The Clinical Establishments (Central Government) Rules, 2012 require clinical establishments to maintain and provide electronic medical records/electronic health records, thus mandating the storage of health information in an electronic format. The SPDI Rules recognize health information as constituting ‘sensitive personal data’ and thus regulate its collection, use and disclosure. However, as already mentioned, the SPDI Rules apply only to the private sector, thus leaving the whole of the public health sector outside their ambit.
Use of medical data will be subject to provisions of the Electronic Health Records Standards, 2016 (the EHR Standards).
The EHR Standards include provisions relating to information capture, storage, retrieval, exchange and analytics, including images, clinical codes and data. They further provide that all medical data belongs to patients and not to service providers, that patients should be in complete control of who accesses their data, that no changes to data may be made once it enters the system, and that all data should remain in encrypted form.
The RBI issued guidelines pertaining to information security, electronic banking, technology risk management and cyber frauds (G. Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein banks were required to adopt the above-mentioned guidelines and incorporate the same in their annual report from the period 2011-2012 onwards. The guidelines dealt with the establishment of an IT committee within the organisation, its roles and responsibilities, dealing with cyber frauds, the audit process, etc.
The RBI further issued DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated 02.06.2016 (“Guidelines”) wherein:
i. banks have been instructed to put in place a cyber security policy with the approval of their Board.
ii. The cyber security policy is to be separate from the broader IT security policy of the entire organisation.
iii. banks have been instructed to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the RBI.
iv. banks have been encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT.
v. banks have been instructed to have a cyber crisis management plan (“CCMP”) in place. The CCMP was to be designed to address the following four aspects: (i) detection, (ii) response, (iii) recovery and (iv) containment.
vi. banks have been instructed to take effective measures to prevent cyber-attacks and promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout. Banks are further expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
NBFC Sector
With respect to NBFCs, the Reserve Bank of India issued the Master Direction – Information Technology Framework for the NBFC Sector dated 08.06.2017 (Master Direction DNBS.PPD.No.04/66.15.001/2016-17). Firstly, these directions have made it mandatory for NBFCs to formulate a cyber security policy, duly approved by their Board, elucidating the strategy and containing an appropriate approach to combat cyber threats given the level of complexity of the business and acceptable levels of risk. The NBFC has to ensure that it reviews the cyber security policy on a constant basis. Secondly, NBFCs are required to devise a strategy for managing and eliminating vulnerabilities, and such a strategy may clearly be communicated in the cyber security policy. Thirdly, NBFCs are required to have in place a cyber crisis management plan covering the following four aspects: (i) detection, (ii) response, (iii) recovery and (iv) containment. Lastly, the directions make it mandatory for NBFCs to report any unusual cyber security related incident to the DNBS Central Office, Mumbai.
Insurance Sector
The Insurance Regulatory and Development Authority issued the Guidelines on Information and Cyber Security for Insurers dated 07.04.2017. Firstly, these guidelines require insurers to configure all of their IT infrastructure, including servers, applications, networks and security devices, to ensure security. Insurers have to ensure that the configuration is based on secure configuration documents. Secondly, by virtue of these guidelines, insurers are required to classify and identify critical assets, business processes and functions that require protection against compromise. Information assets (including sensitive personal information) and related system access should be part of the identification process. Thirdly, insurers are required to have adequate controls in place to ensure cyber security. The guidelines also attach great importance to incident response planning and contingency planning. Most importantly, the guidelines make it mandatory for insurers to report any cyber security related threat / unusual incident to the IRDAI within a period of 48 hours from the knowledge of the occurrence of such incident.
Credit Information Companies
Credit information companies are governed by the Credit Information Regulation Act, 2005 (“CIC Act”). It is the duty of the credit information company to take up measures to ensure the privacy of its customers. The CIC Act requires the company to implement measures to ensure that all the information that is received or collected by the company is properly recorded, collated and processed. The company, by virtue of the CIC Act and the rules made thereunder, is required to implement measures to protect the information it collects against loss and unauthorized access.
Telecom Sector
The Telecom Service Provider is required to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business, to whom it provides the service and from whom it has acquired such information by virtue of the service provided, and is required to use its best endeavours to secure that: (a) neither the licensee nor any person acting on behalf of the licensee divulges or uses any such information except as may be necessary in the course of providing such service to the third party; and (b) no such person seeks such information other than is necessary for the purpose of providing service to the third party.

Provided By:
G.V. Anand Bhushan: Shardul Amarchand Mangaldas & Co.