Let's Build a Responsible Cyber Society

Data Breach Incidents and HIPAA Compliance

A recent Economic Times report in India, describing a successful sting operation by a UK agency in which health-related data was bought from a medical transcription company, has evoked a predictable response in the US. As could be expected, there are voices stating that the best way forward for health care information security is not to outsource.

Seon Caroll, CEO of Webmedx, one of the large medical transcription companies in the USA, has stated that it is unrealistic to think that US laws can be effectively enforced outside "our borders" sufficiently to deter the misuse of information or breaches of security. The company therefore advocates 100% US infrastructure as its security policy.

While one can appreciate the business strategy of Webmedx in promoting its “No-Outsourcing” policy as a virtue, it is necessary to take a pragmatic view of the problem and work towards a solution.

As a person who has conducted many HIPAA awareness trainings in India and who promotes voluntary HIPAA compliance in the Indian health care industry as a best practice, I can share some of my thoughts on the way forward.

Outsourcing by US companies to India or elsewhere is a conscious business decision which in the long run is expected to add value to the enterprise. Obviously this cannot be done at the cost of Information Security (IS). However, IS is a joint responsibility of both the US covered entity and its business associate in India.

The current incident, a sting operation by a journalist, is not a clear indication of the risk of data being sold for a price. However, we can accept that it confirms the obvious: financial inducements can make some employees part with information otherwise considered confidential. But we have to focus more on the organized attempts by cyber criminals to acquire confidential data than on sting operations.

To put the incident in the proper perspective, we can recall the many data breach incidents that have occurred in the US itself, where millions of records have been compromised, some through financial inducements, many through negligence, and many more due to criminals who hack into systems as a profession. IS is therefore as much an issue in the US as it is in India.

The reason for the increasing data breaches of the kind referred to in the instant case is the growing cyber crime underworld, which finds all means of stealing data because there is a market for it. In the case of health records coming under HIPAA, the beneficiaries are in the US. Many of them are insurance companies who follow unscrupulous methods to obtain data that can be used for marketing. It is therefore the unethical business practices of US insurance companies that create a fertile ground for the proliferation of data breach incidents. Part of the solution therefore lies within US jurisdiction: how to promote ethical business practices. I would request Seon Caroll to find means of spreading this message in the industry in the US.

On the other hand, I would also request the US companies outsourcing health care business to India to insist that their clients in India undergo a “HIPAA-HITECH Compliance Drill”. I have observed that many Indian companies are not aware of their responsibilities. This lack of awareness also indicates that the US vendors are not driving home the requirement of HIPAA compliance in their SLAs. Perhaps they have exchanged a contract which indirectly talks of an indemnity. This is more a legal formality they have undergone than a real effort to educate their counterparts. Let it be one of the HIPAA compliance requirements of the US companies that they have specifically enquired with their Indian counterparts about the HIPAA compliance measures undertaken in India and obtained certifications. Not all these certificates would be reliable, but many would be.

Many of the HIPAA awareness programmes I have conducted, and audits I have participated in, are a result of the initiative of local companies to improve their competitiveness. This indicates that there is a desire among companies in India to adopt IS standards. As in every other case of motivation, they perhaps need a little nudging, a little coercion and a little incentivisation.

I would request US companies not to treat HIPAA compliance as a paper formality to be completed. Let it be a genuine exercise to promote an information security culture. Let the US vendors insist in their business contracts that Indian medical transcription partners engage only employees who have undergone “HIPAA Awareness Training”, and that they send documentary proof of having conducted such a programme for their employees. US companies can also devise strategies where they earmark a part of their payments to be released only against expenses on employee training and other HIPAA initiatives (an extension of Obama’s strategy of incentivising the adoption of EMR by medical practitioners).

The sting report is therefore a wake-up call as much to the US companies as it is to the Indian companies. Let’s work together in the effort to have adequate information security without losing out on the outsourcing advantages.

India is keen to retain its outsourcing advantages because outsourcing is a key economic activity for the country. India is therefore willing to do everything in its control to ensure data security in the operations of Indian companies.

US companies may take note that the Indian Information Technology Act has recently been amended to incorporate a responsibility to follow reasonable security practices to protect sensitive personal information, failing which the company would be liable to pay damages without any upper limit. There is also a three-year imprisonment provision for data breaches. There is a fast-track adjudication system for providing relief under the Information Technology Act, with one adjudicator in each of the States in India.

Nasscom has also created a self-regulatory organisation (SRO) of its own, in the form of the Data Security Council of India, to contribute towards better data security compliance in the industry.

Thus there are several state-led initiatives towards making India a secure destination for information processing.

In addition to these efforts, individuals like the undersigned are undertaking efforts of their own towards building a public-private partnership in information security. The State of Karnataka, of which Bangalore is the capital, has adopted a State policy to make “Bangalore the Information Security Capital” and has initiated several projects in this direction in recent times.

After the recent report from Economic Times I have been working towards creating a “Security Consortium” for medical transcription companies in Bangalore and have invited interested medical transcription companies to get in touch with me. I am also encouraging companies working on IS solutions to partner in building a secure medical transcription network, in Bangalore to begin with and then extended to other places. A conference is being organized in November to talk to some of these unit heads and make them aware of the implications of a data breach. The idea is to create a group of medical transcription companies who voluntarily subscribe to information security standards that meet, and if possible exceed, the HIPAA expectations of business associates.

We hope that this data breach report becomes a trigger for an all-India activity in which the medical transcription industry is shaken up and the need for, and advantages of, being aware of and implementing HIPAA security standards in India are driven home.

I am sure that the US companies will soon find that India has a better overall IS environment than even the US.

Naavi of www.naavi.org

October 24, 2009

Related Articles:

Indian BPOs need to demonstrate their commitment to Data Security

Data Breaches in US.. SC Magazine

Comments are welcome at naavi@vsnl.com