Digital Information Security in Healthcare Act

 Digital Information Security in Healthcare Act

What is the Digital Information Security in Healthcare Act (DISHA) in India?

The Ministry of Health & Family Welfare, Government of India (MoHFW) proposed the Digital Information Security in Healthcare Act in 2017, but it was never implemented. On March 25, 2020, the MoHFW released the Telemedicine Practice Guidelines in response to the urgent requirement, which caused an unexpected rise in e-consultations in the healthcare industry.

The Guidelines set forth severe requirements for technological platforms and, in the event that they are discovered to be in breach, hold them accountable by blacklisting them.

The Digital Information Security in Healthcare Bill, 2022 (DISHA) was recently put forth by the MoHFW with the following goals:

  • Recognize the need to safeguard persons' personal data;

  • Oversee and control digital personal data.

The fact that there is no clear-cut formula to distinguish between the behaviors that fit into the categories above makes this Bill just another tool for restricting citizens' rights (privacy).

Highlights of the DISHA Act:

  • The DISHA (Digital Information Security in Healthcare Act) will serve as the framework for the development of digital health records in India and will enable the digital sharing of individual health records with hospitals and clinics as well as between hospitals and clinics. The National Health Policy has given approval for the exchange of Aadhaar-linked electronic health records via the National Health Information Network. It seems like DISHA lays the foundation for other health exchanges.

  • DISHA places a person squarely in control of his data and establishes considerable constraints on the usage of health data. The stronger security provided by DISHA for an individual's data is evident. In reality, the DISHA expressly limits the uses and processing of health data and forbids processing on any other legal justifications, including permission. In addition, there is a necessity of either the person's agreement or legislation requiring such use if a purpose or processing is defined under DISHA.

  • The DISHA's approach to data governance is totally consent-based, providing the individual enormous rights and making him the clear owner of his data.  An individual now has a real say in what happens with his or her data thanks to DISHA.

  • The bill offers a unique compliance framework for India's defense of people's digital security. According to Section 4, the Bill is applicable to digital personal data that is digitized and collected within the boundaries of India, whether it is collected online or offline.

  • The bill will only be used in situations where outside parties are handling personal data. India is used to profile individuals or to provide goods and services to Indian-based Data Principals.

  • The bill also includes special clauses in Chapter 4, which discusses exceptions to the bill's applicability. For example, if the processing is being carried out by a court or tribunal or if it is necessary for the investigation, prosecution, or detection of an offense.

  • The board may impose a penalty based on the kind, seriousness, and length of the violation under Section 25, which establishes a punishment in the event that an individual violates the provisions.

Why Secure Digital Health Data?

Every nation should have accurate and complete patient records, whether they are ethereal (soft copies) or physical (hard copies). As we've transitioned to the digital era, paperwork has decreased significantly nowadays. Everyone therefore makes an effort to maintain their records digitally because technology has many advantages. However, there is a concern about data security when it comes to the internet and technology. Sensitive and significant data should be securely and effectively protected. 

India has a significant population, making it difficult to maintain a single, unified record of every individual and necessitating the correct security of digital patient data.

The Digital Information Security in Healthcare Act, 2018, which the central government created as a public welfare act, addresses these issues by taking into account these facts and the incidents of data breaches involving highly sensitive and personal data.

What is the DISHA Healthcare Act's Purpose?

The act's major goal was to guarantee the confidentiality, privacy, standardization, and security of digital health data. The act aims to control how digital health data connected with identifiable personal information is generated, collected, stored, transmitted, and accessed. The National Digital Health Authority and Health Information Exchanges were established as a result. It keeps track of all the health-related data about the person's physical and mental well-being, the health services they received and inspection of a body part or physical substance, the data gathered while offering health services, and the specifics of any clinical facility the person visited.

Is a Healthcare Data Security Law Necessary in India?

The Information Technology Act, 2000 (the "IT Act"), as amended by the Information Technology (Amendment) Act, 2008, when combined with Information Technology Rules, 2011, addresses the current legal framework pertaining to data privacy and protection. The IT Act, which places a strong emphasis on information security, fails to adequately address concerns about data privacy.

Furthermore, it doesn't outline any broad guidelines for the security, exchange, and protection of private data, including health information. In this respect, the proposed Digital Information Security in Healthcare Act 2018 (‘DISHA’) provides security, standardization, privacy, and confidentiality standards for electronic health data. The Health Insurance Portability and Accountability Act of 1996 (or "HIPPA"), which governs this subject in the United States, is seen as having an Indian equivalent in DISHA. Although DISHA seems to hold some promise, its enforcement and implementation have not yet undergone a full evaluation.

