Healthcare

Security & Privacy by Design - 'The Guiding Principle' of Health Data Management Privacy Policy by ABDM

__
<p style="text-align: justify;">Every byte of data has a story to tell. The question is whether the story is being narrated accurately and securely. Usually, we focus sharply on the trends around data with a goal of revenue acceleration but commonly forget about the vulnerabilities caused due to bad data management.&nbsp;</p><p style="text-align: justify;">Data possesses immense power, but immense power comes with increased responsibility. In today&rsquo;s world, collecting, analysing, and building prediction models is simply not enough. Keep in mind that we are in a generation where the requirements for data security have perhaps surpassed the need for data correctness. Hence the need for privacy by design is greater than ever.</p><p style="text-align: justify;">&ldquo;<a href="https://abdm.gov.in/documents/health_management_policy">Privacy by Design</a>&rdquo; and &ldquo;Privacy by Default&rdquo; have been frequently discussed topics related to data protection. The first thoughts of &ldquo;Privacy by Design&rdquo; was expressed in the 1970s and were incorporated in the 1990s into the RL 95/46/EC data protection directive.&nbsp;</p><p style="text-align: justify;">Privacy by design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. The adoption of security and privacy principles is a crucial step in building a secure, audit-ready program.</p><p><img style="display: block; margin-left: auto; margin-right: auto;" src="https://kradminasset.s3.ap-south-1.amazonaws.com/ExpertViews/Sujeetimage1.png" alt="7 Principles of Privacy by Design" width="335" height="331" /></p><h2><span style="font-size: 14pt;">Privacy by Design is Based on Following 7 Principles:</span></h2><p style="text-align: justify;">1. &nbsp; &nbsp;Proactive, not reactive; preventative, not remedial - Privacy by design comes before the fact, not after.<br />2. &nbsp; &nbsp;Privacy as the default setting - it is built into the system by default.<br />3. &nbsp; &nbsp;Privacy by design is embedded into the design and architecture of IT systems and business practices.<br />4. &nbsp; &nbsp;Privacy by design seeks to accommodate all legitimate interests and objectives in a positive-sum &ldquo;win-win&rdquo; manner, not zero-sum.<br />5. &nbsp; &nbsp;End-to-end security &mdash; Full life-cycle protection.<br />6. &nbsp; &nbsp;Visibility and transparency &mdash; Privacy by design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives.<br />7. &nbsp; &nbsp;Respect for user privacy &mdash; Keep it user-centric.</p><h2><span style="font-size: 14pt;">Privacy by Design in Health Data Management Privacy Policy by ABDM</span></h2><p style="text-align: justify;">Consider data protection requirements as part of the design and implementation of systems, services, products, and business practices. The federated design of the National Digital Health Ecosystem ensures that no personal data other than what is required at a minimum to create and maintain Health IDs, Facility IDs, or Health Professional IDs shall be stored centrally.&nbsp;</p><p style="text-align: justify;">Electronic medical records shall be stored at the health facility where such records are created or at such other entities as may be specified by policy. Electronic health records shall be maintained by entities specified by policy as a collection of links to the related medical records.&nbsp;</p><p style="text-align: justify;">Ayushman Bharat Digital Mission (ABDM) shall issue appropriate technological and operational guidelines providing for the establishment and maintenance of the federated architecture, for ensuring the security and privacy of the personal data of data principals, and for maintenance of electronic medical records and electronic health records.</p><p><img style="display: block; margin-left: auto; margin-right: auto;" src="https://kradminasset.s3.ap-south-1.amazonaws.com/ExpertViews/Sujeetimage2.jpg" alt="Centre approves Health Data Management Privacy Policy by NDHM" width="499" height="270" /></p><h2><span style="font-size: 14pt;">Prepare a privacy policy containing the following information:</span></h2><p style="text-align: justify;">(a) Clear and easily accessible statements of its practices and policies; &nbsp;<br />(b) type of personal or sensitive personal data collected;&nbsp;<br />(c) the purpose of collection and usage of such personal or sensitive personal data; &nbsp;<br />(d) whether personal or sensitive personal data is being shared with other data fiduciaries or data processors; &nbsp;<br />(e) reasonable security practices and procedures used by the data fiduciary to safeguard the personal or sensitive personal data that is being processed.&nbsp;</p><p style="text-align: justify;">The privacy policy referred to shall be published on the website of the data fiduciary. In addition, the data fiduciary shall also make available a privacy by design policy on its website containing the following information:<br />(a) The managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;&nbsp;<br />(b) the obligations of data fiduciaries;&nbsp;<br />(c) the technology used in the processing of personal data, in accordance with commercially accepted or certified standards;&nbsp;<br />(d) the protection of privacy throughout processing from the point of collection to deletion of personal data;&nbsp;<br />(e) the processing of personal data in a transparent manner; and&nbsp;<br />(f) the fact that the interest of the data principal is accounted for at every stage of processing of personal data.&nbsp;</p><p style="text-align: justify;">The privacy policy issued and the principles of privacy by design followed by the data fiduciaries should be in consonance with this policy and applicable law.</p><p style="text-align: justify;"><em><span style="font-size: 10pt;">This <a href="https://www.linkedin.com/pulse/security-privacy-design-guiding-principle-health-data-katiyar/">article</a> was contributed by our expert Sujeet Katiyar.</span></em></p><h3 style="text-align: justify;"><span style="font-size: 18pt;">Frequently Asked Questions Answered by Sujeet Katiyar:</span></h3><h2><span style="font-size: 12pt;">1. What is the purpose of health data management?