UID will become the ID for Healthcare privacy control

The UID, or Aadhaar, started as an ID that could separate Indian citizens in border areas from illegal migrants and thereby serve a national security purpose.

Subsequently, it has become a project to provide a control mechanism to reduce pilferage in Government subsidies reaching the target citizens.

When the system began, the only Privacy concern about Aadhaar was the collection of “biometrics” and their possible misuse. The arguments covered both the technical issues of false rejections and false acceptances, and the use of unreliable vendors who could steal the biometric data either at the time of enrolment or while it was in storage.

The Government brushed aside the objections and went ahead with linking Aadhaar to an individual's Banking information, extending the privacy concerns to financial information as well.

Presently we see that the KYC system in Banking depends entirely on the Aadhaar number being provided as a “photocopy of the Aadhaar document”, which exposes every parameter attached to the ID (except the biometrics) in the form of a paper document. Similar paper copies are held by gas dealers, mobile companies, schools and many others who may have little understanding of the meaning of “Privacy”, let alone the legal concept of “Privacy Protection”.

To this risk of biometric and financial information being combined and spread about in an insecure manner, we are now adding healthcare information, since the UID is set to be the “Universal ID” associated with patient information in the proposed HDPSA (Healthcare Data Privacy and Security Act).

Though the details of the proposed act are not yet available, the document which the Government of India (Department of Health and Family Welfare) released for public comments in 2013 on the “Electronic Health Record Standards for India” contained detailed guidelines on what the Government intends to do.

This Circular, released earlier, gets a new life with the recent public announcement that a “Draft Healthcare Data Privacy and Security Act” is now under the consideration of the Government. We should logically presume that many of the suggestions made in the earlier circular will be adopted in the new Act as and when it becomes a reality. After all, the circular was founded on a time-tested framework adopted in the US under HIPAA in 1996, which is still in force today.

According to the circular, the standardization of healthcare information collection, storage, transmission and processing will adopt a system of unique IDs for every patient, every medical practitioner, every hospital and every pharmacy, along with the adoption of medical codes for diseases, procedures, health encounters etc.

In this process the circular speaks of the “UHID”, the Unique Health Identifier that acts as the patient identifier, and for which the UID (Aadhaar number) will be used in all EMR systems.

This would mean that Aadhaar details will be present in all hospital records of patients and become integrated with their Bank details and the associated biometric data.

In principle there is nothing wrong in adopting a nationally unique ID which links a person with their health and financial data. However, it raises the issue of how information security is handled by every entity that may have access to any one of these fundamental parameters: a compromise at the weakest holder of the ID exposes the linkage across all three data sets.

The Information Security community, which deals with sensitive personal information in electronic form, as well as the physical security community in health care organizations, where the same sensitive personal information is available on paper, will now need to devise strategies to upgrade their security arrangements.

“Hospitals”, which for this purpose include neighbourhood clinics and other health care entities such as pharmacies, need to start learning the principles of Privacy.

I am not sure whether medical colleges teach Information Security and Privacy as part of the curriculum for the MBBS and pharmacy qualifications. If not, it is time that students of medicine are exposed to information technology and the related issues of Privacy in the coming days.

Naavi

Posted in Cyber Law | Leave a comment

Indian Version of HIPAA is in the making

The proposed HDPSA (Healthcare Data Privacy and Security Act), which is being worked on by the Health and Family Welfare department of the Union Government, is likely to draw a lot from the HIPAA (Health Insurance Portability and Accountability Act) of the USA. HIPAA was enacted in 1996 and later modified and upgraded by the HITECH Act (Health Information Technology for Economic and Clinical Health Act). For somebody who has followed HIPAA and its implementation for more than a decade, it appears that India is tracing exactly the same path of development that we saw with HIPAA.