Healthcare Organizations Responsibilities Under the DISHA:

The Digital Information Security in Healthcare Act (DISHA) in India places certain obligations on healthcare organizations. DISHA controls the gathering, storing, and transmission of patient health data with the goal of ensuring its security. Healthcare organizations are required to abide by DISHA's rules in order to protect patient data and guarantee its accuracy and confidentiality. This entails putting in place strong security measures, carrying out frequent audits, and ensuring compliance with relevant laws like HIPAA (in contrast to DISHA) for international requirements for information safety and security as well as the data protection standards defined by DISHA.

The DISHA requirements for the safety of user health information in India must also be followed by healthcare organizations. This entails taking precautions to avoid unauthorized access or breaches and ensuring that medical information is stored securely with access limited to authorized people.

How Can Healthcare Data Security be Ensured in India?

Medical staff used to manually write down large amounts of healthcare information that was difficult to handle and preserve. The development of technology made it possible to save and retrieve this data at the touch of a finger, but this convenience also carries risks. Patient information is more exposed to data breaches and cyberattacks as a result of increased digitalization. Due to the fact that consumers entrust health tech firms with their personal information, the highest level of data privacy is essential in the healthcare industry.

Data is now essential to information warfare. AI requires data as a key component. The quantity of data about a person is growing as a consequence of digital revolutions. Strict data privacy laws must be followed with regard to medical records. Not only do hackers pose a concern, but also businesses that carry out nefarious deeds or utilize backend techniques to access data.

(a) Internal Threats

Because they are more likely to fall for hacking and social engineering frauds or try to steal data on their own, employees in the healthcare sector exhibit a particularly high level of carelessness. This is problematic because most health information must be delivered through secure, authorized channels or encrypted before leaving an organization's premises. Healthcare providers may employ Data Loss Prevention, also known as DLP, technologies to impose restrictions on the flow of confidential medical information within and outside of their networks.

DLP systems use pre-built profiles and individualized definitions to manage and control sensitive data. They are intended to effectively safeguard sensitive data. DLP systems may identify medical information in files and within the text of emails prior to their arrival using sophisticated content assessment and semantic detection technologies that prevent it from being distributed through unauthorized channels.

(b) Access to Data

Locally stored health information on workplace computers becomes unsecured and vulnerable to theft. While performing their tasks, employees frequently access, download, and keep sensitive material, and they could forget to delete these items once they are no longer needed. This significantly jeopardizes compliance and data security initiatives. DLP systems are capable of searching the whole network of a company for locally stored sensitive data, and if it is found, administrators can take corrective action, such as deletion or encryption. As a result, healthcare providers may make sure that no employee continues to have access to private information that is no longer needed.

(c) Employee Training

Training employees is also essential. Healthcare IT remains in its early stages of implementation; therefore, professionals are still getting used to it. Policies and procedures must be changed to allow for the digitalization of medical records in order to safeguard the confidentiality of health care data. Your workers may be better able to identify potential security threats and make more informed choices with the help of security awareness training. This type of instruction can motivate users to handle patient data with the appropriate level of caution. It is crucial to inform both new and existing employees about current information safety protocols.

(d) Control Removable Devices

Despite the internet being increasingly used to transfer data, many employees still use removable storage options like USBs or external drives to copy sizable amounts of data or large files.  Because of their small size, these devices are easily lost or stolen. Even worse, in recent years, malware attacks have increasingly relied on USBs in particular. They might either fully forbid their use or restrict it to approved devices. 

This makes it simpler for healthcare providers to spot anomalous network behavior and possible information theft by enabling them to track which staff is using which device and when.

To ensure data safety, healthcare organizations should go above and beyond and implement an enforced encryption solution. Finally, it is crucial to stop information theft in the event of a data breach as soon as the leak is identified. In order to stop an intruder in his tracks, provide a quick technical structure that will activate predetermined protocols. Ensure that all new and existing employees are trained on the security procedures in place so they can react swiftly if a breach occurs.


Some important recommendations that can be integrated include a broad definition of "Data Concerning Health" and a clear understanding of "explicit consent" and how to obtain it.  Despite the fact that the use of technology in the healthcare sector has the potential to revolutionize the field for rural Indian women, it is crucial to address the concerns raised by the Digital Information Security in Healthcare Act, 2022 (DISHA), as well as to spread awareness of digital health and the value of sharing personal information.


Additi Panda
B.A. LL.B. from CPJ College

Leave a Comment

Previous Comments

Related Blogs