India’s healthcare market is constantly undergoing changes. It is set to grow to USD 55 billion by 2020 – among the highest developed markets worldwide, according to a report by McKinsey.

To boost digital health-related services, India is encouraging health-tech start-ups in this field.

As of now, there are about 2,975 start-ups for digital healthcare solutions in India. And, they are increasing in number, year over year.

A growing healthcare market is quite impressive for India as it is expected to bring new medical technologies, generate more job opportunities and improve treatment levels for us.

But these also bring risks, as it can be more challenging in healthcare IT to prevent the disclosure of personally identifiable and critical information of every individual.

healthcare data regulation india

The healthcare organizations use technology to process high profile data of a large number of patients on a routine basis.

The more the data that is processed online, the higher susceptibility to hacking and data theft there is.

This is why this industry needs to be handled with greater responsibility.

Also read: Why data security is the biggest concern of healthcare and how to fix it?

Though India has been working on the healthcare data privacy and security bill since 2018, the bill hasn’t come into effect yet.

It is of utmost importance to protect the sensitivity of health information through robust data protection law to maintain the trust and confidence of the individual patients.

So, what is stated in the healthcare data protection bill in India, and what is the current legal framework for this? Let’s find out!

Healthcare data protection law in India – under progress

Data security in healthcare IT
Source: Pixabay

The Ministry of Health and Family Welfare placed the draft for Digital Information Security in Healthcare Act (DISHA) with an aim to secure the healthcare sector data in India, giving people complete ownership of their health data.

For example, if you go for a medical checkup at your doctor, and the doctor places the results into an electronic health record (EHR), that information is completely protected by DISHA as it is placed within the healthcare system.

“Before the Acronis implementation, there was a huge risk that malware could take down our company. Now, with Acronis, I can say that we’ve done everything possible to protect our data from an attack.” CIO, high performance manufacturing company.
Read details in a report by Forrester.
[ninja_form id=2]

Digital Information Security in Healthcare Act Objective

DISHA proposes three main objectives:

  1. Setting up digital health authority at national and state levels
  2. Enforcing privacy and security measures for electronic health data, and
  3. Regulating storage and exchange of electronic health records

The draft further also provides details on the establishment of National and State Electronic Health Authorities (NeHA and SeHA).

In effect, it would provide extensive data protection to Indian subjects, as well as govern the data portability.

So, overall, DISHA mostly prevents healthcare providers from sharing any piece of sensitive information. Thus, it makes it too hard to share information.

However, the setting up of this law is still awaited. But how long? And till then, wouldn’t that put the privacy of a patient at risk?

Given the size of the population in the country, it is pertinent to have a strong data protection law in India.

Also read: Why just SSL won’t protect you?

How health data is regulated in India today?

The data security and privacy are the responsibility of the entity that holds the data. If in case, a data breach happens, the entity could be penalized for the same.

As of now, the enterprises in India are not bound to inform their end customers, or other individuals of a data breach as that happens, excluding banks that are compelled to inform the Reserve Bank of India (RBI) within six hours of a data breach.

In the Indian healthcare industry, the need to implement data security is recognized to not reveal the information of patients and to be only revealed if it is required by the law.

According to the Indian Medical Council Regulations, 2002, physicians must maintain confidentiality related to individual or domestic life that is entrusted by patients during various stages of their medical attendance and procedures.

However, this law purely fails to outline the limit for accessing information of patients.

Further, it also fails to count the IP addresses and other online personally identifiable information as sensitive personal information, which is of utmost importance in an internet-driven world.

What more? Let’s dive a little deeper into this.

In India, each healthcare provider uses different combinations to identify patients. This makes the entire process more complicated.

Comprehensively, there are two types of patient’s information: patient’s identification information and patient’s health information.

Both are taken care of by different departments and information systems, increasing the complexity of the whole information.

The patients, on the other hand, don’t have ownership of their medical information. Plus, there are various third-party administrators involved throughout the whole ecosystem.

These providers also have control on the health data locally.

The technologies these providers use to let the healthcare providers share data is making the data prone to various forms of malware, cyberattacks, and ultimately, leading to severe data breaches.

Also read: Microsoft confirms Windows ‘BlueKeep’ attack

Evolving responsibilities of the security leaders

There is plenty of sensitive information of patients that make healthcare an interesting target for attackers.

Earlier this year, a report confirmed that there have been millions of records stolen and sold in the healthcare sector.

The medical record is an identity thief’s dream as they contain valuable information like date of birth, place of birth, credit card information, address, emails, and more.

To overcome these shortcomings, the security heads in healthcare organizations need to ensure the security of the data collected, stored, shared and archived or deleted to prevent data breach.

To ensure that, they need to rely on Cybersecurity experts to streamline the overall process.

disha act india

Besides this, they will also need to establish programs that address key data privacy areas as well as use advanced technology and services while developing an efficient and adaptive security infrastructure by using security as an important element.

The security leaders must re-design the system based on the specific guidelines. As the law approaches, it is a huge opportunity for CIO/CISOs to bring standards in it.

Also read: 12 cybersecurity measures to instantly protect your business data

There are many other industries that too have security threats, but when it comes to healthcare IT, India is way behind.

A sound governance system is important to effectively manage such complexities in the healthcare network, that will drive a new age in healthcare IT.

How do you address this challenge? Do you use a data backup and security solution? Let us know in the comment section.

“Acronis is directly responsible for saving our company 1200 hours per year for IT operations staff in backup and recovery workflows.” CIO, high performance IT company.
Read details in a report by Forrester.
[ninja_form id=1]