Firstly, HIPAA became law when the Health Insurance industry was trying to force more digitization into medical record keeping so that the processing of health insurance claims could be more efficient and less prone to fraud. The Insurance industry therefore wanted a push for greater use of Electronic Health Records (EHR) by medical professionals. At the same time, Privacy advocates were skeptical, fearing that increased use of EHR would raise the Privacy risk for patients. Hence Privacy Protection and a standard for Information Security were built into HIPAA. The HITECH Act expanded the security measures and at the same time strengthened the Privacy obligations of the covered entities. It also introduced incentives and disincentives to accelerate the use of EHR, which was felt necessary even 12 years after HIPAA. (The HITECH Act was enacted in February 2009 as part of the American Recovery and Reinvestment Act.)

We in India are retracing similar steps through the actions surrounding HDPSA.

One of the provisions of the proposed HDPSA is to bring in interoperability of electronic data captured and processed across different systems. This requires defined common standards for the identification of health entities, for the different parameters of health data, and for the structure of the codes used in data transmission.

In 2013, the Department of Health and Family Welfare (D-HFW) published the “Electronic Health Record Standards for India” and placed a copy on its website for stakeholders to comment on.

The goals of suggesting the standards were indicated as follows:

  • Promote interoperability and, where necessary, be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability

  • Support the evolution and timely maintenance of adopted standards

  • Promote technical innovation using adopted standards

  • Encourage participation and adoption by all vendors and stakeholders

  • Keep implementation costs as low as reasonably possible

  • Consider best practices, experiences, policies and frameworks

  • To the extent possible, adopt standards that are modular and not interdependent.

Within the standards, guidelines were also incorporated for hardware, networking and connectivity, as well as software standards with which the industry was expected to comply.

The standards also touched on Ethical, Legal and Social Issues (ELSI) guidelines for Electronic Health Records (EHR), defining the Privacy and Security requirements of EHR with recommendations that follow the HIPAA Privacy and Security requirements.

If HDPSA becomes law, it is a reasonable presumption that some of the provisions available in the Standards document will need to be adopted. Similarly, it will also need to adopt some of the provisions of the Telemedicine Act which was drafted several years back and simply forgotten.

HDPSA will also have to contend with co-existence with ITA 2008, which overlaps with it on the Privacy and Information Security issues but not on the data standards issues.

Overall there are interesting days ahead to watch how the legislation unfolds. So far, the draft law discussed in the news report has not been made public, and hence it is difficult to comment on the exact provisions included therein. We wait for the Government to release the draft for public comment.

We may also remember that in 2006 a “Personal Data Privacy Bill” was drafted and even placed before Parliament along with the amendments envisaged for ITA 2000. Subsequently, in 2008, the ITA amendments passed but the Privacy Bill lapsed. Since then other versions of the Privacy Bill have been presented to Parliament but have failed to get consensus, since they directly interfered with the national security issues involved in “interception of communication” and with the issues related to Aadhaar implementation.

The sector-specific approach now proposed in HDPSA, addressing only Health Care Data Privacy and Security, is unlikely to receive much opposition except from the Health Care industry itself, which would be seriously affected in the process of implementing the Act.

While the larger hospital chains are likely to implement the provisions of HDPSA, there will be a large number of smaller nursing homes, neighbourhood doctors, pharmacies and mobile App companies dealing in Health information who will simply be unable to comply with the provisions of the Act and will remain non-compliant.

Even in the advanced US market, the HITECH Act had to set aside US$ 17.2 billion for various kinds of incentives to make the industry comply with HIPAA. This would be equivalent to over Rs 1 lakh crore. Will the Government make such investments? Obviously not.

This means that we are in for a long haul as regards the real implementation of the provisions, as and when they are enacted.

HIPAA actually set compliance deadlines which extended from 1996 to beyond 2003, and yet some of the data breach notification provisions had to be deferred to the Omnibus Rule of 2013.

If, therefore, the law makers are serious about the adoption of HDPSA, there has to be a strategy for how compliance will be pushed. We know that even after 16 years, ITA 2000 compliance is still at a nascent stage. If so, it is anybody's guess what the timeline for HDPSA implementation should be.

