With the much publicised, especially in the western media, incident of clinical data theft from the London clinic, the issue of data security has come to the forefront. Since the incident involved Indian IT or business process outsourcing (BPO) companies, the western media has blown up the issue.
NASSCOM, the premier trade body and the chamber of commerce of the IT-BPO industries in India, has called for a speedy police enquiry into the case of alleged illegal sale of private medical records through IT companies in the country. The case was busted in a sting operation by a British television news channel.
As per the findings of the sting operation, medical records sent for computerisation to Indian IT companies were sold illegally in the black market. The files were sold by two men who claimed to have gained access to the information from IT companies. Thousands of medical files from top private hospitals in Britain are outsourced for computerisation to India every year.
A number of these files, which contain personal details of the patient's health, name, age and address, are for sale in the black market for prices as low as $4 each. The two men caught on camera involved in the black marketing claim to have access to thousands more such files.
Incidentally, to prevent such data theft or data misuse, NASSCOM had set up a self-regulatory body (SRO) called the Data Security Council of India (DSCI). However, without any statutory authority, DSCI has so far failed to prevent these kinds of incidents.
There is one more body, the Indian Computer Emergency Response Team (Cert-In), set up by the Indian government 'To enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration'.
While DSCI is an SRO created by an industry body, Cert-In is a statutory body which operates under the auspices of, and with authority delegated by, the Department of Information Technology under the Ministry of Communications and Information Technology.
But in the recent data theft case, both DSCI and Cert-In were caught napping. While calling for a speedy police inquiry in the case, NASSCOM said: "Given the scale of movement of data in the globalised world, incidents such as what has happened are stray incidents that are not reflective of the industry as a whole. Security is and will remain our number one priority. India has established an excellent international reputation and we will not allow this to be compromised at any cost."
Although there is no law or regulation that makes it mandatory for all organisations handling data to be a member of DSCI and comply with its data protection guidelines, this was the basic reason why DSCI was created in the first place. This leaves more responsibility on Cert-In. But in the recent past, this body was more engaged in sending out alerts about viruses, spam, malware, phishing attacks and security holes in software.
This leaves the data protection job in the hands of company and organisation officials. But since the volume involved is so huge, it is not possible to keep a vigil on each and every record all the time.
There is another interesting finding with regard to medical records. One of the major contributing factors is that medical or health care data – and how it is collected, stored and shared – is handled very differently from data in most other sectors. Whereas other records can be dealt with discretely during some sort of business transaction, the sum of one's health care history is typically required during a medical occurrence.
A bank can put security parameters around a single transaction very nicely, but in health care you can't do the same kind of encapsulation (in the networking sense, wrapping data with control information as it passes through the layered model), as its needs are different. Looking at the lower IT spending at hospitals, the task becomes even more difficult.
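The bank-versus-hospital contrast above can still be made concrete on the defender's side: even when a whole record must travel, the release itself can be wrapped in a control envelope that limits fields to the stated purpose, replaces the patient's identity with a keyed pseudonym, and writes an audit entry. The following is an added illustration, not code from the article or from any of the bodies it names; the purpose-to-field map, the sample record, the demo key and the in-memory audit list are all constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed sample record: the kinds of fields the article says were on sale
# (name, age, address) alongside the clinical content a transcription vendor needs.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "A. Patient",
    "age": 54,
    "address": "1 Example Street, London",
    "notes": "Routine follow-up; blood pressure recorded.",
    "lab_results": {"hba1c": 6.1},
}

# Hypothetical purpose-to-field map (an assumption for this example): which fields
# a given processing purpose may receive. Outsourced "computerisation" gets the
# clinical content but none of the direct identifiers.
PURPOSE_FIELDS = {
    "computerisation": {"notes", "lab_results"},
    "treatment": {"name", "age", "address", "notes", "lab_results"},
}

# In-memory stand-in for an append-only audit store (assumption for this example).
AUDIT_LOG = []


def pseudonym(patient_id, key):
    """Keyed HMAC of the patient id: lets the vendor correlate pages of one
    record without learning who the patient is. The key stays with the data
    controller, so the vendor cannot reverse the mapping."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def release_record(record, purpose, requester, key):
    """Release only the fields the purpose is entitled to, under a pseudonym,
    and log the release. Unknown purposes are refused rather than defaulted."""
    if purpose not in PURPOSE_FIELDS:
        raise PermissionError(f"unknown purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    out["pseudonym"] = pseudonym(record["patient_id"], key)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "purpose": purpose,
        "pseudonym": out["pseudonym"],
        "fields": sorted(allowed),
    })
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real key would live in a KMS
    print(release_record(SAMPLE_RECORD, "computerisation", "vendor-a", demo_key))
    print(AUDIT_LOG[-1])
```

The point of the envelope is that a leaked transcription batch carries no name, age or address, and every release is attributable to a requester and a purpose, which is the kind of control the article says is easy to place around a bank transaction and hard to place around a full medical history.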
While a financial services provider allocates about 10% to 12% of revenues to IT, and high-tech companies spend almost 20% to 30% on technology, the healthcare industry's IT allocations are somewhere between 3% and 5%. This explains the above-mentioned data theft incidents.
Looking at the security controls that have been put in place, the military and government have much higher integrity, while medical data still remains a soft target for potential theft. The Indian IT and BPO industry no doubt has to improve its data handling, but other users also need to be careful in data handling, especially of medical data, since electronic medical records (EMRs) and personal health records (PHRs) are the hot buttons in healthcare at the moment. - Yogesh Sapkale