The application of the latest technology in health, such as data analytics, has improved healthcare delivery in India. A recent report by the healthtech startup Practo revealed that about 5 crore (50 million) Indians used virtual healthcare services between March 1 and May 31, 2020. However, with faster tech adoption, healthcare data privacy and security are becoming a serious concern in India. According to a KPMG report, cyber attacks in India increased by 37% during the first quarter of 2020. The problem is not confined to India. Regulations have been adopted around the world to protect health information, including the US Health Insurance Portability and Accountability Act (HIPAA), which governs protected health information (PHI).
HIPAA is a set of regulatory standards that define the lawful use and disclosure of protected health information.
To improve data security and address data breaches in the healthcare sector, the Indian Government is working on the Digital Information Security in Healthcare Act (DISHA), intended as India's equivalent of HIPAA. The proposed law aims to make the implementation of data security measures mandatory.
The term sensitive data refers to information that must be protected from unauthorized disclosure. It can exist in both physical and electronic form.
Only authorized users may access data classified as sensitive. Disclosure of such information to anyone else is a breach of privacy, security, and confidentiality.
There are different types of sensitive data, including Personally identifiable information (or PII) and Protected health information (or PHI).
These are the types of sensitive data cybercriminals most often try to obtain and exploit. Regulations such as the US HIPAA aim to ensure that companies handling sensitive data comply with defined security requirements.
Personally identifiable information (PII)
PII refers to any information that can identify a specific person, or that can be used to deanonymize previously anonymous data.
Examples of PII include a person's name and surname, date of birth, home address, social security number, and credit card number.
Protected health information (PHI)
Healthcare providers, insurers, and other healthcare organizations are usually responsible for handling protected health information.
PHI is any health information that can be used to identify an individual and that is created or received while providing healthcare services. This covers any data in a medical record, as well as conversations between doctors and nurses about treatment. It also covers billing information and any patient-identifying information stored in a health insurance company's computer systems.
This classification includes a very wide variety of personal information and essential medical data. Here are more examples from the list of identifiers:
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Internet Protocol (IP) addresses
Full-face photos, etc.
Healthcare Data breaches in India
Despite its benefits, the digitization of the health system has led to a large number of cyberattacks in this sector. India's healthcare system was especially targeted during the COVID-19 pandemic.
Research conducted under the CyberPeace Foundation's (CPF) e-Kawach program shows that Indian hospitals and health facilities have been hit by a range of cyberattacks. For example, Safdarjung Hospital in New Delhi recently suffered a cyberattack. The hospital restored its systems quickly, and no reports of compromised data are available.
Additionally, according to the cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Ltd., 1.9 million cyberattacks had been recorded against the Indian healthcare industry as of November 2022. The attacks originated from Vietnam, Pakistan, and China and used 41,181 IP addresses.
The CyberPeace Foundation also reported that the attackers mainly targeted vulnerable internet-facing systems, such as outdated Windows Server installations.
HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted by Congress in 1996. Its goal was to improve the efficiency of the US healthcare system while ensuring the privacy and security of healthcare data.
The US Department of Health and Human Services (HHS) regulates HIPAA compliance, and its Office for Civil Rights (OCR) enforces it.
All US organizations that handle protected health information (covered entities), together with their business associates anywhere in the world, must comply with HIPAA. They must implement administrative, physical, and technical safeguards.
HIPAA’s two main components of healthcare data protection are as follows: the HIPAA Security Rule and the HIPAA Privacy Rule.
The HIPAA Security Rule
The Security Rule focuses on securing the creation, receipt, use, and maintenance of electronic protected health information (ePHI) by HIPAA-covered entities. It sets out standards for the administrative, physical, and technical safeguards that must be applied to ePHI.
To protect ePHI, the Security Rule specifies a number of safeguards. For instance, "access controls" ensure that only authorized users can reach the data, while "audit controls" record exactly who accessed which data and when. Together they make it possible to detect when someone violates the access policy, for example an employee reading the record of a patient they are not treating.
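As an added illustration of these two safeguards working together (example code written for this article, not code from any product or regulator), the block below enforces a treatment-relationship access check on patient records and writes every attempt, allowed or denied, to a hash-chained audit log. The chaining means that an insider who later edits or deletes a log entry to cover their tracks breaks verification of the whole trail. The patient identifiers, user names, and record contents are constructed sample data.

```python
# Added example (not from the article): a minimal "access control" plus
# "audit controls" implementation for electronic PHI, in the spirit of the
# HIPAA Security Rule. Patient and user names are constructed sample data.
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data: a treatment relationship is what authorises access.
CARE_TEAM = {
    "patient-001": {"dr-rao"},
    "patient-002": {"dr-rao", "nurse-iyer"},
}
RECORDS = {
    "patient-001": {"mrn": "MRN-1001", "diagnosis": "hypertension"},
    "patient-002": {"mrn": "MRN-1002", "diagnosis": "type 2 diabetes"},
}

GENESIS = "0" * 64  # hash of "the entry before the first entry"


class AccessDenied(PermissionError):
    """Raised when a user has no treatment relationship with the patient."""


@dataclass
class AuditLog:
    """Append-only, hash-chained audit trail. Each entry commits to the
    previous entry's hash, so editing or deleting an earlier entry breaks
    verification of everything after it."""
    entries: list = field(default_factory=list)

    def append(self, user: str, patient_id: str, action: str, allowed: bool) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "user": user,
            "patient": patient_id,
            "action": action,
            "allowed": allowed,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the hash itself, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry fails."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def denied(self) -> list:
        """Who tried to read whose record without authorisation: the question
        audit controls exist to answer."""
        return [(e["user"], e["patient"]) for e in self.entries if not e["allowed"]]


def read_record(user: str, patient_id: str, log: AuditLog) -> dict:
    """Access-controlled read of a patient's ePHI. Every attempt, allowed or
    not, is logged before any data is returned."""
    allowed = user in CARE_TEAM.get(patient_id, set())
    log.append(user, patient_id, "read", allowed)
    if not allowed:
        raise AccessDenied(f"{user} may not read {patient_id}")
    return dict(RECORDS[patient_id])


def run_demo() -> dict:
    """One legitimate read, one unauthorised attempt, then a tamper check."""
    log = AuditLog()
    record = read_record("dr-rao", "patient-001", log)
    try:
        read_record("nurse-iyer", "patient-001", log)
        blocked = False
    except AccessDenied:
        blocked = True
    denied = log.denied()
    intact_before = log.verify()
    # Simulate an insider editing the log to hide the denied attempt.
    log.entries[1]["allowed"] = True
    return {
        "record": record,
        "blocked": blocked,
        "denied": denied,
        "intact_before_tamper": intact_before,
        "intact_after_tamper": log.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the log would be written to append-only storage owned by a different principal than the application (so the application's own credentials cannot rewrite it), and the chain head would be periodically anchored somewhere the operators cannot alter; the in-memory list here only shows the mechanism.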
The HIPAA Privacy Rule
The Privacy Rule defines exactly which uses and disclosures of protected health information are permitted without the patient's authorization, and which require it. Its aim is to protect the patient's health information, such as medical records, from improper disclosure to third parties.
Despite their many benefits, technological innovations also make healthcare data more exposed. In response, a growing number of healthcare startups in India are adopting security measures to protect sensitive patient data.
Docus is one example of a healthcare startup that treats patient data privacy and security as a priority. It provides a platform on which doctors from leading Indian hospitals collaborate with doctors from the US and Europe to offer patients the best care. Docus runs on a HIPAA-compliant platform, and all patient information, including medical records, test results, and examinations, is stored on that platform under HIPAA's safeguards.
DISHA (Digital Information Security in Healthcare Act)
To regulate data privacy and security in India's healthcare sector, the Ministry of Health and Family Welfare proposed a new bill: the Digital Information Security in Healthcare Act, or DISHA. It is HIPAA's Indian counterpart, but it has not yet come into force.
With this law, the government aims to standardize digital healthcare data and to protect patient data privacy and security. It would give people ownership of their own healthcare information.
For instance, when Indian patients undergo regular medical checkups, the doctor enters the results into their electronic health records. DISHA would govern how those records are stored, shared, and protected.
Here are the main 3 objectives of DISHA:
Establishing a national and a state digital health authority,
Ensuring the privacy and security of electronic health data,
Regulating the process of storing and exchanging electronic health records.
To achieve the first objective, DISHA proposes establishing the National Electronic Health Authority (NeHA) and State Electronic Health Authorities (SeHA).
NeHA would formulate the standards and operational guidelines for generating, collecting, storing, and transferring digital healthcare information.
SeHA would monitor compliance with DISHA requirements at the institutional level.
DISHA also aims to set up Health Information Exchanges to process and transmit healthcare data between medical facilities. The law would further establish central and state adjudicating authorities to investigate complaints about DISHA breaches by NeHA and SeHA, clinical establishments, and other parties.
Further steps to improve healthcare data privacy and security in India
Listed below are the key steps to enhance healthcare data privacy and security in India:
Focusing on medical device security
Medical devices are becoming essential components of the healthcare sector in India. Ensuring their security is crucial, as these devices store and transmit sensitive patient data and are often connected to hospital networks.
Raising awareness about cybersecurity
Healthcare cyber crime is highly prevalent in India, and a lack of cybersecurity awareness is one of the main reasons. Training staff at healthcare entities to recognize and report a cyber threat in time is an effective way to prevent attacks in the healthcare industry.
Regularly testing and assessing security risks
Regular security testing and risk assessment are essential elements of a robust cybersecurity program. Many healthcare centers in India are investing in cybersecurity infrastructure, yet they do not regularly assess their risks or test their defenses.
Threat and mitigation-related information exchange
Sharing industry-specific threat information is an integral part of building an effective cybersecurity ecosystem in the healthcare sector. Healthcare industry platforms are a useful place to discuss and share information about cyberattacks and how they were mitigated. Working together in this way helps develop a robust approach to data privacy and security.
To conclude, with the rapid development of digital technologies, healthcare data security is becoming a serious concern globally as well as in India. DISHA is an essential step toward securing sensitive health information in India. To improve data privacy and security, it is also essential to raise awareness and train healthcare staff in key data security measures.