If there is no proper compliance strategy, we will have an industry domain living under the umbrella of non-compliance, with the constant fear that the regulator could crush them at any time.

This “living under fear” will be the biggest threat to the Health Care industry, and one it needs to avoid.

I therefore suggest that the industry organize itself properly, so that when the next phase of the roll-out of this draft legislation happens, the interest of the industry's survival is not forgotten.

If the industry is complacent, there would be a “Globalization” of the hospital and health care industry to such an extent that, just like the K-Marts eating away our neighbourhood kirana stores, the international hospital brands may eat away all our domestic medical practitioners. In the process, health care in India will become more expensive and dependent on the health insurance industry.

Keeping all these things in mind, it is necessary to ensure that the proposed legislation builds adequate safeguards to protect the interests of the consumers.

Has the health ministry factored in all these aspects?… God knows..

Comments please…

Naavi

Posted in Cyber Law | 2 Comments

First Sector Specific Privacy Law likely on Health Information in India

At a time when there is a raging debate on whether the health status of a leader like Ms Jayalalitha should be made public or held confidential, and whether unnecessary secrecy breeds rumours or confidentiality is essential for public peace, the Government of India has expressed its intention to bring in a Bill to provide “Privacy Rights to Individuals on their Health Data”.

Refer Article here

As per the news report, the Union Health Ministry is contemplating new legislation tentatively titled the “Healthcare Data Privacy and Security Act” (HDPSA) to devise a “comprehensive legal framework” for the “Protection of individual health data” and “Standardization”. The statement released to the Press also says that the law will “Identify Ownership” of the data through the establishment of a “National e-Health Authority” and “Health Information Exchanges”.

The law will also have “Detailed remedies for breach of data”, both civil and criminal penalties, entitling the patient to compensation if data is leaked, as well as severe punitive action against the “Agencies responsible”.

It also speaks about the “Consent” to be obtained from the patient.

The law appears to have been influenced by the need for “Interoperability of Electronic Health Records (EHR)” and sounds much like the HIPAA of 1996 in USA.

It is clear that the law will follow the standard principles of privacy: collection of information authorized by a stated purpose and by the consent of the patient, collected data limited to the minimum necessary, and Data Breach notification to the data owner as part of the legislation.

The mention of what are called “Information Exchanges” indicates regulation of IT facilities, including Mobile App companies, with a registration requirement before a National Authority to be set up and a consequent “Compliance Regime”.

Like HIPAA, there will be unique registration numbers assigned to every health facility, starting with the public sector.

A new “E-Cloud Repository” for real time health data is also envisaged.

A New Adjudicatory and Appellate Authority is also likely to be set up.

The legislation should be considered a huge step in Health Care regulation in India, just as HIPAA made a seminal difference to the industry in the USA. There is a clear overlap of the proposed law with the Information Technology Act, which (through the 2011 Sensitive Personal Data or Information rules issued under Section 43A) already classifies the “Health Information of an Individual” as “Sensitive Personal Information” and prescribes “Reasonable Security Practices”.

However, given the slackness of the Ministry of IT in implementing the provisions of ITA 2000/8, the emergence of the new “Healthcare Data Privacy and Security Act”, or HDPSA, could provide good competition to ITA 2008 in redefining the standards of “Data Security” in India.

We therefore welcome the proposed new legislation.

HIPAA legislation in the USA, implemented through the HHS, is a model law worth emulating not only for its basic provisions but also for how it was rolled out to the industry.

We hope that HDPSA will also be taken through similar steps of “Receiving Comments from the Public” on the draft provisions at every stage of its implementation, and of “Providing a Compliance Timeline” for the industry, unlike the ITA 2000/8 implementation which occurred through MCIT.

Watch out for more comments…

Naavi

Further Information on this Proposed Act will be covered through www.hdpsa.in

Posted in Cyber Law

Privacy and Media..Do we need a Sector Specific Privacy law?

