In today’s digital landscape, cybersecurity threats and data breaches have become prevalent, particularly in the healthcare sector. Reports of compromised personal and confidential patient information surface frequently, highlighting the urgent need for robust data protection measures. To address these challenges, the Indian government is set to implement the Digital Information Security in Healthcare Act (DISHA), a significant new regulation aimed at safeguarding healthcare data.
What is the Digital Information Security in Healthcare Act (DISHA)?
The Ministry of Health & Family Welfare (MoHFW) in India released a draft of DISHA in November 2017, with plans for its formal enactment. Once implemented, DISHA will standardize and regulate the processes for collecting, storing, sharing, and utilizing digital health data. This legislation aims to ensure that digital health information remains private, confidential, and secure for all individuals.
The Importance of Securing Digital Health Data
Digital health data encompasses a wide array of sensitive information in electronic form, including:
- Details regarding an individual’s physical or mental health
- Information about health services provided
- Records of organ or blood donations
- Data derived from medical examinations
- Interactions with clinical establishments
This information is highly sensitive; any compromise could lead to harmful consequences such as discrimination, violence, or embarrassment. Unauthorized entities could misuse this data to make unjust judgments regarding an individual’s health status, sexual orientation, substance use, or reproductive choices. Consequently, the Indian government is committed to ensuring the security and privacy of digital health data for all citizens.
Objectives of the DISHA Healthcare Act
DISHA aims to facilitate the secure exchange of health information between healthcare providers, including hospitals and clinics. Key objectives include:
- Maintaining the confidentiality and security of electronic health records
- Regulating the storage and sharing of electronic health information
- Granting individuals full control over their digital health data, including the rights to:
- Consent to or refuse the collection and generation of their data
- Withdraw consent for data storage and sharing
- Restrict access to their information
- Decide what data is collected based on its intended use
- Understand where their data is shared and with whom
- Access and rectify inaccuracies in their health data
- Receive notifications when their data is accessed
- Share data with family members in case of emergencies
- Seek compensation for damages resulting from data breaches
The Necessity of a Healthcare Data Security Law in India
India is the second most affected country by cyberattacks, with alarming incidents such as a recent breach involving over 6.8 million health records, attributed to Chinese cybercriminals. This stolen information is often sold on underground forums, highlighting the lucrative nature of healthcare data theft. According to cybersecurity experts, the average cost of a single stolen healthcare record is approximately $380, making it the most valuable data among industries.
With thousands of healthcare-related databases available for purchase on the black market, the pressing need for a comprehensive healthcare data protection law like DISHA is clear.
Responsibilities of Healthcare Organizations Under DISHA
Once DISHA is enacted, healthcare organizations will be required to comply with several regulations, including:
- Informing individuals before collecting their digital health data
- Explaining the purpose of data collection
- Disclosing the entities with whom data is shared within three working days
- Identifying individuals authorized to access the data
- Storing digital health data securely on behalf of the National Electronic Health Authority
Additionally, organizations must implement key measures to ensure the privacy and security of all digital health records:
- Data Encryption: All shared or transmitted health data must be encrypted to protect it from breaches during transfer.
- Data Security: Organizations must adopt physical, administrative, and technical safeguards, including modern data security solutions like Acronis Cloud Backup, which protects against ransomware and ensures encrypted cloud backups.
- Training: Regular training for personnel is essential to maintain compliance with DISHA’s security protocols.
Consequences of Non-Compliance with DISHA
The significance of DISHA is underscored by the penalties for non-compliance. Healthcare organizations that fail to adhere to the regulations may face:
- A minimum fine of ₹1 lakh, with an additional ₹10,000 per day until compliance is achieved, capping at ₹1 crore.
- Compensation obligations for breaches of digital health data, which can include penalties for unauthorized collection, storage, or sharing of health information.
- Severe breaches may result in imprisonment for 3-5 years or fines exceeding ₹5 lakh for those who act dishonestly or use data for commercial gain.
Ensuring Healthcare Data Security in India
As India moves towards implementing the Digital Information Security in Healthcare Act (DISHA), the need for robust data protection mechanisms has never been more critical. In this context, ImproWise CTMS+CDM emerges as a vital tool for clinical trials striving to comply with DISHA and ensure the security of digital health data.
ImproWise offers a comprehensive Clinical Trial Management System (CTMS) and Clinical Data Management (CDM) platform designed to enhance data privacy, integrity, and security. With features such as advanced data encryption, secure data sharing protocols, and real-time access control, ImproWise empowers organizations to manage their health data responsibly. Furthermore, the platform supports training modules that help staff adhere to compliance standards set forth by DISHA.
