
Data security in Health Care

PCQ Bureau

While everyone considers data security to be important, and Fortis in particular considers health-care information to be critically important, they feel implementing it to a satisfactory level is still a challenge across the industry. In this line of business, information can be classified into three types: patient-specific information, statistical demographics and organizational data (such as revenues earned).


Each of these types of information has a specific purpose and a set of people or entities that are entitled to access and modify it. For instance, only a patient's doctor should be able to view that patient's detailed medical records, treatment history and so on. The receptionist needs even less information, such as patient membership data. Someone querying the database for statistical information, such as the number of patients treated for malaria in the last few months within a particular demographic, should not be shown the personal information of the individual patients concerned. Competitors should not be able to access the hospital's internal financial data.

Sunil Kapoor, CIO, Fortis Healthcare

Fortis considers implementing data security a basic hygiene need, and a conscious call the organization took. However, like most organizations, they see no need to communicate to their patients that they have implemented data security; they find it as mundane as telling them what kind of bed has been provided. As a forward-thinking institution, Fortis envisions compartmentalized centralization in its implementation: each of its units has access only to the segment it addresses.


Security is implemented at the application level, where authority to modify is checked before every 'save' operation; this prevents an unauthorized person from using an authorized system to modify the data. The front-end application also does not allow the user to export data for use outside the system.

In 2001, Fortis Healthcare implemented SmartCards for security, but that hasn't taken off because of portability and compatibility issues. SmartCards are specific to the system and don't allow the user to transparently reuse them elsewhere. This means that data protected by SmartCards loses its portability between different institutions. Each health-care institution typically implements proprietary applications and data-storage mechanisms, and this diversity makes the transfer of electronic data between institutions difficult, if not impossible.

Security of electronic patient data is as important as that of physical records. This is especially true in Medico-Legal Cases (MLC). With MLC data, a complete process has to be followed regarding who has what kind of access to the information, complete records have to be maintained of each access and modification, and the data itself is stored for a much longer period.
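As an added illustration (not Fortis's system or code), the access model described above can be sketched in Python: a per-role view of a patient record, an authority check before every save, a statistical query that returns a count but never individual rows, and an audit trail of each access and modification attempt. The roles, field names and sample records are constructed for this example.

```python
from dataclasses import dataclass

# Constructed policy: record fields each role may read. Analysts see no
# individual fields; they only get aggregates through count_cases().
READ_POLICY = {
    "doctor": {"patient_id", "name", "membership", "diagnosis", "history"},
    "receptionist": {"patient_id", "name", "membership"},
    "analyst": set(),
}
@dataclass
class User:
    name: str
    role: str
    patients: frozenset = frozenset()  # patients this doctor is treating

class PatientStore:
    def __init__(self, records):
        self._records = {r["patient_id"]: dict(r) for r in records}
        self.audit_log = []  # (user, action, target, allowed) for every attempt
    def _audit(self, user, action, target, allowed):
        self.audit_log.append((user.name, action, target, allowed))
    def read(self, user, patient_id):
        fields = READ_POLICY.get(user.role, set())
        if user.role == "doctor" and patient_id not in user.patients:
            fields = set()  # only the treating doctor sees a patient's records
        self._audit(user, "read", patient_id, bool(fields))
        if not fields:
            raise PermissionError(f"{user.name} may not read {patient_id}")
        return {f: self._records[patient_id][f] for f in fields}

    def save(self, user, patient_id, **changes):
        # Authority to modify is checked before every save, so a user at an
        # authorised workstation still cannot change data outside their role.
        allowed = user.role == "doctor" and patient_id in user.patients
        self._audit(user, "save", patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.name} may not modify {patient_id}")
        self._records[patient_id].update(changes)

    def count_cases(self, user, diagnosis, district):
        # Statistical queries return a count only, never individual rows.
        n = sum(1 for r in self._records.values()
                if r["diagnosis"] == diagnosis and r["district"] == district)
        self._audit(user, "count", f"{diagnosis}/{district}", True)
        return n
SAMPLE = [  # constructed sample records, not real patient data
    {"patient_id": "P1", "name": "Asha", "membership": "gold", "diagnosis": "malaria", "history": ["2009-01"], "district": "north"},
    {"patient_id": "P2", "name": "Ravi", "membership": "basic", "diagnosis": "malaria", "history": [], "district": "north"},
    {"patient_id": "P3", "name": "Meera", "membership": "gold", "diagnosis": "dengue", "history": [], "district": "south"},
]
```

Every call, allowed or refused, lands in `audit_log`, which is the kind of complete access record the MLC process requires.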


The real challenge in data security is in preventing unauthorized access within the organization rather than finding ways to prevent them from taking the data out of the premises. We are able to achieve this with application-level security.

As far as medical standards go, HIPAA is the most popular. HIPAA is an industry-specific standard that affects Fortis, but it is not followed in totality by any hospital globally, and even less so within India.

In the US, if a treating doctor has to consult another expert, he has to first take the patient's permission on whether the patient's data can be shared. If the patient refuses, the doctor can't do it. In India, medical records have to be standardized before such data sharing can happen.