Media is considered the fourth pillar of democracy, and a “Free Press” is considered the hallmark of a mature democratic society. The same society also holds the “Privacy Right” in high esteem. But often the “Privacy Right” of individuals clashes with the “Freedom of the Press” to disseminate information.

Just as the Privacy Vs Security debate is important, Privacy Vs Free Press debate is also important for the greater good of the community.

Today, Media is as much an “Industry” as “Health Care”, “BFSI” or “Outsourcing”. Worldwide there has been an attempt to develop sector-specific laws to address Privacy issues which cannot be effectively handled through the omnibus Privacy Protection law approach that some countries follow.

In this connection, a debate is due on whether there should be an attempt at a specific Privacy Law addressing the needs of the Media Industry.

In this competitive world of “One-Upmanship Journalism” and “24-hour TV news channels”, media chases revenue through higher readership or viewership ratings, ignoring the “Ethics” which was once the hallmark of good journalism.

In this context of competitive reporting, “Breaking News” and “Investigative Journalism” have become important business strategies for the media. This often leads to “Media Trials” and “Misreporting”, where the “Privacy Rights” of individuals go for a toss.

We can look at some examples to appreciate how Media, in its bid to outdo its rivals, often hurts the privacy rights of others.

Presently the complaint of Mr Ratan Tata concerning his Privacy rights in the Nira Radia tapes issue lies before the Indian Supreme Court. The recorded telephonic conversations, captured by the Income Tax department for its investigation of possible tax evasion by a PR professional, Ms Nira Radia, and her firm, were leaked into the public domain because the Tax department failed to manage “Information Security” at their end. The eager media, trying to expose the political machinations of Nira Radia, also brought into the open her telephonic conversations with Mr Ratan Tata, which according to his complaint had no public interest component.

In the Sheena Bora murder case, TV channels conducted their own investigations and dragged a forgotten ex-husband of Indrani Mukerjea into TV studios, unmindful of the damage to his own family, wife and children.

In both these cases, Media had no respect for the Privacy rights of the individuals. There are also many instances of irresponsible political criticism where politicians freely infringe on the privacy of individuals and, when challenged, simply escape a defamation charge with an apology.

Media keeps publishing such stories without any respect for the privacy of the politicians, on the ground that a “Public Servant has no right to Privacy”.

At the same time, we also observe instances where Media adopts a holier-than-thou attitude and goes out of its way to protect the privacy of information which perhaps ought to be disclosed in the public interest.

A few months back, two companies in Mumbai were reported to have paid a ransom of $5 million each to hackers who threatened to disclose corporate data they had obtained by hacking into the companies' systems. The companies paid the ransom and also succeeded in ensuring that no publication revealed the names of the companies which had suffered the data breach.

The fact that the companies were prepared to pay a ransom of $5 million to keep the data under wraps suggests that the revelation might have uncovered an illegal activity which could have caused huge embarrassment to the company.

But media chose to protect the “Confidentiality” of the companies' identity in order to protect their reputation. “Protecting the confidentiality of a company's identity” is not the same as “protecting the identity of an individual” in the context of Privacy Rights; media misread a corporate interest, where there was a public interest in disclosure, as a “Privacy Issue”, when in fact there was a duty to disclose.

In a similar manner, the health status of important leaders like Ms Sonia Gandhi and Ms J. Jayalalitha has been kept under wraps, though there is a public interest involved in such information.

There are also many instances of information involving Judicial Authorities where a public interest is involved but the information never becomes news, out of fear of “Contempt of Court” proceedings.

This inconsistent approach by media to the “Protection of Privacy” and the “Confidentiality of Information” indicates that there is perhaps a need to think of a sectoral Privacy law directed exclusively at guiding the Media on how to handle private information.

I am aware that any such hint would immediately be jumped upon by media as “Regressive”, “Draconian” etc.

But the same media would not hesitate to call for new legislation on Social Media, including “WhatsApp”, “Facebook” or “Twitter”.

