Data breaches in healthcare are on the rise as the sector figures among the most lucrative targets on the radar of cyber criminals. An electronic health record fetches a high price on the Dark Web considering the huge wealth of exploitable and sensitive information it contains. According to HIT Consultant, personal health information is 50 times more valuable on the black market than financial information, and stolen patient health records can fetch as much as $60 per record. For healthcare organizations too, data breaches cost $380 per stolen record, more than twice the average global cost across all industries, according to the 2017 Cost of Data Breach Study conducted by IBM and the Ponemon Institute.
With hospitals and healthcare institutions in India increasingly digitizing their medical records, and with the security and privacy of these digital health records taking center stage, it's paramount to address some pertinent issues around the ownership, sharing, storage, access and privacy of digital health data.
To address the questions around these areas and ensure the security of patient data, the Ministry of Health and Family Welfare (MoHFW), Government of India, has released in the public domain the draft Digital Health Information in Healthcare Security Act (DISHA) and is inviting comments on it from the public by 21st April 2018. The act aims to provide for electronic health data privacy, confidentiality, security and standardization.
MoHFW also plans to set up a nodal body in the form of a ‘National Digital Health Authority’ as a statutory body for the promotion/adoption of e-Health standards, to enforce privacy & security measures for electronic health data, and to regulate the storage & exchange of Electronic Health Records. It also mandates the setting up of ‘Health Information Exchanges’ by the Central Government for the sharing of electronic health records.
Before I move to the key aspects under the act, here is what the draft defines as ‘Digital Health Data’ and ‘Sensitive Health-Related Information’.
What is Digital Health Data:
Digital Health Data is defined as an electronic record of health-related information about an individual and shall include the following:
(i) Information concerning the physical or mental health of the individual;
(ii) Information concerning any health service provided to the individual;
(iii) Information concerning the donation by the individual of any body part or any bodily substance;
(iv) Information derived from the testing or examination of a body part or bodily substance of the individual;
(v) Information that is collected in the course of providing health services to the individual; or
(vi) Information relating to details of the clinical establishment accessed by the individual.
What is Sensitive Health-Related Information:
‘Sensitive health-related information’ means information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual, including but not limited to one's physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.
Key Aspects of the Act that a CISO Should Know:
- Ownership of Digital Health Data: The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitized.
- Rights of the Owner of Digital Health Data:
1) Right to privacy, confidentiality, and security of their digital health data.
2) Right to give or refuse consent for the generation, collection, storage and transmission of digital health data, with certain exceptions.
3) Right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data.
4) Right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form.
5) Right to be notified every time their digital health data is accessed by any clinical establishment.
6) Right to ensure that, in case of a health emergency, the digital health data of the owner may be shared with their family members.
7) Right to prevent any transmission or disclosure of any sensitive health-related data that is likely to cause damage or distress to the owner.
8) Right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data.
9) Right to seek compensation for damages caused by a breach of digital health data.
- Responsibilities of Clinical Establishments:
1) The clinical establishment or Health Information Exchange shall hold such digital health data in trust for the owner. Any other entity who is in custody of any digital health data shall remain the custodian of such data.
2) A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.
3) Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.
4) The privacy, confidentiality and security of digital health data shall be ensured by taking all necessary physical, administrative and technical measures, that may be prescribed or specified, to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
5) Without prejudice to the above provisions, a clinical establishment or health information exchange shall ensure through regular training and oversight that their personnel comply with the security protocols and procedures as may be prescribed or specified under this Act.
6) A clinical establishment or a health information exchange shall provide notice to the owner immediately, and in all circumstances not later than three working days, in such manner as may be prescribed under this Act, in case of any breach or serious breach of such digital health data.
- What is Breach of Digital Health Data:
Digital health data is said to be breached, if:
1) Any person generates, collects, stores, transmits or discloses digital health information in contravention to the provisions of Chapter II of this Act.
2) Any person does anything in contravention of the exclusive right conferred upon the owner of the digital health data.
3) Digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder.
4) Any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.
- What is Serious Breach of Digital Health Data:
A serious digital health data breach shall be said to have taken place, if:
1) A person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently.
2) Any breach of digital health data occurs, which relates to information which is not anonymized or de-identified.
3) A breach of digital health data occurs where a person failed to secure the data as per the standards prescribed by the Act or any rules thereunder.
4) Any person uses the digital health data for commercial purposes or commercial gain.
5) An entity, clinical establishment or health information exchange commits breach of digital health data repeatedly.
- Penalties for Breach/Serious Breach of Digital Health Data:
1) Any person or entity who commits a breach of digital health data shall be liable to pay damages by way of compensation to the owner of the digital healthcare data in relation to which the breach took place.
2) Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees.
3) Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than one lakh rupees; or both.
4) Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than five lakh rupees; or both.
- Liabilities of Management in Offences by Companies:
(Company means any body corporate and includes a clinical establishment, entity, firm or other association of individuals.)
1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time when the contravention was committed, was in charge of and was responsible to the company, for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the contravention, and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent the commission of such contravention.
2) Where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer of the company shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.