NDHM-Health Data Management policy objective need not be linked to ISO standard

(This is a continuation of the earlier article)

Before we dive deeper into the NDHM’s Health Data Management Policy, there is a need to discuss one philosophical issue: what should be the objective of such a policy, and even of laws such as the PDPA.

For the time being we shall assume that this “NDHM-HDM Policy” is a directive from the Ministry to all the participants of the NDHM ecosystem and hence has the force of a near-statutory regulation. Presently it is aligned to Section 43A of the ITA 2000; once the PDPA comes into existence, this policy will get aligned to the PDPA and acquire real legal force.

Hence we need to discuss what should be the objectives of such laws/regulations.

The ITA 2000 objective was to promote E Commerce and to protect data through various measures of information security and cyber crime control. The objective of PDPA is to protect the “Privacy of an Indian Citizen”.

The policy declares that it is the first step in realizing NDHM’s guiding principle of “Security and Privacy by Design” for the protection of individual’s data privacy. This statement is in alignment with the objectives of PDPA. The policy is also careful to declare that it is subordinate to other applicable laws.

However, in Paragraph 3 of the Policy, the policy stumbles by declaring that its key objectives include:

“to create a system of digital personal and medical health records which is easily accessible to individuals and health service providers and is purely voluntary in nature, based on the consent of individuals, and

in compliance with international standards such as ISO/TS 17975:2015 (defines the set of frameworks of consent for the collection and processing of health data by healthcare practitioners and other entities) and

other relevant standards related to data interoperability and data sharing as may be notified for the implementation of NDHM from time to time”

It is difficult to understand why the second paragraph above was required; it could have been deleted altogether, since it reads as if compliance with an ISO standard is itself one of the objectives of this policy.

There appears to be no need to frame a law or a regulation so as to be compliant with a “Standard”, unless the “Standard” itself is the law, as happens in a prescriptive law such as HIPAA.

In other laws, the law sets down a principle which is expanded in regulatory notifications. After this it is for the industry to develop its own best practices, which may be called “Standards” or by any other name. Those who develop “Standards” align the standards to the law, and not the other way round.

ISO standards are sometimes mistaken for “Regulatory Standards”, and this perception needs to be changed. An ISO standard is subordinate to the law and is a tool of compliance. A law cannot be a tool of compliance with an ISO standard.

It would be better to correct this aspect in the policy.

(To Be continued)

Naavi

All Articles in the series:

1. National Digital health mission shows the way… Be Ready before PDPA becomes effective

2. NDHM is a trend setter… Get started early on the Privacy Protection journey

3. Consent Management under NDHM

4. NDHM-Health Management policy Objective need not be linked to ISO standard

5. Managing IDs in NHD ecosystem

6. Data Fiduciaries under NDHM


Consent Management under NDHM

(This is in continuation of the earlier article on NDHM)

“Informed Consent” is the backbone of most Data Protection laws including the Indian Personal Data Protection Act (proposed). The NDHM’s Health Management Policy adopts all the provisions of the PDPB 2019.

Consent is a mandatory requirement under the policy. It should meet the standard of “Free Consent” under Section 14 of the Indian Contract Act and should involve “Informed choice” etc. as envisaged in Section 11 of the PDPB 2019.

The purposes for which consent can be obtained under this policy are restricted to the requirements of the NHA (National Health Authority, which plays a role similar to the DPA under the PDPA), which means that the consent can be used only for purposes consistent with the NDHM.

Once this policy comes into force, fresh consents have to be obtained. This means that legacy health data, whether or not a consent was available for it, becomes data collected under a “Defective” or “Expired” consent.

When subsequent processing is required and the data has to be passed onto another processor (Health Information Users and Providers), a “Consent artifact” has to be generated and shared by the “Consent Manager”.

In obtaining the consent from a minor (less than 18 years of age), the policy indicates that a “Valid Proof of relationship” must be obtained along with the identity of the parent or guardian for processing of sensitive personal data.

The “Valid Proof of relationship” could be a point of difficulty and needs to be debated further.

It is expected that the NDHE framework will take note of “Nomination” like an “Authorized representative” who takes care of the consent in the event the data principal is seriously ill or mentally incapacitated.

This point is a problem in all health related laws since this provision is in conflict with the earlier provision that “Consent has to be as per Section 14 of Indian Contract Act”. As per the Indian Contract Act, a person who loses the mental capacity to take decision is no longer able to withdraw the earlier authorization given to an agent and hence the contract of agency is deemed as terminated in such a situation. HIPAA resolves this dilemma by bringing in the view of the medical practitioner whose certificate would be a vital document that determines what decision can be taken in respect of the patient.

It is better if we also adopt this provision in the policy.

The rights of the data principal recognized by the policy are similar to those in the PDPB 2019 and include the right to confirmation, right to access, right to receive a notice, right to correction, a limited right to erasure, and data portability.

The provisions recognize the need for retention of data as per law and use of restriction of access and disclosure instead of deletion if the situation so warrants and expects a Data Retention and Archival policy to be adopted for the purpose.

Another point of difficulty is the provision that a person may restrict consent to disclose the information to his legal heirs after his death, which would not be possible in the electronic form of consent. This would be ultra vires the ITA 2000, since any instruction applicable after the death of a person can be considered a statement of Will, which has no recognition in electronic form.

(….Continued)

Naavi


NDHM is a trend setter… Get Started early on the Privacy Protection Journey

(This is in continuation of the earlier article on NDHM)

The National Digital Health Mission (NDHM) is an ambitious project of the Government of India for providing a nationwide health care system that makes comprehensive use of technology. Since the project deals with the health information of individuals, it is already under an obligation to be compliant with the ITA 2000. Though one may argue that Section 43A applies to Body Corporates and not to the Government, any organization which can sue and be sued in its own name should be considered as being under the obligation of compliance under the ITA 2000 even if it is a public body. At the same time, post the Puttaswamy judgement, the obligation for privacy protection already rests on all Government projects. Hence the NDHM is a project which needs to be compliant with the expectations of Information Privacy Protection under the Puttaswamy judgement, as encapsulated in the PDPB 2019, which is also the “Due Diligence” requirement under the ITA 2000 for both Section 43A and Section 79.

The NDHM is already in various stages of implementation, and hence the Ministry of Health and Family Welfare (MOHFW) had moved a few years ago to draft a law called DISHA (Digital Information Security for Health Act) and also formulated an EHR policy for hospitals as well as a Telemedicine Policy. However, since the PDPA was conceived as a comprehensive privacy legislation, it was prudent for the MOHFW to drop its proposal for a separate Act and restrict itself to developing a code of practice for the health care industry to meet the requirements of the PDPA.

When DISHA was drafted we did not have a draft of the PDPA; now we have a near-final version of the Act as proposed. Hence the NDHM has gone ahead and incorporated the principles of the PDPA into its policies and has already started its journey towards PDPA compliance.

This is precisely the pro-active approach which Naavi has been suggesting to other companies and sectoral regulators and we must appreciate the efforts of MOHFW in showing the way for other regulators.

The Policy document is applicable to the participants of the NDH Ecosystem, which revolves around all the citizens of the country and all stakeholders in the health industry. By its very nature it encompasses the entire universe of health data processors, including the Central and State Governments, Hospitals, Diagnostic labs, Pharmacies, Health Insurance services, Health Tech Services, Medical practitioners, NGOs etc. Even websites that provide services to the health care sector may come under the provisions of this policy.

Since “Health” is an associated aspect of every citizen, the policy is applicable for a very large section of the population especially those who are using the services of the NDH related services.

The participants of the NDHE (patients, doctors and other participating institutions) are issued specific Digital IDs, and these IDs themselves become identifiers that need to be protected.

The policy is closely aligned to the PDPB 2019 in terms of definitions, obligations and rights guaranteed.

Some of the new definitions that have been introduced are:

“Personal Health Identifier” or “PHI” is the data that could potentially identify a specific data principal and can be used to distinguish such data principals from another. PHIs could also be used for re-identifying previously de-identified data. It could include a data principal’s demographic and location information, family and relationship information and contact details;

“Health Information Provider” or “HIPs” means hospitals, diagnostic centres, public health programs or other such entities registered with the National Health Infrastructure Registry, which act as information providers (by generating, storing and distributing health records) in the digital health ecosystem

“health locker” means a service of information exchange of electronic health records or electronic medical records, which can be accessed by the data fiduciary or data processor upon receiving the consent of the data principal and where such service can also be used by a data principal in order to create Personal Health Records;

“Health Information Users” or “HIUs” are entities that are permitted to request access to the personal data of a data principal with the appropriate consent of the data principal. The NHA may, from time to time, specify certain terms and conditions in relation to HIUs;

“Health ID” refers to the Identification Number or Identifier allocated to a data principal, “Health Facility ID” refers to the unique ID allocated to each health facility and “Health Practitioner ID” refers to the unique ID allocated to each health practitioner.

Unlike the PDPA, the policy defines the three terms Anonymization, Pseudonymization and De-identification independently of each other.

“de-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to a data principal but does not, on its own, directly identify the data principal;

On the other hand, “pseudonymisation” means a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms;

“anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified through any means reasonably likely to be used to identify such data principal;
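The practical difference between the three definitions is reversibility, which is easiest to see on a single record. The Python below is an added illustration written for this page, not code from the policy or the NDHM: the sample record, the secret key, the HMAC-SHA256 pseudonym, the masking rule and the age-band generalisation are all assumptions chosen for the example. It shows why a pseudonymised record is still personal data (the key holder, or whoever steals the key, can re-identify it), while the anonymised row keeps no per-principal code at all.

```python
"""Pseudonymisation vs de-identification vs anonymisation on one record.

Added illustration for this page; the record, key and transformation
rules are constructed assumptions, not anything from the NDHM policy.
"""
import hashlib
import hmac
from datetime import date
from typing import Dict, Iterable, Optional

# Constructed sample record (fictitious person, fictitious IDs).
RECORD: Dict[str, str] = {
    "name": "Asha Kumari",
    "phone": "+91-9876543210",
    "health_id": "12-3456-7890-1234",
    "dob": "1984-07-19",
    "pincode": "560034",
    "diagnosis": "Type 2 diabetes",
}
DIRECT_IDENTIFIERS = ("name", "phone", "health_id")   # identify on their own
QUASI_IDENTIFIERS = ("dob", "pincode")                # identify in combination
KEY = b"example-secret-key-held-by-the-fiduciary"     # assumption for the demo
AS_OF = date(2020, 12, 1)                             # reference date for age bands


def _pseudonym(value: str, key: bytes) -> str:
    # Keyed hash, truncated to 16 hex chars: deterministic per (key, value).
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace each direct identifier with an artificial identifier.
    Records about the same principal stay linkable (same pseudonym), and
    whoever holds `key` can re-identify, so the result is still personal data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = _pseudonym(record[field], key)
    return out


def deidentify(record: Dict[str, str], subject_code: str) -> Dict[str, str]:
    """Remove or mask identifiers and attach one fictitious code unique to the
    principal; the code alone does not identify, but a mapping held elsewhere
    would."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pincode"] = record["pincode"][:3] + "XXX"   # keep only the district prefix
    out["subject_code"] = subject_code
    return out


def anonymise(record: Dict[str, str], as_of: date = AS_OF) -> Dict[str, str]:
    """Irreversible: direct identifiers dropped, no per-principal code kept,
    quasi-identifiers generalised so the row no longer singles anyone out."""
    age = as_of.year - int(record["dob"][:4])   # year-level age is enough for a band
    low = (age // 10) * 10
    return {
        "age_band": f"{low}-{low + 9}",
        "region": record["pincode"][:2],         # first two digits: broad region only
        "diagnosis": record["diagnosis"],
    }


def reidentify(pseudonymised: Dict[str, str], key: bytes,
               candidates: Iterable[str]) -> Optional[str]:
    """What the key holder (or a thief of the key) can do with a pseudonymised
    record: recompute pseudonyms over a candidate list until one matches."""
    target = pseudonymised["health_id"]
    for candidate in candidates:
        if hmac.compare_digest(_pseudonym(candidate, key), target):
            return candidate
    return None


def demo() -> Dict[str, object]:
    pseud = pseudonymise(RECORD, KEY)
    return {
        "pseudonymised": pseud,
        "deidentified": deidentify(RECORD, "S-0001"),
        "anonymised": anonymise(RECORD),
        # Re-identification succeeds with the key and a guessable candidate set...
        "reidentified_with_key": reidentify(
            pseud, KEY, ["12-3456-7890-1234", "99-0000-0000-0000"]),
        # ...and fails without the right key.
        "reidentified_wrong_key": reidentify(pseud, b"wrong-key", ["12-3456-7890-1234"]),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The point the block makes is that the pseudonymised and de-identified outputs both still carry a token that is unique to the principal, so the policy's PHI notion (data that can re-identify previously de-identified data) applies to the key or the mapping table, which must be protected as carefully as the record itself; only the anonymised output has no such handle left.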

The definition of “Biometric” data is also interesting as it includes the “Behavioural characteristics” of a data principal, by stating “biometric data” means facial image, fingerprint scans, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;

An interesting term, “Consent artifact”, has been defined in place of the usual “Consent may be in writing or by other means etc.” Here “consent artifact” means a machine-readable document that specifies the parameters and scope of data sharing and access that a data principal consents to in any personal data sharing transaction;

The guideline also adopts the term “Consent Manager”, which in this context means an entity or an individual, as the case may be, that interacts with the data principal and obtains consent from him/her for any intended access to personal or sensitive personal data, where the role of the consent manager may be provided by the NHA or any other service provider;

The “Definitions” indicate that the policy seems to have taken into consideration many aspects of PDPA and made relevant additions also which may in turn influence the final draft of the PDPA.

(To Be Continued)

Naavi


National Digital health Mission shows the way.. Be Ready before PDPA becomes effective

India is entering the global order of Privacy Protection with the enactment of the “Personal Data Protection Act”, expected some time in 2021 when the Bill (PDPB 2019) is presented to Parliament.

Even while a section of the industry is working at delaying the passage of the Bill, the Government is silently working at implementing the provisions of the proposed Bill in its National Digital Health Mission without waiting for the Bill to be passed, the DPA to be constituted, etc.

This approach is consistent with the law in India since Information Technology Act 2000 (ITA 2000) already has provisions under Section 43A.  This provision of ITA 2000 mandates protection of sensitive personal data under “Reasonable Security Practice”.

“Reasonableness” under Section 43A can be extended to “Due diligence” which includes the general legal development in the country that India is shortly enacting a comprehensive personal data protection Bill which will expand and replace Section 43A of ITA 2000.

The fact that the PDPB 2019 is the “Due Diligence Prescription under Section 43A of ITA 2000” is the reality, and though the penal provisions of the law may not be effective at this time, the principles of personal data protection under the PDPB 2019 are applicable as of now as part of Section 43A of the ITA 2000. This has been rightly recognized by the Ministry of Health, which has adopted the emerging law into its NDHM project through a comprehensive “Health Data Management Policy”.

Since this policy indicates how other sectoral regulators may also think of advancing the implementation of the PDPB 2019 without waiting for the formalities of its passage into law, we can explore this policy in greater detail, along with the other details of the NDHM, through a series of articles.

Watch out for more information

Naavi

( To be continued)


Making Corruption Easy

For any financial crime to prosper, there has to be a means of benefitting from the crime. This means that the proceeds of the crime have to be converted into the legitimate wealth of the criminal. This is precisely what we call “Money Laundering”.

Normally we expect that the Government of the day, the Central Bank and the Courts of the Country will do everything under their control to prevent “Money laundering” so that financial crimes are discouraged.

Unfortunately, in India our system does everything to make corruption easy.

And in this exercise the regulators, the Government and the Courts are all happy shifting the blame to another if the decision is difficult.

This tendency is clearly visible in the way the Bitcoin issue is being handled in India. It is no surprise that Bitcoin users and Bitcoin business entities want Bitcoin to be made legal tender so that it becomes a crime neither to use them nor to deal in them. For some time the RBI resisted this, but the Supreme Court came to the assistance of the Bitcoin industry and gave a “Deemed Acceptance” to Indian Banks opening and operating bank accounts for the purpose of trading in Bitcoins and other crypto currencies.

The moment Supreme Court came to the assistance of the Bitcoin Exchanges, the fact that Bitcoin is a currency of the Criminals and Currency best suited for receiving and handing over large value bribes became more relevant than ever before.

Today an article “India’s Banks Are Once More Serving Crypto Traders and Exchanges” indicates the mindset of the industry and how they are slowly putting pressure on Banks to open out to maintaining the accounts for Bitcoin exchanges.

I would like to challenge these Banks….

“How do Banks consider the opening and operating of a bank account for a Crypto Currency exchange, which allows buying and selling of Bitcoins and other crypto currencies that are not “Currencies” but “Commodities” and are subject to the legal principle of transfer of property, namely “Nobody shall transfer a title free from the defects of the transferor’s title” (unless the transferee is a holder in due course of a negotiable instrument), as not “Money Laundering”?”

If Banks become bankers to money launderers where is their obligation to the “Prevention of Money Laundering Act”?.

It is perhaps unfair to blame only the Banks because this situation has arisen solely because of the Supreme Court. The Chief Justice of India could have reviewed the subject order and corrected the perception of the honest public of India that Supreme Court is supporting Bitcoin. But he is perhaps busy with other issues.

There was a time when the supreme Court was asking the Government of India what measures they are taking for prevention of corruption and black money. But now the Supreme Court of 2020 is seen actually as a facilitator of digital black money in the form of Bitcoins.

The Government is also not concerned because if “Bribing” becomes easy, the Government employees are the most happy persons because a large part of the market share of corruption predominantly belongs to the Government employees.

What is left for all of us is to think of conducting a training for the public on how to buy bitcoins and use them for paying bribes. Presently only the digitally savvy persons receiving large amounts of bribes are perhaps using bitcoins. It is time that we let small-time people such as clerks in Government offices and traffic cops also become conversant with the use of Bitcoins and how to collect their bribes in Satoshis (1 satoshi is 1/100,000,000 of 1 bitcoin and is approximately equal to 1.3 paise). It would be better if the Government of India declares a new currency term, 100 satoshis equal to 1 Satoshi rupee, so that it becomes easy for the public to give and receive bribes.

Perhaps the Ministry of Finance and the Ministry of IT would also be able to provide some financial incentives to people who can conduct outreach programs for conducting such training programs.

May be it is also time for the PMO to consider that in the next Mann Ki Baat, Mr Modi can speak of opening out our economy by merging the Bitcoin as part of our currency system so that we become a part of a global digital currency system.

Any such move would be opposed neither by the opposition parties nor by the Supreme Court, because everybody is happy. Hence no Bharat Bandhs and no Delhi blockade. In fact the Urban Naxalites may be persuaded to withdraw from the farmers’ agitation if the incentive of Bitcoin legalization is offered.

Naavi


Software and Business Method Patent in India is possible

Software companies in India have been trying to get the Indian Patent law changed to allow patents for Computer Software and Business Methods. Such patents are available in the USA but were so far considered not patentable in India because Section 3(k) of the Indian Patent Act states as follows:

3. What are not inventions.—The following are not inventions within the meaning of this Act,—

(k) a mathematical or business method or a computer programme per se or algorithms;

However, it appears that this situation has now changed: patent number 353365, issued on 10th December 2020 for an invention titled “Halting a denial of service”, appears to be a patent granted for a software which is a “Business Method”.

Earlier it was considered that only if a software is part of a hardware, the device could be patented and “software-per-se” was not patentable.

There are 9 claims under this patent, namely:

Claim 1. A method for identifying and mitigating a distributed denial of service attack (DDoS), the method comprising:
collecting, through a processor that is operatively coupled to a network interface card (NIC) of a computing device, a first set of parameters from a user request having data packets, wherein the user request is configured for requesting a service from a server in a network;
collecting, through the processor operatively coupled to the NIC, a second set of parameters from a server response, wherein the server response has data packets from the server in response to the user request;
analyzing, through a mitigation core coupled with the computing device, the first set of parameters and the second set of parameters, to determine a traffic score associated with the data packets in the user request and the server response, said traffic score being computed using a cumulative sum (Cusum) anomaly detection, wherein said mitigation core comprises layers of one or more mitigation filters that determine whether each data packet is dropped or sent to the next filter of the one or more mitigation filters;
comparing, using the processor, the determined traffic score based on the first set of parameters and the second set of parameters with a pre-determined threshold score to determine that either one of the user request or the server response comprises one or more malicious data packets associated with a DDoS attack in the network; and
alleviating, through the processor, the DDoS attack by applying a traffic shaping based mitigation criteria.

(P.S: The underlined portions above are the changes made in the application to support that the invention is outside the provisions of Section 3(k), as explained in the comment below)

Claim 2. The method as claimed in claim 1, wherein the first set of parameters are selected from any or a combination of a Source IP and/or Destination IP and/or Source Port and/or Destination Port and/or TCP Flags and/or TCP flags distribution across user requests and/or a TCP window size and/or a TCP sequence number and/or a TCP Header length and/or a Source IP distribution across user requests and/or a Destination IP distribution across user requests and/or a Source port distribution across user requests and/or a Destination port distribution across user requests and/or a Number of connections per source IP and/or a Number of connections per source IP and destination IP and/or a UDP header length and/or a HTTP header length and/or a HTTP request Method and/or a HTTP URL and/or a HTTP Referer and/or a HTTP Host and/or a HTTP User-agent and/or a HTTP version and/or a HTTP Content length and/or a DNS flags and/or a DNS query type and/or a DNS Transaction ID and/or a ICMP type and/or a ICMP packet length and/or an Incoming bytes per second (bps) and/or an Incoming packets per second (pps) and/or a TCP pps and/or a TCP bps and/or a ICMP pps and/or a ICMP bps and/or a UDP pps and/or a UDP bps and/or a HTTP pps and/or a HTTP bps and/or a IPv4 pps and/or a IPv4 bps and/or a IPv6 pps and/or a IPv6 bps and/or a Non-IP pps and/or a non-IP bps and/or an Invalid UDP pps and/or an Invalid ICMP pps and/or an Invalid TCP pps and/or an Invalid UDP bps and/or an Invalid ICMP bps and/or an Invalid TCP bps and/or an Invalid IPv4 pps and/or an Invalid IPv4 bps and/or an Invalid IPv6 pps and/or an Invalid IPv6 bps and/or an Invalid HTTP Request pps and/or an Invalid HTTP Request bps and/or a HTTP requests per URL and/or a HTTP requests per Host and/or HTTP requests per source IP and/or HTTP requests per destination IP and/or HTTP requests per destination IP and source IP.

Claim 3. The method as claimed in claim 1, wherein the second set of parameters are selected from any or a combination of a DNS NX Domain responses and/or a TCP RST pps and/or an Outgoing pps and/or an Outgoing bps and/or a Server response time and/or a TCP flags distribution and/or a TCP window size and/or a Maximum server connections and/or a HTTP response code and/or a HTTP payload length and/or a TCP Sequence number and/or a TCP Payload length and/or a TCP ACK timestamp and/or a Number of open ports per destination and/or a TCP pps and/or a TCP bps and/or a UDP pps and/or a UDP bps and/or a ICMP pps and/or a ICMP bps and/or a DNS response pps.

Claim 4. The method as claimed in claim 1, wherein the mitigation criteria is selected from any or a combination of a syn proxy, geo-IP filtering, heuristics, a progressive challenge, rule matching, a temporary blacklist, aggressive aging, or RFC compliance.

Claim 5. The method as claimed in claim 4, wherein the data packet is passed if the data packet in the user request and the server response passes the mitigation criteria.

Claim 6. The method as claimed in claim 4, wherein the data packet responds with a challenge if the data packet in the user request is found to be suspicious as per the mitigation criteria including syn proxy and/or progressive challenge.

Claim 7. The method as claimed in claim 4, wherein the data packet in the user request or the data packet in the server response is dropped if the data packet fails any mitigation criteria and a next data packet is analyzed.

Claim 8. The method as claimed in claim 1, wherein the traffic score is computed based on an anomaly detection technique selected from any or a combination of an Entropy, a top talker, a multi-variant Gaussian distribution, a univariant Gaussian distribution, or a heuristic analysis.

Claim 9. The method as claimed in claim 1, wherein the pre-defined threshold is computed dynamically based on the first set of parameters and the second set of parameters stored in a repository and the pre-determined threshold is adaptive based on the first set of parameters and the second set of parameters stored in a repository, and the first set of parameters and the second set of parameters comprise a structured and/or an un-structured representation.
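The core of claim 1 is a running anomaly score (CUSUM) computed from request-side and response-side traffic counters, compared against a threshold, followed by a traffic-shaping response. The Python block below is an added illustration of that general technique written for this page; it is not the patentee's code and should not be read as the claimed method. The sample counters, the warm-up baseline, the slack k, the threshold h and the rate cap are all assumptions constructed for the example.

```python
"""CUSUM anomaly scoring over per-second traffic counters, with a
traffic-shaping response once the score crosses a threshold.

This is an added illustration written for this page; it is not the
patentee's implementation. Baseline, slack k, threshold h and the sample
traffic below are all assumptions constructed for the example.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Constructed sample input (not captured traffic): 30 one-second buckets.
# Buckets 0-19 are quiet background; a flood begins at bucket 20.
# Request-side counter: incoming packets per second seen on the NIC.
REQUEST_PPS: List[int] = [
    1012, 992, 1005, 997, 1020, 985, 1007, 1002, 991, 1011,
    996, 1006, 998, 1009, 988, 1003, 1008, 994, 1001, 999,
    1010, 1200, 2500, 6000, 12000, 13000, 12800, 13200, 13100, 12900,
]
# Response-side counter: TCP RST packets per second sent back by the server.
RESPONSE_RST_PPS: List[int] = [
    6, 5, 4, 7, 5, 6, 3, 5, 6, 4,
    5, 7, 4, 5, 6, 4, 5, 6, 5, 4,
    6, 30, 120, 300, 600, 700, 720, 710, 730, 720,
]
WARMUP = 20  # buckets used to learn the per-counter baseline


def baseline(series: List[int], warmup: int = WARMUP) -> Tuple[float, float]:
    """Mean and population std-dev of the warm-up window."""
    window = series[:warmup]
    mu = mean(window)
    sigma = pstdev(window) or 1.0  # a perfectly flat window would give sigma=0
    return mu, sigma


def cusum_scores(series: List[int], mu: float, sigma: float, k: float = 0.5) -> List[float]:
    """Upper one-sided CUSUM in standard-deviation units:
        S_t = max(0, S_{t-1} + (x_t - mu)/sigma - k)
    k is the slack: ordinary jitter drains the sum back toward zero, while a
    sustained upward shift accumulates."""
    scores, s = [], 0.0
    for x in series:
        s = max(0.0, s + (x - mu) / sigma - k)
        scores.append(s)
    return scores


def traffic_scores(request: List[int], response: List[int], k: float = 0.5) -> List[float]:
    """Combined per-bucket score: the worse of the request-side and
    response-side CUSUM, so either direction can raise the alarm."""
    mu_q, sd_q = baseline(request)
    mu_r, sd_r = baseline(response)
    return [max(a, b) for a, b in zip(cusum_scores(request, mu_q, sd_q, k),
                                      cusum_scores(response, mu_r, sd_r, k))]


def first_alarm(scores: List[float], threshold: float) -> Optional[int]:
    """Index of the first bucket whose score exceeds the threshold, or None."""
    return next((i for i, s in enumerate(scores) if s > threshold), None)


def shape(series: List[int], alarm_at: Optional[int], cap: int) -> List[int]:
    """Traffic-shaping mitigation: from the alarm bucket onward, forward at
    most `cap` packets per second and drop the rest."""
    if alarm_at is None:
        return list(series)
    return [min(x, cap) if i >= alarm_at else x for i, x in enumerate(series)]


def run(threshold: float = 5.0, cap: int = 1200) -> Tuple[Optional[int], List[int]]:
    """Score the sample, find the alarm bucket, and return the shaped rates."""
    scores = traffic_scores(REQUEST_PPS, RESPONSE_RST_PPS)
    alarm = first_alarm(scores, threshold)
    return alarm, shape(REQUEST_PPS, alarm, cap)


if __name__ == "__main__":
    alarm, forwarded = run()
    print("alarm at bucket", alarm, "| forwarded pps around it:", forwarded[18:24])
```

Running the block reports the alarm at bucket 21, the second bucket of the flood: the first flood bucket is only one standard deviation above baseline and is absorbed by the slack, and the score crosses the threshold once the shift is sustained. Two practical caveats the claims do not address: a baseline learned while an attack is already under way silently raises mu and sigma and blinds the detector, so the warm-up window has to be frozen or sanity-checked, and a flat cap on packets per second drops legitimate traffic along with the flood, which is why the claims list finer-grained filters (syn proxy, challenges, blacklists) ahead of shaping.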

Users of all anti-DDoS products should note that if they use any of the methods described in the claims above, they may be liable for infringement of the patent unless they obtain the necessary licence.

All auditors need to flag similar methods used by auditee organizations as a “Risk”, and the possibility of financial liabilities arising from it has to be factored in.

All Cyber Insurance companies need to rework their assessments of organizations if there is a potential infringement.

This patent, issued on the claims filed by the Registered Patent Agent Mr Tarun Khurana and approved by Mr Roopak Jain as the Controller of Patents (apparently in the Delhi branch of the Patent Office), appears to be a milestone in the history of Software Patents in India.

Based on the issue of this patent, there could be a flood of patent applications from software companies in India, and also applications for reconsideration of earlier applications rejected by different patent offices.

(Comments welcome)

(P.S: Naavi.org does not fully agree with the interpretation of the patent office that this patent is outside the provisions of Section 3(k), since it is a “Method” and no “Physical Device” has been indicated as the subject of the patent.

Nevertheless, it is the prerogative of the Patent office to take a view of its own unless otherwise challenged. This will however be a precedent in the case of other software patent applications and if any other party finds that their patents were unfairly rejected, then they may try to amend their claim and seek reversal of the earlier decision either through a review or by approaching the High Court.

In the past Patents have been claimed on basic aspects of network functioning such as hyperlinking, reverse auctions in the e-commerce scenario, single click buying in E Commerce scenario, the GIF imaging etc which have caused extreme discomfort to the users.

This patent is also essentially a basic “Firewall” feature, where data packets are filtered against pre-set rules. The only distinguishing feature is that there should be a “Processor” coupled with the NIC that does the analysis and filtering of the packets. Unfortunately the patent is not for this “Processor” but for the “Method”.

In our opinion, the “Processor” should have been segregated into a “device” and the patent should have been granted for the device, which is the hardware plus the embedded software. It is our considered view that the Patent office has erred in granting the patent in its current form under the current provisions of Section 3(k). … Naavi)

Naavi
