Vinayak Godse, CEO, Data Security Council of India (DSCI) in an interaction with Kalyani Sharma emphasises on the ways to safeguard healthcare data in the era of increasing cyber-attacks and highlights that ensuring security while designing, developing, and deploying applications will be critical in the fast-moving pace of digitisation
What are the crucial steps to safeguard data security in hospitals?
Today, hospitals are spread across the geographies, nationally and some even globally. The hospital system evolved to manage data and technology operations centrally. Applications for health information management, patient service platform, chronic disease management, mobile service delivery, and ERP/SAP are increasingly managed centrally. Now, hospitals are focusing on deploying intelligent platforms and integrating various devices and types of machinery. Healthcare operations are becoming data-centric, emphasising recording, processing, inferring, and sharing for better patient experience, enhancing diagnostic decision-making, improving the productivity of operations, and exploring new possibilities. Pandemic-induced acceleration of video consultation, remote expert opinion, remote monitoring, and increasing collaboration for clinical research.
Robust security architecture and infrastructure protect data flowing within and outside hospital systems. Ensuring security while designing, developing, and deploying applications will be critical in the fast-moving pace of digitisation. More importantly, as health data is classified as sensitive information, hospitals should adopt a data-centric approach to security. Expectations of privacy for sensitive personal information are stringent, demanding extra care and caution. Obtaining comprehensive visibility over how data is collected, processed, generated, shared/received, and shared can help extend the coverage of the security program to the possibilities that can create significant ramifications. Augmenting a data-centric security stack, in combination with privacy-preserving technologies, would help safeguard the data. Vulnerabilities and weaknesses in the configuration of devices, machinery, and systems connecting to the network tend to expose data and make it easy for attackers to steal information. Hence, healthcare systems need competent vulnerability and configuration management. The adoption of Internet of Things (IoT) in the healthcare system exposes them to attacks on the hardware level. In the overall data-centric security design, equal attention should be given to hardware and embedded security.
Can you throw some light on the current challenges, which need to be addressed while dealing with patient data?
A sudden increase in offering digital health care, remote diagnosis and consultations, and remote monitoring is leading to increased collection and processing of data, primarily sensitive in nature, attracting strict provisions, obligations, and liabilities. The policy regime in the country for privacy is still evolving, leaving notable gaps in how data is collected, processed, stored, and shared. Although the Supreme Court underlined the Right to Privacy, without well-defined content principles and competent regulatory and enforcement structure, the privacy of patient data might not get due attention. Individuals involved in collecting patient data are often unaware of the need to safeguard patient information from unauthorised access. Application design, development, and deployment might not adhere to privacy by design principles. The collection of data might not be proportionate. The patients might not get to exercise their rights on the data collected. The data gets locked in one hospital system, making it difficult to port and increasing the costs of healthcare services. Redressal to data breaches might not be effective.
What needs to be strengthened at the governance and policy level for a better data security ecosystem in India?
Supreme court’s judgment of privacy as a fundamental right provides a constitutional guarantee, serving as a critical driver for a better data security ecosystem. Comprehensive privacy regulation and enforcement and regulatory mechanism unveiled by it will improve governance at the ground level. Regulatory norms associated with data collection, process, usage, storage, and sharing would guide the implementation of privacy programs. Frameworks and best practices would also help.
The DSCI developed a privacy framework [DPF] to help systematically implement privacy programs. Regulatory rules, guidance, and standards in specific areas, such as anonymisation, will also help improve data security and privacy. The creation of privacy assurance mechanisms and certification schemes are suggested for enhancing privacy governance. Developing an ecosystem for data-centric security research and innovation will create privacy-preserving technologies. Due to their all-pervasiveness, associated sensor systems, and data-heavy applications, IoT systems demand specific attention from the efforts for security and privacy assurance.
The National Digital Health Mission (NDHM) has completed two years. How do you see its progress so far? Where are we and what is yet to be achieved?
Connected, integrated, and systematised healthcare promises to remove pain, enhance the patient experience, improve operations productivity, avoid duplications and cost overruns, and create new possibilities for reach and inclusion. NDHM promises these benefits through national architectural and infrastructural intervention. It emphasises access to real-time health records to provide informed decisions quickly while reducing the cost of services. With 24 crores of Ayushman Bharat Accounts, 162 thousand plus registered health facilities, 91 thousand plus registered healthcare professionals, and, more importantly, linking of 1.5 crores plus medical records, NDHM achieved notable success. We would like to see its adoption improved across the states, especially in the linkage of medical records.
From the security perspective, attempts are being put for a robust security architecture. However, we would like to see how the architecture responds to contemporary trends in distributed computing for more resiliency and data protection, as announced by AADHAAR in the recent past. It would also be remained to be seen how security is maintained in the expanding ecosystem, how applications onboarded address security threats, and how trends like anonymisation are adopted for privacy protection and ethical processing. From a privacy perspective, NDHM is being envisaged as a significant intervention to transform the delivery of health care services, DSCI would like to contribute to the deliberations and efforts of making privacy central to its design and execution. As an enabler of processing health data at a large scale, we would like to see it as a reference example in adhering to contemporary privacy virtues and values, including transparency, openness, and accountability. It can ensure increased participation of patients by offering easy, effective, and informed ways to exercise the subject access rights. We would also like to see attention on data security and privacy use cases and active efforts in developing innovative solutions with the help of researchers and the start-up community. NDHM and its plans could create a pipeline of new security and privacy start-ups in the country.
What are your views on the implementation of Electronic Medical Records (EMR) in the Indian healthcare system? (Current status and any challenges)?
From the privacy perspective, one of the most challenging parts is to set interoperability standards. Data portability is especially important in this National health mission vision as every citizen should have the right to port data from one place to another and continue getting services. This will change the entire paradigm where data is available and not binding to a particular hospital. Individual hospitals are getting integrated with the national systems, and with that structure in place, we will see quite a significant portability of data more effectively and efficiently. These portable medical health records would probably save the cost of the health services that are provided to the citizen and ensure data privacy.
How do you see the future of cybersecurity in healthcare in India?
Healthcare is one of the largest sectors in India, both in terms of revenue and employment. It is loaded with personal and critical data, making its security more important than ever before. With the significant increase in data breaches in the healthcare segment, the focus on healthcare cybersecurity is expanding with new areas for investment. Cybercriminals are constantly seeking opportunities to gain access to health data, especially when many consider healthcare institutions to be soft targets. Data collected from such institutions also have significant value on the dark web.
Thus, to over these challenges, healthcare institutions need to focus more on safeguarding their data by investing more in technological innovation and adopting holistic cybersecurity measures. Steps like integrating security into medical devices, security in the development and deployment of applications, data-centric security approaches, spreading awareness and training on cybersecurity measures, regular assessment of threats and sharing information to mitigate them, and setting up competent security operations could help the sector create a shield and to minimise the impact of cyber threats.