By Siddharth Mala & Prathiba Raju
New Delhi: The protection of health data is of paramount importance, as it encompasses highly sensitive and personal information about patients. Hospitals and healthcare organisations bear a profound responsibility not only for collecting and managing this data but also for securing it and safeguarding it against unauthorised access or breaches, speakers said at the 3rd edition of the ETHealthworld Healthcare Leaders Summit. In a panel conversation titled “Protecting Patient Data Safety: Roadmap of Tech Leaders to Enable Cyber Security”, the experts brought to the fore that the confidentiality, integrity, and availability of health data are vital not only for the privacy and well-being of patients but also for maintaining trust in the healthcare system.
In this era of digital advancements, the task of securely storing and managing health data has become more complex, requiring stringent measures and protocols to safeguard this invaluable information, the speakers noted.
The panel consisted of Dr K Madangopal, Advisor Public Health Administration, NHSRC, MoHFW, Govt of India; Dr Sushil Kumar Meher, CIO, AIIMS; Praveen Bist, CIO, Amrita Hospitals, Delhi NCR; and Nikhel Goel, Country General Manager, India Cluster, Carestream. It was moderated by Prabhat Prakash, Senior Digital Content Creator, ETHealthworld.
Initiating the discussion, Dr Madangopal said, “COVID has taught us to adopt technology”. He explained that many states used a combination of triangulation through mobile towers and Bluetooth technology to trace individuals undergoing testing, linking them to their mobile numbers. During the initial phase, when COVID cases were fewer and understanding of the disease was limited, this approach was effective. It involved a central command centre responsible for directing exposed individuals to either isolate or undergo quarantine. This demonstrated the potential of technology in managing such situations.
However, as the second wave hit and the virus spread rapidly, this approach became impractical due to the sheer number of cases. It became challenging to isolate and track individuals effectively. It’s important to note that this approach also raised concerns about cybersecurity since it involved using mobiles and Bluetooth to track contact with infected individuals.
While discussing medical data privacy, Dr Meher pointed to the underground market for unauthorised access to someone’s bank account or medical records. In the international market, such access is priced between $25 and $30 for a bank account and approximately $40 to $45 for a medical record. This heightened interest in hacking coincides with the ongoing COVID pandemic, which has adversely affected major hospitals. Notably, a prominent US hospital recently experienced a security breach, highlighting the vulnerability of healthcare institutions. Remarkably, over 70 per cent of hospitals still rely on non-digital methods for healthcare services. Consequently, healthcare data has become a prime target for cybercriminals who aim to sell medical records in underground markets.
To safeguard one’s medical records, it is imperative to understand the ownership of health records, regardless of whether they are stored in hospitals, government agencies, or private organisations. However, before delving into the protection of medical records, it is crucial to address the unethical intent behind such actions.
Dr Meher stated that the DISHA Act, if it gets approval, will ensure the security of medical data. However, it is important to note that no such legislation has received approval so far. DISHA, short for the Digital Information Security in Healthcare Act, has not been granted approval yet. Therefore, once the act is passed, there will be a clearer understanding of how to safeguard medical records in India.
“Threat is coming in large scale in the health sector,” added Dr Meher. In the context of safeguarding data, there are established standard guidelines that individuals and organisations should adhere to, whether their data resides on-premises or in the cloud. These guidelines encompass specific protocols that need to be followed.
First and foremost, it’s important to recognise that medical data is extensive, encompassing both structured and unstructured information. Therefore, the initial step involves categorising this data into different levels of importance, such as green, yellow, blue, and red. Data classified as “red” is of utmost significance and cannot be compromised under any circumstances. Consequently, institutions must formulate policies that prioritise the protection of this critical data.
However, challenges arise due to a gap in communication between administrative personnel and IT experts. It’s essential to convey that achieving 100 per cent data security is a formidable task, with no foolproof solutions available in the country. In such scenarios, vigilance becomes crucial because the healthcare sector faces a substantial influx of threats. Instances of data compromise within the National Capital Region (NCR) are becoming increasingly common, leaving many individuals perplexed about how to respond.
To address these issues effectively, it’s imperative to establish the extent to which data protection is achievable and what data must be safeguarded. Once these determinations are made, one can explore solutions available in the market and select the most suitable one.
In cases where the situation escalates beyond one’s control, communication with relevant authorities becomes paramount. Reporting an incident promptly, ideally within four hours, is crucial to initiate a swift and effective response.
Additionally, it’s essential to align data security measures with business needs. This entails considering the flexibility required to ensure that business operations can continue uninterrupted. High availability and backup systems should be in place to promptly restore any distorted data. These measures must align with established standard protocols that govern data protection.
Bist emphasised the significance of data security and the role of artificial intelligence in addressing this concern. He also pointed out that despite taking various precautions and adhering to best practices, the possibility of data breaches or incidents still exists and highlighted the need to address two key aspects when such incidents occur.
Bist also noted the complexity of protecting digital data compared to physical security measures, where fortifying a physical location can be more straightforward. In the digital realm, safeguarding data involves multiple facets, making it a nuanced and challenging task.
Among the various aspects discussed, Bist mentioned the importance of end-user security and touched upon the significance of securing medical devices. However, the conversation primarily focused on server-side and network security. To manage and analyse the vast volume of data and transactions involved, he mentioned the existence of systems such as Security Information and Event Management (SIEM). SIEM systems enable the logging and identification of legitimate, suspicious, or fraudulent activities, often across a vast amount of data. Bist highlighted the need for rapid identification and action and mentioned the availability of AI tools like Security Orchestration, Automation, and Response (SOAR) systems, which can automatically monitor and respond to security events without requiring human intervention. This capability is crucial given the impracticality of manually sifting through extensive logs in a timely manner.
“Policymakers should focus on patient data privacy,” highlighted Goel while discussing data privacy and its significance in the context of healthcare. In the age of interconnected healthcare, any deviation from established data security measures could potentially pose risks. For example, in cases of heart rate fluctuations, patients may be connected to general practitioners or electrophysiologists through virtual interactions or in-person visits. Diagnostic tests, some of which can be conducted at home while others require hospital facilities, follow this initial consultation. Subsequent steps, including treatment protocols and, in extreme cases, surgery, are determined based on the test results. Notably, advancements in medical technology have enabled drug combinations to be explored through mobile applications.
This entire continuum of patient care generates vast amounts of data, and ensuring the responsible handling and accountability of this data is crucial. Medical device companies operating within this healthcare framework have a duty to protect patient information without compromise. In today’s landscape, trends in medical device design mirror those in consumer technology, such as smaller and more streamlined designs. These innovations often result in reduced space requirements within healthcare facilities, leading to data storage challenges. Traditionally, data was stored within the equipment itself, but the trend is shifting toward cloud storage. However, this transition to the cloud introduces cybersecurity vulnerabilities, considering the high incidence of cyberattacks.
To address these concerns, medical device companies must make the prevention of data security breaches a priority. The role of the IT department within such companies becomes just as important as the products themselves. The ability to maintain data privacy and accuracy is integral to the manufacturing process, starting from the initial data collection stages. It is essential to ensure that data security measures are in place before the product is ready for deployment.
Moreover, in the western world, where many professionals from the Indian medtech industry work for American or European firms, stringent regulations such as HIPAA (Health Insurance Portability and Accountability Act) exist to protect patient privacy. These regulations set a high standard for data security and privacy. To align with international standards and enhance data protection in India, policymakers should consider adopting similar policies and protocols, making them accessible to all.