A Patient Record Leaked in Mandi Bahauddin Hospital Data Breach

Medical records of a woman were exposed when doctors recorded a video of her caesarean section (C-section) surgery; the video, which disclosed the patient's physical condition, was shared online. This unauthorized disclosure was challenged by her family. Medical records exposed in this kind of data breach are protected under sections 20 and 21 of the cyber security law: such unauthorized disclosures are an offence, and the Federal Investigation Agency can arrest the doctors involved, who face up to 7 years in prison. It is unclear how long the records were exposed, but the Deputy Commissioner of Mandi Bahauddin took immediate action and suspended the doctors. I have worked on US healthcare industry information security law, e.g. the Health Insurance Portability and Accountability Act (HIPAA), for 7+ years. The type of medical records exposed in this breach are protected under HIPAA. In its summary of the HIPAA Security Rule, the Department of Health and Human Services noted that “the rise in the adoption rate of these technologies [electronic health records] increases the potential security risks.” We should raise the level of awareness of, and compliance with, information security requirements within the Pakistani healthcare industry. There is a need to hire compliance professionals in the Pakistani healthcare industry to review and prevent patient record breaches and ensure compliance.
Internationally, compliance is governed by the applicable information security regulations, e.g. the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Jurisdictions such as the United States (US) and the European Union (EU) have set regulatory and standards requirements that must be met for the exchange of information, whether internally or externally.
There has obviously been a lot of debate in Pakistan/Azad Kashmir about Brexit and about data security and transfer issues as the UK exits the EU. It is hard to predict the impact of the EU referendum result on Pakistan, but in the short term the change will be minimal. As suggested by Jonathan Armstrong, the EU plays a significant role as regards value-added tax (VAT, i.e. sales tax) and excise duties, so indirect taxation in the context of access to the Single Market is likely to be a hot area in the negotiations. Further, the UK Government has consulted on the implementation of new cyber security measures, and Pakistan needs to focus on e-commerce, data protection, data transfer and data breach regulations to cope with the impact of Brexit. In the longer term there is likely to be a lot to do on the separation, with the UK putting in place agreements to replace current EU deals; many variations are currently possible. The referendum result is not technically law but a recommendation to the Government to make law.

Currently, a cybercrime bill has been passed by the National Assembly Standing Committee on IT, which is a reactive rather than a proactive approach in the absence of a Data Protection Act. The proposed Electronic Data Protection Act was drafted and proposed in 2005 and has so far not been published; to date there is no law regulating the protection of data in Pakistan. Recognizing the need of the hour, a new Foreign Data Security and Protection Act 2004 draft has been published by the Ministry to support US and EU companies outsourcing data to Pakistan. In the absence of a Pakistani data protection law, the introduction of a cybercrime law would be overwhelming for civil rights and businesses in the country. Therefore, we suggest that the Pakistani Government and the AJK Government should publish a data protection law as a proactive approach.
Further, government organizations internationally work closely on information security laws, and they tend not to approve techniques, e.g. encryption algorithms, that they cannot break, because they want to monitor users' communications and behaviour. It is essential for our nation and government agencies to analyze and review trends in international law to cope with these security loopholes. This Act may require Covered Entities under the law to implement physical, technical and administrative safeguards. A few improvements are suggested below to bring Pakistan in line with the data security standards of developed countries:
Suggested improvement in Pakistani Data Protection Act 2005
- Designate a compliance official responsible for managing the information security compliance program.
- Covered Entities shall implement encryption of data at rest and in transit using cryptographic modules and algorithms compliant with international standards, e.g. Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2). Note that FIPS 140-2 validates the cryptographic module; the approved algorithms it must use (e.g. AES, FIPS 197) are specified separately.
- Conduct internal monitoring and auditing at defined intervals. International standards, e.g. ISO 27001, and automated log monitoring tools, e.g. a log analyzer or Security Information and Event Management (SIEM) system, can be used to enhance effectiveness.
- Conduct information security training at defined intervals.
- Disciplinary guidelines should be developed and enforced effectively. Employee compliance rankings can be maintained.
- Identify and manage risks, and detect and respond to information security offences in a timely manner.
- Hashing should be implemented to ensure the integrity of data at rest. The hashing standard should be FIPS/NIST compliant (e.g. SHA-256 per FIPS 180-4). The digest should be keyed (HMAC, FIPS 198-1) with a key stored separately from the data; otherwise an attacker who can modify a record can simply recompute its digest.
- Authentication compliance requirements, at a minimum supporting:
  - Assurance Level 3 or above for remote access to confidential information, and
  - Assurance Level 1 or above for other types of access.
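As an added example of the integrity-hashing recommendation above (this is illustrative code written for this page, not code from the original post or from any named product), the block below keeps an integrity manifest for a small record store: each record is digested with SHA-256 (FIPS 180-4) and the manifest of digests is authenticated with HMAC-SHA256 (FIPS 198-1). The sample records are constructed and fictional, the HMAC key is assumed to be held outside the record store (for example in a key vault or HSM), and the record IDs and field names are assumptions for the example.

```python
"""Integrity manifest for records at rest (added example, not from the original post).

SHA-256 digests each record; the table of digests is then keyed with HMAC-SHA256 so
that an attacker who can edit a record cannot also forge a matching digest without
the key. Assumption: the HMAC key is stored outside the record store (key vault/HSM).
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records; fictional, not data from the page.
RECORDS = {
    "P-0001": {"name": "A. Patient", "dob": "1985-04-12", "procedure": "C-section"},
    "P-0002": {"name": "B. Patient", "dob": "1990-09-30", "procedure": "Appendectomy"},
}


def canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def build_manifest(records: dict, key: bytes) -> dict:
    """Digest every record, then authenticate the whole digest table with the key."""
    entries = {rid: record_digest(rec) for rid, rec in records.items()}
    tag = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_records(records: dict, manifest: dict, key: bytes) -> list:
    """Return a sorted list of findings; an empty list means the store is intact."""
    findings = []
    expected_tag = hmac.new(key, canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        findings.append("manifest tampered: HMAC tag mismatch")
        return findings  # the digest table itself cannot be trusted, stop here
    entries = manifest["entries"]
    for rid, digest in entries.items():
        if rid not in records:
            findings.append(f"missing: {rid}")
        elif not hmac.compare_digest(record_digest(records[rid]), digest):
            findings.append(f"modified: {rid}")
    for rid in records:
        if rid not in entries:
            findings.append(f"unexpected: {rid}")
    return sorted(findings)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # in production: fetched from the key vault
    manifest = build_manifest(RECORDS, key)
    print(verify_records(RECORDS, manifest, key))           # []
    tampered = {rid: dict(rec) for rid, rec in RECORDS.items()}
    tampered["P-0001"]["procedure"] = "None"
    print(verify_records(tampered, manifest, key))          # ['modified: P-0001']
```

Run the verification from a scheduled job or as part of the periodic audit; a non-empty finding list is the event that should be raised to the SIEM. Because the tag covers the whole digest table, deleting a record and its digest together is also detected, which a per-record digest alone would miss.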
Two-factor authentication can be used in the following scenarios, based on the Table 1 analysis; the same is suggested as an improvement for the Pakistani/AJK Data Protection Act:
a) Remote access:
- If employees, staff, etc. are accessing confidential information over the Internet (via a portal, VPN, etc.), healthcare organizations should use two-factor authentication.
- Whenever the helpdesk requires access to a customer's system, two-factor authentication should be used.
- All modems deployed in the environment should have a well-documented business justification that cannot be met in any other way, and should be periodically reviewed for continued applicability and need.
- Modems deployed with remote access software enabled (such as pcAnywhere or GoToMyPC) must be configured properly and use two-factor authentication.
b) Agreement execution with the client
c) Confidential information on the cloud and two-factor authentication
Entities should consider additional methods for securing administrative access, such as implementing two-factor authentication or establishing dual or split control of administrative passwords between multiple administrators, when transmitting confidential data using cloud technology.
US and EU data privacy laws, e.g. HIPAA and EU data protection law, limit businesses moving confidential data to countries with weak privacy compliance programs. It is essential for an organization covered under HIPAA that outsources its business processes to developing countries, e.g. Pakistan and AJK, to meet the international privacy requirements imposed on it, to avoid losing potential customers due to non-compliance. An organization covered under HIPAA and/or GDPR is required to ensure the confidentiality, integrity and availability of Protected Health Information, so it is essential for these organizations to adopt compliance mechanisms when outsourcing data. The Pakistani data protection act draft was created to benefit the citizens of the country. As suggested by Madiha Latif, the drafters of this bill seem to have forgotten to address the anticipation of future technological development. Further, the fact that the law has still not moved forward on the floor of the assembly is incredibly worrying.