Law must ensure digital health records stay secret
The Centre has been working on a health care act for more than four years.
Hyderabad: With the increase in breaches on health apps, cyber security experts have raised concerns over the protection of health records and the data of individuals. Recently, women’s menstruation-tracking app Maya has come under scrutiny for sharing confidential information and experts point out that some of the diagnostic centres also went online, sharing medical reports of users.
Such data might become an easy target for hackers to cash in on in the black market. It is the need of the hour to bring the Digital Information Security in Healthcare Act (DISHA), which is in the draft stage, into implementation to curb any future cyber attacks, stated cyber security experts.
There are many digital healthcare platforms through which people can download an application, book an appointment, talk to doctors and store medical records like blood reports, MRI and CT scans and others.
Mr Sai Krishna, chairman of Global Cyber Security Forum, said, "Usually these are run by people who don't have any diagnostic centre. They will make a deal with a diagnostic centre and approach people with discounts. After downloading the applications, when a customer approaches for any check-up, s/he will be directed to a nearby diagnostic centre and sometimes reports will be sent online".
Unfortunately, in India, there is no law that protects health records. The government has been working on a health care act called DISHA for more than four years. This law will help in the protection of health data by imposing strict restrictions. It will lay out a standardisation mechanism. Otherwise, there is no law for protecting the health care data and diagnostic centres.
It is the need of the hour to bring a stringent act like DISHA to protect citizen data and patient data from different stakeholders. Under DISHA, an individual has been given an actual say in what happens with her/his data.
As per the draft of the DISHA Act, the digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised.
An owner shall have the right to privacy, confidentiality and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this act.
A person or an entity committing a serious breach of digital health information shall be liable to pay damages by way of compensation to the owner of the digital health data in relation to which the breach took place.
“As long as they don’t have standard guidelines/frameworks, they avoid investing in protecting data. Most mobile healthcare applications do not have proper protection. As there are no guidelines from the government, we can’t even question them,” explained Mr Krishna.
Explaining further, he said, "For example, if a cancer drug manufacturer wants to know about the statistics of a particular area, like how many in that area are affected by cancer, what type of cancer and other specific details of the patients, to target the launch of his product, to identify people suffering with cancer, he can directly buy the data from hospitals and access the contacts of those suffering. Subsequently they can directly target these patients according to their needs by approaching them, offering discounts."
If there is no proper protection, cybercrooks might target these applications and cash in on them by selling the data in the black market.
Even health records in hospitals don’t have protection.
For commercial purposes, this data can be sold to medical manufacturing companies, pharmaceuticals and social media, so that they can target them with multiple advertisements.