India's Proposed Healthcare Data Security Law: The Reaction
Proposal Includes Breach Notification Requirement
Security leaders in India are sizing up a Ministry of Health and Family Welfare proposal to roll out a digital information security law for the healthcare sector that includes a breach notification requirement.
The ministry is seeking public comments by 21 April 2018 on its proposal to adopt standards that enforce privacy and security measures for electronic health data, as well as on its recommendations for breach notification.
"We are placing the draft of Digital Information Security in Healthcare Act in the public domain for comments. The purpose of the Act is to provide for electronic health data privacy, confidentiality, security and standardization," says S.C. Rajeev, director, e-Health, at MoHFW.
The ministry has proposed setting up a nodal body called the "National Digital Health Authority" through an Act of Parliament that will not only secure electronic health data but also regulate storage and exchange of electronic health records.
Some security experts say the moves by the ministry are long overdue.
"For all privacy related regulations, health or otherwise, a strict breach notification law is always preferred due to the amount of data aggregation and storage prevalent in the industry," says Subhajit Deb, CISO at Dr Reddy's Laboratories, a multinational pharmaceutical company.
But Deb sees some challenges in implementing the proposed Act.
"For one, the government health centers operating in rural locations - most are non-networked," he says. "Even bigger hospital chains are sometimes guilty of this. How will they manage an inventory of data stored? These are murky areas."
In the draft, MoHFW defines a breach of digital health data as when a person or an organization:
- Generates, collects, stores, transmits or discloses digital health information unless required by the Act;
- Does anything in contravention of the exclusive right conferred upon the owner of the digital health data;
- Does not secure digital health data as per the standards prescribed by the Act; or
- Damages, deletes by any means or tampers with any digital health data.
The proposed legislation says anyone, whether an organization or an individual, who is involved in a breach of digital health data shall be liable to pay damages by way of compensation to the owner of the digital health data that was breached.
Anyone who fails to adhere to the Act's rules and directions would face a minimum penalty of INR one lakh plus INR 10,000 for each day during which the failure continues, subject to a maximum of INR one crore (10 million).
A penalty of imprisonment of up to five years has also been proposed for those responsible for data theft.
Some security experts question whether the proposed penalties are tough enough.
"The penalties are not severe either financially or in terms of duration of imprisonment," says C.N. Shashidhar, founder of SecurIT Consultancy. "The penalty should be substantially increased to make breaches more expensive for healthcare institutions. The breach offense should be made non-bailable. Only then will there be a deterrence and adherence to the proposed law."
The proposed law also does not include a requirement for an audit and compliance assurance program, which some security practitioners argue is essential.
"The healthcare industry has been underinvesting in IT security for a long time, with a main focus just on regulation rather than looking at cybersecurity as an enabler for a healthcare institution to function," Deb says. "On top of that, the difficult-to-update medical devices continue to run outdated and vulnerable operating systems. The key challenge I see is a lack of a holistic security and privacy framework for the entire healthcare ecosystem comprising hospitals, labs and pharmaceutical and insurance companies."
The proposed legislation is also silent on extra-territorial scope. "Since many hospitals use cloud as a preferred storage for data, the area needs to get covered under the Act," Deb contends.
Multiple security issues plague the healthcare industry. "There are issues like lack of trained cybersecurity professionals, lack of backup capabilities, process failures - all of which are putting healthcare organizations under constant threat of cyber exploitation," Deb says.
And because healthcare is a basic necessity, it will be tough for healthcare providers to pass on the additional security cost to patients, Shashidhar says, pointing out that many lack the necessary security technologies.