Need for Data Security Recognised in Indian Healthcare
The healthcare sector in India, as per reports, accords great importance to data protection; at the same time, there seem to be flaws that could cause much damage.
Indian business newspaper The Hindu Business Line reports: “The need for data security is recognised in Indian healthcare to save the data of patients from being misused or leaked. For example, under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, doctors are required to maintain confidentiality of all patients during various stages of the medical treatment and procedures and also of the information provided by them.”
The report further says: “However, it failed to clearly define the time-line for accessing data of patients. It also failed to include URLs and IP addresses as sensitive information, something which is of paramount significance in the internet driven world today… Certain sections of the Information Technology Act also provide a basic framework for the protection of personal information in India, but these suffer from a number of flaws.”
It further adds: “To overcome some of these shortcomings, the government came out with ‘Electronic Health Records Standards for India’ in 2013. The provisions of this were further revised in February 2016. These standards safeguard patients’ data in many ways and require safeguarding of financial information of patients like bank account and credit/debit card details… These standards also require healthcare providers to designate ‘a privacy officer (preferably external, may be internal) who will be responsible for implementing privacy policies, audit and quality assurance’… It also has a provision for patients ‘to request a healthcare organisation that holds their health records, to withhold specific information that he/she does not want disclosed to other organisations or individuals.’”
In a world where data breaches are so rampant, it’s really important that users and consumers remain concerned about data security. People today want their medical history and their health information to be made available on their phones. They want their hospitals to save all data pertaining to their health. But when news of data breaches spreads, people obviously start worrying.
The Business Line report elaborates: “In a serious breach of data safety, the health data of about 35,000 people in a pathology laboratory in Maharashtra was leaked in 2016. Notably, it was the EMRs (electronic medical records) that were leaked. As we use computers on a routine basis and depend on them to process the data of a large number of patients, we are increasingly susceptible to hacking attempts and data theft.”
The report further says: “‘Big Data Analytics’ is the new buzzword in the field of healthcare with data analysis being used by healthcare providers to record, share and study a number of parameters associated with diseases, their types and demography… In healthcare, IT is being increasingly used today for analysing, simplifying and applying algorithms to data collected from patients for further productive purposes… This practice is also duly included in the Clinical Establishments (Registration & Regulation) Act 2010, which mandates maintenance and provision of EMR for every patient by clinical establishments. Maintenance of data in electronic form provides several benefits to the hospitals for clinical establishment.”
Those in the healthcare sector ought to understand that it’s really important to have strong data protection laws, with emphasis on having a sufficient deterrent against all kinds of criminal activities. There needs to be an objective attempt at understanding where things stand as regards data protection.
The Government of India has also put in place the draft of a new law, the Digital Information Security in HealthCare Act (DISHA), which makes all breaches punishable with imprisonment of up to five years and a fine of up to ₹5 lakh. The act also seeks to redefine personal data of patients and accords importance to “informed consent” of individuals and to obtaining explicit consent before transfer and use of digital health data. It’s just in the draft stage, and let’s hope that when it’s passed as a law and gets implemented, it takes data protection to great heights.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as a security consultant while continuing to write for Hacker Combat in her limited spare time.