customized data is used by banks, marketers, media, government, employers, etc.
“The release of the draft DISHA in March, 2018, and the draft of the Personal Data Protection Bill, in July, 2018 can have a huge impact on the healthcare sector and the way it looks at issues, such as compliance and data privacy,” believes Bagchi. He states that the above two draft bills, once legislated, would be aimed towards:
- providing autonomy of individuals
- creating a relationship of trust through transparency and active consent
- developing a legal and technical framework relative to data collection, storage, transmission and usage
- making data fiduciaries and data processors accountable
- providing remedies and penalties for unauthorized access and breaches
Additional responsibilities for CIO/CISOs
According to Bagchi, “The level of responsibilities of the CIO and CISO will be heightened if their organization is a Data Fiduciary or a Data Processor. They will have to ensure that the data collected, stored, transmitted and archived/deleted have to be secured to prevent any unauthorized access or any breach.”
The process starts from obtaining explicit consent from the data principal and could probably end with breach notification (though not a desired conclusion). Data transmission within India or cross border will require encryption. In this case, since the liabilities are high, the level of responsibilities will also be enhanced.
“Healthcare firms should make compliance planning a priority, and designate a compliance officer and compliance committee and conduct internal monitoring and auditing,” he says.
Kumar adds, “CIOs will need to establish comprehensive programs addressing key data privacy areas. For example, limit who has access to personal data and make sure that access is authorized and reflects personnel changes that happen within an organization.”
“Once enforced, standards through well-publicized disciplinary guidelines and the more automated and integrated the program becomes, with the incorporation of existing business applications, audit, and compliance tools, the more effective, cost efficient, and preventive this program will become,” he states.
Pramanick concludes that once we get greater clarity and specifications, not only can the vendors design the software from the ground up by using security as an important consideration, but the organizations and CIO/CISOs would also implement it based on specific guidelines, by patching or upgrading the software/system. It is a huge opportunity for the stakeholders to bring standards in the act.
It is no secret that unlike many Indian industries, such as banking, IT/ITES and insurance, where IT maturity is comparable to those industries in mature markets, healthcare is one area where India is way behind. Maybe, the new needs for compliance—what with health data being classified as ‘sensitive personal data’—will drive a new era in healthcare IT.