As Indian healthcare system embraces digital and other advanced technologies, there is increasing concern among security experts on the patient data privacy and data security. There are instances of breach, for example in December 2016 almost 35,000 patient records were hacked into from a diagnostic lab in Mumbai. With new concepts like connected care, the experts feel that without the right security laws it is a matter of time before such incidents repeat themselves.
It is not that we don’t have laws for information privacy and protection. For example
- Section 43(a) and section 72 of the Information Technology Actprovide the broad framework for the protection of personal information in India.
- Section 43(a) along with the sensitive personal information rules– which lay down the compliances that need to be observed by an entity that collects or stores or otherwise deals with sensitive information such as passwords, financial information, health conditions, sexual orientation, medical records and biometric records – mandates corporates to take reasonable procedures to protect sensitive personal data or information and section 72 protects personal information from unlawful disclosure in a breach of contract.
- It is pertinent to note that section 43(a) applies only to a ‘body corporate’, defined as “a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.”
(Source: The Wire, https://thewire.in/102349/without-data-security-and-privacy-laws-medical-records-in-india-are-highly-vulnerable/)
So while these mays may seem to offer guidelines to private hospitals, they don’t cover most government hospitals. There are global implications of Patient information protection. There are a number of laws enacted to regulate the privacy of information in the US for example.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. Apart from HIPAA there are a variety of states, like Massachusetts 201 CMR 17, with relevant laws. The laws in US are robust and apply to big and small hospital chains. In 2012 $100 ,000 fine was imposed on Phoenix Heart Surgery, a 5 member practice, for violations of HIPAA Security Rules. The analysis found that the practice didn’t document that it supplied HIPAA training to workers failed to implement policies and procedures to defend info, failed to conduct risk analysis, and didn’t obtain agreements.
Though not a government regulation, the Payment Card Industry Data Security Standard is a crucial and very particular sector security standard that applies to the usage and archiving of credit\debit card information. Something similar needs to be implemented for India as well
Similarly the European Union has a similar guidelines on patient data security.
Therefore providing proper security of patient info is in fact a cost efficient practice, when looked at with regards to the cost of a breach. External threats, such as hackers – threats, like loss of assets or documents – Internal abuse, like access by Company Associates or Internal Revenue Staff are also key reasons for data leaks. For businesses, this is known for businesses, like practices or rehabilitation applications, this set of processes or may be in that the form of a procedure check-list.
There is a constant effort to create a framework that would reduce the risk for loss of healthcare data. Most corporates have applied the Enterprise Governance Risk Compliance (eGRC). In eGRC, organizations will develop a Risk framework to measure the maturity of danger control Items. The lower the level of maturity, the expectation is that compensating controls would exist and/ or an effort would be in process to improve the level of maturity of those controls. This could probably provide some directions to the larger hospitals. Earlier this year the Government in India released standards for patient data security and privacy. It’s a step in the right direction as most care systems building their Electronic Medical Records can incorporate robust security standards.
In smaller practices, the following steps should be applied
- A check-list or set of processes should be introduced when new health workers are brought on and reviewed periodically for updates in requirements and changes in processes.
- Administration of confidentiality statements – Providing copies of requested medical record should be documented
- Secure filing and maintenance of health files should be encouraged
- Periodic Inventorying and controlling your stresses Technology assets –
- Utilization of social networking- Policies to clearly laydown the risk in handling sensitive information
- The process for destruction of files should be clear and workable inside the working environment of the staff.
- Clean Desk policies as well as clearly marked locked bins to home documents to be shredded are important directives
- Periodic self-assessments of those policies will provide assurance as well as documentation for regulators.
Patient data security is a key area of concern going forward. While we may have ideas on how to solve the issues around access to care, increasing quality of healthcare and managing costs, this should not come at the cost of patient data privacy. As we build the healthcare system of tomorrow let us also build a security system that can help protect against internal and external threats.