How the DPDP Act reshapes the healthcare sector’s compliance requirements
Source: Financial Express
With the implementation of the DPDP Act, individuals will gain enhanced rights and protections for their health data, granting them the ability to access, correct, and erase their health information.
In Brief
- The DPDP Act empowers individuals by giving them the right to access, correct, and erase their health information.
- As the level of digitization varies among healthcare organizations, there is a need to implement a sustainable method of data discovery for robust data governance.
- Storage and processing of data shared with third-party vendors, insurers, and digital healthcare platforms will require a comprehensive third-party data privacy management framework.
- Healthcare institutions must implement centralized solutions that enable active security monitoring, threat detection, incident response, as well as vulnerability scanning and patching.
The Digital Personal Data Protection (DPDP) Act, 2023 underscores the importance of safeguarding personal data privacy and security across diverse industries. In the healthcare sector, where digitization is transforming how hospitals and healthcare institutions manage and access medical records to enhance patient care, the DPDP law is expected to redefine strategies for safeguarding data, upholding patient confidentiality, and advancing medical capabilities. Specifically, the DPDP Act imposes substantial obligations on data fiduciaries and mandates rigorous measures to preserve the confidentiality and integrity of health data, with severe consequences for any breaches or security lapses. This makes robust cybersecurity protocols indispensable.
While earlier laws, such as the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011, offer some protection for healthcare data, the rapid pace of digitization in healthcare exposes vulnerabilities, leaving highly sensitive personal health information at risk. The Digital Information Security in Healthcare Act (DISHA), which is pending approval and is modeled on the EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), aims, together with the Health Data Management Policy of 2020, to safeguard the privacy and confidentiality of digital health data.
Once the DPDP Act is in force, individuals gain enhanced rights over their health data: the ability to access, correct, and erase their health information. This marks a momentous shift towards a healthcare system centered on individual empowerment.
Data discovery is paramount
With the new law, data discovery has become a necessity in the healthcare sector. From the moment a patient is admitted to the point of eventual discharge, healthcare organizations amass a trove of sensitive personal data, including information about children and individuals with disabilities. These data are routinely shared with third-party vendors, insurers, and digital healthcare companies and platforms for purposes such as data-driven decision-making. In many instances, however, the storage and processing of these data lack proper control and organized structure. Additionally, the level of digitization within healthcare organizations in India varies with the size of their operations. Given these conditions, organizations should implement a sustainable method of data discovery for robust data governance, and automating this process is crucial if it is to remain sustainable.
To enhance data governance, healthcare organizations must establish a comprehensive third-party data privacy management framework. This framework should include a set of principles, tools, and practices for identifying and addressing risks while enforcing effective risk management protocols.
Securing data
While only a handful of healthcare institutions have successfully developed and fully implemented comprehensive security policies, standards, and procedures, the majority have either implemented them partially or are at a rudimentary level. Numerous areas within the healthcare sector demand immediate reinforcement of cybersecurity measures. For instance, establishing benchmarks for system design and configuration is important both for new systems and for adapting existing ones.
Most organizations currently lack centralized solutions for security monitoring. Going forward, healthcare institutions must prioritize centralized solutions that provide active security monitoring, threat detection, incident response, and vulnerability scanning and patching to bolster data security. To fortify the infrastructure, institutions should also consider adopting cloud-based security solutions.
Healthcare institutions have made some headway in ensuring secure access for clinicians and privileged users, both on-site and remote. Introducing multi-factor authentication (MFA), which requires users to present multiple forms of verification before gaining access to electronic health records (EHRs), patient information, and other critical systems, adds a further layer of security. This not only safeguards against insider threats but also mitigates credential-related risks.
In addition to establishing robust security systems, institutions should routinely conduct privacy risk assessments of their technology systems. This includes a comprehensive third-party risk assessment, which entails analyzing the risks posed by third-party relationships throughout the supply chain, including suppliers, vendors, and service providers.
Regulators should consider implementing legislation that compels manufacturers to assume responsibility for the design and security systems of medical devices. Furthermore, they should address cybersecurity vulnerabilities that may arise after installation.
Additionally, in accordance with the DPDP Act, healthcare organizations in India should consider appointing Data Protection Officers (DPOs) to oversee and ensure compliance with data protection obligations within their organizations.
The timeline for implementing these mitigation measures may range from four to six months, depending on the size and existing infrastructure of the healthcare organization. Simultaneously, the organizations must allocate sufficient budgets to establish the necessary systems and structures.