A large number of tourists visit India to access its wide array of health care services, drawn by affordable prices, a large pool of highly skilled medical professionals, world-class infrastructure, quality and cost-effective treatments, ease of communication and travel, short waiting times, and medical technology on par with global industry standards.

The services tourists opt for range from basic elective procedures to complex specialized surgeries. With the steps taken by the Ministry of Tourism to promote India as a medical and health tourism destination and the introduction of the "e-Medical Visa," which enables travelers from 166 countries to visit India for medical treatment, the number of tourists visiting India for health care services is expected to keep increasing each year.

India's draft Personal Data Protection Bill (PDPB) emphasizes the core requirement of protecting the personal data of the data principal. Among other significant provisions, the PDPB proposes substantial penalties for violation of its requirements: INR 5 Cr (about USD 1 million) to INR 15 Cr (about USD 3 million), or 2 to 4% of the organization's total worldwide turnover of the preceding financial year, whichever is higher. Such provisions, along with a heightened focus on the collection and use of personal data, will require organizations (referred to in the bill as data fiduciaries and data processors) to revisit their processes and operations and establish a robust privacy and data protection framework.

Given the requirements of multiple privacy regulations and health care laws, the increasing use of technology in medical devices and service delivery, and the use of mobile apps and aggregator platforms to access health care services, awareness of privacy and data protection in the health care industry becomes ever more pertinent. Although health care organizations are now starting to adopt best practices for privacy and data protection in their service delivery and device interfaces, major improvements are still needed at an operational level.

Key privacy and data protection issues faced by health care organizations, and the practices organizations have adopted to address them, are as follows:

Segregation and treatment of data received from multiple sources, including internet-of-things-enabled devices

  • Information footprinting: Organizations are now tracking data to identify and understand where personal data resides at all times. To support this, data discovery exercises (manual and tool-based) are being conducted. Mapping the data helps determine its lifecycle, the security controls, the devices through which it is generated, the level of access to be granted to staff (doctors, nurses, contractual staff, etcetera) and the sharing of information outside the organization, so that the right information is accessed by the right stakeholders. Additionally, identifiers are being added to datasets to record the source of the data, the associated consent, the validity of that consent and the region of origin of the user.
  • Asset management controls: Organizations have started taking into account key privacy and security factors that embed privacy by design in existing and planned systems, for example, identifying privacy and security checks before a new IoT device is purchased, security configurations for data stored or held by the device, retention periods for the data stored on the device, etcetera.
  • Privacy and data protection trainings and awareness sessions: Health care organizations have started conducting role-based privacy trainings to make the staff (doctors, nurses, contractual staff, etcetera) aware of the risk associated with mishandling and misuse of data.
  • Security controls: Health care organizations now provide local access or access via multifactor authentication for patient records and reports. Mobile access to patient records and health care systems is restricted and enabled only for devices with appropriate security certificates installed.
  • Handling data of family members: In cases where a family member of one of the health care professionals is being treated, organizations monitor access to ensure that the health care professionals are not accessing records of family members unless authorized by them to do so.

Encrypting electronic medical records in a network of connected medical devices and applications

Several standards and regulations recommend encryption, among other data security measures, to reduce the risk of a cyberattack; however, every organization follows its own approach to encryption based on its maturity, applicable regulatory requirements and risk appetite. Some health care organizations do not encrypt data at rest, as it may degrade the performance of connected medical devices and other health care applications. It may also cause problems because the many devices and applications involved have different encryption capabilities that are not necessarily compatible with each other. Given the requirements for data access, organizations have also adopted models in which the main devices and applications keep only the data currently being processed; once the patient is discharged, the relevant data is transferred to a more secure environment or server and removed from the original source. For other organizations, encrypting data at rest and in transit is a common best practice that works efficiently when a proper public key infrastructure is in place, enabling combinations of symmetric encryption and hashing to protect data efficiently. Organizations that encrypt data at rest apply encryption at multiple levels according to the data being handled, such as table-level encryption and field-level encryption, to limit the impact on system performance.

Blockchain is also being considered as a potential solution to ensure patient data confidentiality, but it has not been implemented by organizations yet.

Handling data and communication via WhatsApp

While regulatory requirements may not allow the use of WhatsApp, or may deem the communication to lack sufficient safeguards, it is still being used by health care professionals and patients to interact with one another, share documents and give advice. Organizations that have discouraged the use of WhatsApp have instead enabled communication via chat applications, hospital portals or web forms that meet the requirements of applicable privacy laws.

Organizations that have accepted the use of WhatsApp have prepared organizational WhatsApp usage policies and guidelines to inform health care professionals of their responsibilities when using WhatsApp for communication and when handling the associated data. These policies and guidelines usually include practices such as:

  • On receipt of a request or information, inform the patient of the organization's commitment to the privacy of patient data, the potential risks of using unsecured channels or modes of communication, and the appropriate alternative channels. Delete or archive the message once the patient has sent the request through the appropriate channel.
  • Interact with the patient and respond to the query on WhatsApp, then upload the necessary details to the central patient record or print a copy of the communication and add it to the patient file, and delete or archive the original message. In some cases, organizations allow such communication only from organization-owned devices.

Managing risks on using personal data for business intelligence and analysis

Organizations use business intelligence (BI) tools for analysis and management reporting on patient data. Reports include trends among users and customers over the past few months, the services most and least sought by users, etcetera. Organizations address the privacy and data protection risks of BI tools and the associated analysis in the following ways:

  • Documenting the personal data used by the BI tool for the analysis, the purpose of the analysis and making the patients aware of the same.
  • Pseudonymizing or anonymizing patient data.
  • Ensuring that secondary databases created for use or for references are aligned with the original purpose of the analysis.
  • Identifying access levels and associated controls to restrict access to BI and analysis to a specific group.
  • Identifying controls for retention of data.
  • Limiting the involvement of third parties unless absolutely necessary.
  • Frequent monitoring of data being processed and related accesses.
  • Enabling built-in encryption on tools and configuring the access per user role so that visualizations, worksheets, etcetera, can be encrypted/decrypted at the client side.
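As an added example that is not part of the article, the following Python sketch shows the pseudonymization step from the list above: direct identifiers are dropped, the patient id is replaced by a keyed HMAC token so the BI tool can still count repeat visits, and date of birth is generalized to an age band. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records as they would be exported from the hospital system.
PATIENTS = [
    {"patient_id": "P1001", "name": "A. Sharma", "dob": "1984-03-12",
     "phone": "+91-98000-00001", "service": "cardiology", "visit": "2023-04-02"},
    {"patient_id": "P1002", "name": "R. Iyer", "dob": "1958-07-04",
     "phone": "+91-98000-00002", "service": "dermatology", "visit": "2023-04-03"},
    {"patient_id": "P1001", "name": "A. Sharma", "dob": "1984-03-12",
     "phone": "+91-98000-00001", "service": "cardiology", "visit": "2023-05-09"},
]
DIRECT_IDENTIFIERS = {"name", "phone", "dob"}
# Constructed key: in practice held by the privacy team outside the BI
# environment, since it is the only route from a token back to a patient.
KEY = b"constructed-demo-key-not-for-production"

def pseudonym(patient_id, key):
    """Keyed, deterministic token: same patient -> same token under one key,
    so repeat visits can be counted without exposing the record id."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(dob, on=date(2023, 6, 1), width=10):
    """Generalize date of birth to a 10-year age band as of `on`."""
    born = date.fromisoformat(dob)
    age = on.year - born.year - ((on.month, on.day) < (born.month, born.day))
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"

def pseudonymize(records, key):
    """Build the BI dataset: direct identifiers dropped, id tokenised,
    date of birth replaced by an age band."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["patient_id"] = pseudonym(rec["patient_id"], key)
        row["age_band"] = age_band(rec["dob"])
        out.append(row)
    return out
```

Rotating or losing the key breaks the link between tokens and patients, which is the intended property when the key is segregated from the analytics environment.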

Managing the personal health data of VIPs and celebrities

Organizations that serve VIPs and celebrities have to apply an additional layer of security and privacy specifically to such personal data. The first step is to restrict access to these patient records by assigning permissions. Thereafter, an automated workflow is initiated in which the privacy team is notified every time the file is requested, accessed or updated. This can also be configured in the existing security information and event management (SIEM) or user and entity behavior analytics (UEBA) tools. SIEM tools use predefined rules to determine whether certain scenarios are met and raise an issue as per the configured rules. UEBA tools, on the other hand, baseline peer groups and flag deviations between a specific user's behavior and that of their peers.

Where the automated workflow is not in place, organizations audit accesses to the medical records of VIPs and celebrities to identify unauthorized access. In such instances, the data protection officer is informed without delay and the unauthorized accesses are dealt with through the organization's disciplinary process.
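The two detections described above, the rule-based SIEM check on restricted (VIP) records and the peer-group UEBA comparison, together with the family-member access check from the first list, as an added Python example that is not part of the article. The audit-log format, user names, record ids and the access policy are all constructed for illustration.

```python
from collections import Counter
from statistics import median

# Constructed EHR audit log: timestamp user role patient_id action
AUDIT_LOG = """\
2023-05-01T09:00 dr_rao physician P1001 view
2023-05-01T09:05 dr_rao physician P1002 view
2023-05-01T09:10 nurse_k nurse P1003 view
2023-05-01T09:12 nurse_k nurse P9001 view
2023-05-01T09:15 dr_sen physician P9001 update
2023-05-01T09:20 dr_rao physician P2002 view
2023-05-01T09:30 clerk_m admin P1001 view
2023-05-01T09:31 clerk_m admin P1002 view
2023-05-01T09:32 clerk_m admin P1003 view
2023-05-01T09:33 clerk_m admin P1004 view
2023-05-01T09:40 clerk_j admin P1007 view
2023-05-01T09:41 clerk_a admin P1008 view
"""
# Constructed policy: VIP records and staff cleared for them; staff with a
# family member as patient, and which (user, patient) pairs that patient authorized.
RESTRICTED = {"P9001": {"dr_sen"}}
FAMILY = {"dr_rao": {"P2002"}}
FAMILY_CONSENT = set()

def parse(log):
    for line in log.splitlines():
        if line.strip():
            _ts, user, role, pid, action = line.split()
            yield user, role, pid, action

def rule_alerts(log):
    """SIEM-style rules: notify on every VIP access, alert when unauthorized."""
    alerts = []
    for user, _role, pid, action in parse(log):
        if pid in RESTRICTED:
            kind = "vip_access" if user in RESTRICTED[pid] else "vip_unauthorized"
            alerts.append((kind, user, pid, action))
        if pid in FAMILY.get(user, ()) and (user, pid) not in FAMILY_CONSENT:
            alerts.append(("family_record", user, pid, action))
    return alerts

def peer_deviation(log, factor=3):
    """UEBA-style check: users whose access count exceeds `factor` times the
    median of their role peers (toy baseline; real tools use long windows)."""
    counts = Counter((user, role) for user, role, _p, _a in parse(log))
    flagged = []
    for (user, role), n in counts.items():
        peers = [c for (u, r), c in counts.items() if r == role and u != user]
        if peers and n > factor * median(peers):
            flagged.append(user)
    return flagged
```

Every VIP access produces a notification record, so the privacy team sees authorized use as well as the unauthorized nurse access; the peer check surfaces the clerk whose volume is out of line with the other admins.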

Some health care organizations use separate servers or modules and require multifactor authentication to provide access to records of VIPs and celebrities.

Since the health care industry processes high volumes of personal and sensitive personal data, organizations in it may be identified as significant data fiduciaries, which imposes additional obligations on them. As the health care ecosystem is very large and involves multiple stakeholders, it would be useful for organizations to perform readiness assessments and identify the best practices they can adopt to ensure timely readiness for the requirements of the bill.
