The report in Economic
Times suggesting a
successful sting operation revealing the possibility of leakage of medical
record information for a price by one transcription company in India calls
for an urgent and appropriate response from the industry.
It is necessary for us to remind the
world that the IT industry contains a spectrum of operators and there will
be the good, the bad and the ugly. One sting operation like the reported
incident cannot be used to tarnish the image of the industry as a whole.
A recent PWC survey on global scenario
indicates that Information Security practices in India is reasonably good
and compares well with the global standards. However more efforts are
needed in this direction to ensure that accusing fingers are not pointed at
However, it is possible for sections
of the International Community which is opposed to outsourcing business to
India to pick up the current incident and blow it out of proportion. They
may actually try to get sanctions passed against outsourcing of business to
India through the Data Protection Act in EU or through HIPAA/HITECH in USA.
The problems will not stop at the small medical transcriptionists. It is
likely to affect the image of the country as a "Security Conscious" country
and would hurt even the larger companies.
If the Indian industry does not wake
up and take remedial action, the damage can be substantial. Naavi.org
therefore suggests an action plan for medical Transcription Centers in
Bangalore to meet the emerging threat.
The outline of the action plan is as
1. Naavi.org will take the lead in
promoting the concept of "Information Security Society for Medical
Transcriptions" to which all Medical Transcription companies in Bangalore
will become members.
2. The objective of the society is
to promote use of global standard information security in all the member
3. Provisional membership would be
provided to all entities which are in the Medical Transcription Business.
4. The membership will be upgraded
from "Provisional" to "Secure" membership of Class I, Class II and Class
5. Norms of security would be
defined for each member class I, II and III and the members need to
fulfill the norms and maintain it.
6.Periodical audits to be conducted
by the organizations to document their security status.
7. Society would conduct periodical
surprise inspections to determine whether the security status is being
8. The society would endeavour to
project a collective image to the global vendors to instill confidence in
9. Cyber Law College will develop a
standard framework called MTSF-1009 (Medical Transcription Security
Framework) exclusively for the purpose on the lines of LIPS-1008 a
security standard developed for Legal Process Outsourcing Companies.
10. The Society would endeavour to
conduct appropriate training for the members and their employees to
ensure compliance of the desired "Techno Legal Information Security