Information Assurance Framework for Health Care Industry (IAF4HC)
By Naavi
The Health Care industry the world over is concerned with the need to protect the Privacy of patient information. While there is a focus on the Privacy and Information Security requirements of the Health Care industry in the USA in the form of the HIPAA-HITECH acts, in India the health care industry is yet to develop the required focus.
The Indian Health Care industry is in the initial stages of adopting IT into its operations, and very few hospitals have gone beyond the first stages of IT implementation. At the current stage, managements are more interested in the functional aspects of IT and are not giving the right priority to Information Security.
It is however necessary to remind the Indian Health Care industry that India has a law similar to HIPAA in the form of the Information Technology Act 2000 as amended in 2008 (ITA 2008). Under the provisions of this Act and the rules notified under Section 43A on April 11, 2011, information relating to “Physical, Physiological and Mental Health condition” (Health Information) is considered “Sensitive Personal Information” and must be protected by a “Reasonable Security Practice”. Failure to meet this obligation creates a civil liability for payment of compensation under Section 43A of the Act. It may also result in criminal liability under Section 72A in certain cases.
In view of this provision of ITA 2008, it is essential for the Indian Health Care industry to implement an information assurance program that may be considered a “Reasonable Security Practice”.
Naavi, who has developed a general information security framework, IISF-309, for ITA 2008 compliance and the LIPS-1008 framework for legal information protection in India, has now developed a separate framework tailored for the Indian Health Care industry. It adopts the best practices of HIPAA and ISO 27001 already reflected in IISF-309 and LIPS-1008 but is customized for the requirements of the Health Care industry. It takes into account the present status of the industry, where information security adoption is at a preliminary stage compared to industries such as banking. Though this framework is presented for the Health Care industry, it is also suitable for other industries where the use of IT is yet to mature.
The framework is tentatively named the ‘Information Assurance Framework for Indian Health Care industry’ (IAF4HC). It is recommended for consideration by the industry for adoption as the industry standard.
The inaugural version of the framework will be referred to as IAF4HC (v1/1112).

The detailed specifications will be developed by Ujvala Consultants Pvt Ltd and explained through these columns in a series of articles.
Naavi
17th Nov 2012
[PS: Naavi's approach to IA is broader than the usually recognized definition of IA. Hence Naavi has decided to use the term "Total Information Assurance" in place of Information Assurance in all his discussions. As a result, the acronyms will also be changed from IA to TIA wherever applicable in all future references. Naavi, 19th November 2012]