</span></h2><p style="text-align: justify;">Health data management is the process of storing, protecting, and analyzing data pulled from diverse sources. Managing the wealth of available healthcare data allows health systems to create holistic views of patients, personalize treatments, improve communication, and enhance health outcomes.</p><p style="text-align: justify;">Benefits of Healthcare Data Management:&nbsp;<br />&bull; &nbsp; &nbsp;Create 360-degree views of consumers, patients, and households. Deploy personalized, guided interactions by integrating data from all available sources.<br />&bull; &nbsp; &nbsp;Enhance patient engagement with predictive modeling and analysis based on healthcare data.<br />&bull; &nbsp; &nbsp;Improve population health outcomes in specific geographic areas by tracking current health trends and predicting upcoming ones.<br />&bull; &nbsp; &nbsp;Make informed, high-impact business decisions based on data insights.<br />&bull; &nbsp; &nbsp;Understand physician activity and align them with the organization&rsquo;s goals.</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">2. What are the challenges of healthcare data management?</span></h2><p style="text-align: justify;">In the past few decades, medical data began a transition from purely paper-based tracking to digitized information. Even today, many types of medical data have yet to be digitised, or have not yet been integrated into Health Data Management systems.&nbsp;</p><p style="text-align: justify;">Here are a few important challenges of healthcare data management:&nbsp;<br />&bull; &nbsp; &nbsp;Fragmented data&mdash; There is no one source of truth for information on patient well-being. Medical data is widely duplicated, collected multiple times, and stored in different versions by healthcare providers, public health organizations, insurance bodies, pharmacies, and patients themselves.&nbsp;</p><p style="text-align: justify;">&bull; &nbsp; &nbsp;Changes to data&mdash;Medical data constantly changes, as do the names, professions, locations, and conditions of patients and physicians. Patients undergo numerous tests and are administered many types of treatment over the years, and the treatments and medications themselves evolve over time. New types of medical treatment, such as telehealth models, create new types of data.&nbsp;</p><p style="text-align: justify;">&bull; &nbsp; &nbsp;Regulations and compliance&mdash;Medical data is sensitive and must adhere to government regulations, such as the USA&rsquo;s HIPAA, Europe&rsquo;s GDPR, and India&rsquo;s Data Protection Bill. Data discovery challenges and poor data quality make it much more difficult to perform the required audits and meet regulatory requirements.</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">3. What is health data management policy?</span></h2><p style="text-align: justify;">The Health Ministry of India has approved the Health Data Management Policy under the National Digital Health Mission (NDHM) to protect and manage the personal data of patients using the digital services of the scheme.&nbsp;<br />&nbsp;<br />The organizations participating in the NDHM, as well as the partners/persons who are a part of the National Digital Health Ecosystem (NDHE), are included in the draft policy&rsquo;s framework. Entities and individuals who have been given an ID under the draft policy, healthcare practitioners, health care providers who collect, store, and distribute health data in electronic form in connection with purchases, drug manufacturers, medical device manufacturers, insurers, research bodies, and regulatory bodies such as the MoHFW are among them.&nbsp;</p><p style="text-align: justify;">Objectives:<br />&bull; &nbsp; &nbsp;To build a cutting edge digital health system, manage core digital health data, and build the infrastructure needed for seamless data exchange;<br />&bull; &nbsp; &nbsp;Constructing a single source of truth for the clinical institution, healthcare professionals, health personnel, medication, and pharmacies by establishing registries<br />&bull; &nbsp; &nbsp;To establish a health record registry based on international standards that is freely accessible to patients, healthcare professionals, and service providers and is based on the individual&rsquo;s informed consent;<br />&bull; &nbsp; &nbsp;Established health information systems should be improved by ensuring their compliance with specified requirements and integration with proposed NDHM;<br />&bull; &nbsp; &nbsp;To promote the adoption of appropriate initiatives to ensure the quality of healthcare;<br />&bull; &nbsp; &nbsp;To promote improved health sector management through the use of health data analytics and medical research;<br />&bull; &nbsp; &nbsp;To enable health professionals and practitioners to use clinical decision support (CDS) systems;<br />&bull; &nbsp; &nbsp;To ensure national portability in the delivery of health care services;<br />&bull; &nbsp; &nbsp;To persuade all national digital health stakeholders to follow open standards.</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">4. What is privacy and security in healthcare?</span></h2><p style="text-align: justify;">In the healthcare world, there&rsquo;s often a lot of confusion between security and privacy &mdash; which are two interrelated but distinct IT issues on the cyber-security spectrum. Briefly, security addresses safeguarding data and systems, whereas privacy addresses safeguarding identity and specific parts of data.&nbsp;</p><p style="text-align: justify;">The healthcare industry is seeing a steady increase in hacking. This situation is worrisome from the perspective of privacy and security in healthcare.&nbsp;</p><p style="text-align: justify;">Why is cyber security in healthcare so important? Patient data includes personally identifiable information (names, dates of birth, addresses, bank account numbers) and medical information (ailments, disabilities, abuse, mental conditions). A data leak can damage the reputation of both doctors and their patients.&nbsp;</p><p style="text-align: justify;">Improving the security of IT systems for storing and processing medical records reduces the risk of cyber-attacks. Laws place protections around patient data and healthcare facilities, establishing security standards to protect medical records.</p>
KR Expert - Sujeet Katiyar