Data
Breach Incidents and HIPAA Compliance
A recent Economic Times Report in India which
reported a successful Sting operation by a UK agency in which some health
related data was bought from a medical transcription company has evoked
some predictable response in US. As could be expected, there are voices
stating that the best way forward for Health Care Information Security is
not to outsource.
Seon Caroll CEO of Webmedx, one the large
medical transcription companies in USA has stated that it is unrealistic to
think that US laws can be effectively enforced outside our borders
sufficient to deter the misuse of information or breaches of security. The
Company therefore advocates 100% US infrastructure as a policy of security.
While one can appreciate the business strategy
of Webmedx to promote its “No- Outsourcing” policy as a virtue, it is
necessary to take a pragmatic view of the problem and work towards a
solution.
As a person who has conducted many HIPAA
awareness trainings in India and promoting a voluntary HIPAA compliance
even in Indian Health Care Industry as a best practice, I can share some of
my thoughts on the way forward.
Outsourcing by US companies to India or
elsewhere is a conscious business decision which in the long run is expected
to add value to the enterprise. Obviously this cannot be done at the cost
of Information Security (IS) . However, IS a joint responsibility of both
the US Covered Entity and his business associate in India.
The current incident involving a sting
operation of a journalist is not a clear indication of the risk of data
being sold for a price. However we can accept that it indicates the obvious
that financial inducements can make some employees part with information
otherwise considered confidential. But we have to focus more on the
organized attempts at acquiring confidential data by Cyber Criminals than
the sting operations.
To put the incident in the proper perspective,
we can recall the many data breach incidents that have occurred in the US
itself where millions of records have been compromised some out of
financial inducements, many through negligence and many more due to
criminals who hack into systems as a profession. IS is therefore as much an
issue in US as it is in India.
The reason for increasing data breaches of the
kind referred to in the instant case is the growing Cyber Crime underworld
which finds all means of stealing data because there is a market for the
same. In the case of health records coming under HIPAA, the beneficiaries
are in US. Many of them are the Insurance Companies who follow
unscrupulous methods to obtain data that can be used for marketing. It is
therefore the unethical business practices of the US Insurance companies
that cause a fertile ground for the proliferation of the data breach
incidents. Part of the solution therefore lies within the US jurisdiction
on how to promote ethical business practices. I would request Seon Caroll
to find means of spreading this message in the industry in US.
On the other hand, I would also request the US
companies outsourcing health care business to India to insist that their
clients in India must undergo a “HIPAA-HITECH Compliance Drill”. I have
observed that many Indian companies are not aware of their
responsibilities. This lack of awareness is also indicative that the US
vendors are not driving home the requirement of HIPAA compliance in their
SLAs. Perhaps they have exchanged a contract which indirectly talks of an
indemnity. This is more a legal formality they have undergone rather than a
real effort to educate their counterparts. Let it be one of the HIPAA
compliance requirement of the US companies that they have specifically
enquired with their Indian counterparts about the HIPAA compliance measures
undertaken in India and obtain certifications. Not all these certificates
would be reliable but many would be.
Many of the HIPAA Awareness programmes I have
conducted, and audits I have participated in are a result of the initiative
of the local companies to improve their competitiveness. This indicates
that there is a desire in India for companies to adopt IS standards. Like
in every other case of motivation, they perhaps need a little nudging,
little coercion and little incentivisation.
I would request US companies not to treat
HIPAA compliance as a paper formality to be completed. Let it be a genuine
exercise to promote Information Security culture. Let the US vendors insist
in their business contracts that Indian medical transcription partners must
only engage employees who have undergone a “HIPAA Awareness Training” and
send documentary proof for having conducted such programme for their
employees. US companies can also devise strategies where they earmark a
part of their payments to be released only towards expenses in employee
training and other HIPAA initiatives. (Extension of Obama’s strategy of
incetivisation of adoption of EMR by medical practitioners).
The sting report is therefore a wake up call
as much to the US companies as it is to the Indian companies. Let’s work
together in the effort to have adequate information security without losing
out on the outsourcing advantages.
India is keen to retain its Outsourcing
advantages because it is a key economic activity for the country. India is
therefore willing to do everything in its control to ensure that Data
Security is ensured in the operations of the Indian Companies.
US Companies may take note that the Indian
Information Technology Act has been amended recently to incorporate a
responsibility for following reasonable security practices to protect
sensitive personal information failing which the company would be liable to
pay damages without any upper limit. There is also a 3 year imprisonment
for data breaches. There is a fast track adjudication system for providing
relief under the Information Technology Act with one adjudicator in each of
the States in India.
Nasscom has also created an SRO of its own in
the form of Data Security Council of India to contribute towards better
data security compliance in the industry.
Thus there are several state led initiatives
towards making India a secure destination for information processing.
In addition to these efforts, individuals like
the undersigned are undertaking efforts of their own towards building a
public private partnership in Information Security. The State of Karnataka
of which Bangalore is the Capital has undertaken a State policy to make
“Bangalore the Information Security Capital” and initiated several projects
in this direction in recent times.
After the recent report from Economic Times I
have been working towards creating a “Security Consortium” for Medical
Transcription Companies in Bangalore and invited interested Medical
Transcription Companies to get in touch with me. I am also encouraging
companies who are working in IS solutions to partner in the building of a
secure Medical Transcription network in Bangalore in the beginning and then
extend it to other places. A conference is being organized in November to
talk to some of these unit heads and make them aware of the implications of
data breach. The idea is to create a group of Medical Transcription
Companies who voluntarily subscribe to information security standards that
meet and if possible exceed the HIPAA expectations of business associates.
We hope that this data breach report becomes a
trigger for an all India activity in which medical transcription industry
is shaken up and driven home the need and advantages of being aware as well
as implementing HIPAA security standards in India.
I am sure that the US Companies will soon find
that India has a better overall IS environment than even US.
Naavi of www.naavi.org
Naavi
October 24, 2009
Related Articles:
Indian BPOs need to demonstrate their
commitment to Data Security
Data Breaches in US.. SC Magazine
Comments are Welcome at
naavi@vsnl.com