Presently, even the Delhi High Court, in its judgement on the WhatsApp Privacy Policy, has commented that services such as WhatsApp may be regulated by the Government.

Why “Social Media” should be subjected to a different “Privacy Law” from the “Conventional Media” is a point we need to discuss.

If regulation of Privacy in Social Media is acceptable, we should also be able to consider Privacy regulation for the conventional media, to ensure the protection of Privacy in media coverage.

Perhaps this “Privacy Law for the Media Industry” would attempt to strike a balance between the Right to Privacy and the Right to Free Expression in such a manner that, without hurting the fourth pillar of democracy, the “Free Press”, we usher in an era of “Decent Journalism”.

In structuring the “Privacy laws for the Media”, we need to address the respective roles of Media and Social Media; the point at which “one-to-one messaging” becomes “publishing”; how the “Advertising Norms” and “Press Council Norms” are to be integrated; and how the law of Contempt of Court and of Copyright, to the extent they affect the media, should be handled. Obviously, some aspects of “Prevention of Press Censorship” and a “Dispute Resolution Mechanism” should also be integrated into such a law.

Comments?

Naavi

Posted in Cyber Law

Webcams used to mount a DDoS attack

In an interesting report highlighting the new dimensions of Cyber threats that may arise from IoT (Internet of Things) devices, the BBC reported (refer article here) that the web hosting company OVH suffered a DDoS attack from an army of webcams acting as zombies remotely controlled by the attacker. This is reported to be perhaps the largest DDoS attack to date, with more than one terabit per second of traffic fired at the target to bring it down.

The attack was mounted by around 145,000 webcams acting as a botnet, and it shows how the large number of devices capable of connecting to a server and sending data can be misused by attackers: each compromised device contributes only a modest stream, but the attacker directs all of them at a single target, and the aggregate is enough to bring the server down.

According to security experts, such attacks can be executed easily using tools available on the net, with minimal skill required.

With more and more IoT devices getting connected to the internet, there is an urgent need to ensure that enough security is built into the device itself to prevent this sort of takeover. This also means that the professionals who install devices such as smart webcams or other smart devices should have a reasonable knowledge of information security and configure the devices with suitable controls: change the factory-default credentials, disable remote administration services that are not needed, and keep the firmware updated.

Some of these controls need to be built in at the time of manufacture, into the embedded controllers and firmware that drive such devices, and the quality certifications of such devices should include their security evaluation.

India is dreaming of Smart Cities, smart trains and various other projects in which off-the-shelf devices are likely to be deployed with their default security configurations, creating exactly the vulnerabilities that such attacks exploit.

Hopefully the corporate security professionals will wake up to this new type of emerging threat which use “Physical Security Devices” and create “Cyber Security Issues”.

Naavi

Posted in Cyber Law

IRDA mandates insurance data to be held within India

It is reported that the Insurance Regulatory and Development Authority of India (IRDA) has mandated that Indian insurance companies store all critical customer data on domestic servers within the next 3 to 6 months. (See article here)

This would mean that many of the insurance companies which have joint ventures and store their data on foreign servers (or on the cloud) will now be required to set up new data centres in India so that customer data does not leave the country.

It is expected that this move would require substantial investment from insurance companies such as Tata AIG, Bharti AXA, ICICI Lombard, Birla Sun Life, Bajaj Allianz etc.

The decision follows the issue of the Outsourcing guidelines, which inter alia indicate the following norms.

According to the guidelines, only Indian companies can act as outsourcing agents, though there is a provision for IRDA to approve any other entity.

The guidelines also require the insurance company to ensure that the outsourcing agency has adequate information security measures, and to conduct periodic audits of the outsourcing arrangement.

A detailed list of the clauses that the outsourcing contract must contain has also been indicated in the exposure draft.

Though the guideline only reiterates some of the known principles of Information Security for the management of outsourcing agencies, which are already in place for other regulated industries such as Banks, it brings a new focus on insurance companies and on the need to store data within India.

Naavi

Posted in Cyber Law | 1 Comment