Critical Analysis Of Digital Information Security In Health Care Act (DISHA), 2018




This blog is written by Simran Sahoo from KIIT School of Law, Odisha. Edited by Harsh Sonbhadra.



DISHA, 2018 is an initiative of the Ministry of Health and Family Welfare for advancing electronic health standards by prescribing privacy and security measures for the storage and exchange of electronic health records. It would systematize and regulate the collection, storage, transmission, and use of digital health data while ensuring data privacy and confidentiality.

Digital health data is an electronic record of health-related information concerning a particular individual, which includes information regarding:

1) The physical and mental health of the individual concerned.

2) Any health services being delivered to the individual.

3) Any donation of a body part or bodily substance by the individual.

4) The results of testing and examining a body part or bodily substance of the individual.

5) Details of clinical establishments such as hospitals, nursing homes, clinics, dispensaries, etc.


1) It provides the relevant information at the time of treatment so that the correct medical decision can be taken.

2) It provides for a secure and authorised exchange of digital health data, which improves the coordination of information among hospitals, medical professionals, and other concerned entities.

3) It facilitates health care research into the best ways of preventing and managing chronic diseases.


1) It has helped in establishing advanced and efficient “patient-centred” medical care.

2) It has also enhanced public health activities by enabling early identification of, and a quick response to, public health threats and emergencies.


1) Ownership of digital health data

• Under section 3 of this Act, the individual whose digital health data is generated and processed is the owner of that data.

• Under section 31, no clinical establishment or health information exchange has any right of ownership over the Digital Health Data (DHD). It may only hold and manage the data in trust for the owner.

2) Rights of the owner of DHD

Section 28 of this Act provides for several rights of the owner such as:

• The owners have the right to privacy, the right to confidentiality, and the right to security of their DHD.

• The owners have the right to give or withhold consent for the generation and collection of such information, and to refuse disclosure of sensitive information regarding their health.

• The individual has the right to refuse consent for the storage and transmission of such sensitive information.

• The individual has the right to be informed about the purpose for which the data is used. If the owner refuses to provide or share such DHD, he/she cannot be denied health care treatment.

• The owners have the right to know which establishments hold their data.

• They have the right to know whenever their data is accessed or used. They can even claim compensation for damages in case of breach of DHD.

• They have the right to access and rectify any information provided earlier.

3) Duty to secure information

As per section 3 of the Act, the information has to be secured by clinical establishments (both private and public) such as hospitals, nursing homes, dispensaries, clinics, etc.

4) Purposes for which DHD can be processed

Section 29 states that the DHD can be collected, stored, and transmitted for the following reasons:

• Advancement in the delivery of medical care

• For providing appropriate information for decision making.

• Enhancing coordination between the providers of health care services.

• Improvement of health care activities.

• For research and policy formation.

5) Requirements to be satisfied for data transmission

Section 33 states the following requirements:

• The owner’s consent is the most essential requirement, and such consent must be acquired after informing the individual about their rights and the purposes of the collection.

• The data has to be transmitted in encrypted form.

• The Health Information Exchange has to maintain a register for recording all the data transfers.

6) Conditions required for accessing data

Section 34 states the following requirements:

• The data can be accessed only on a “need to know” basis, i.e. by a specific person for a specific lawful purpose.

• In cases of emergency or the death of the owner, government departments, relatives, and legal heirs of the owner can also access the data.

7) Provisions on breach of data

Section 37 and section 38 state the following:

• Section 37: a breach of data occurs when the data is collected, stored, or transmitted in a manner that violates the standards prescribed by the Act.

• This includes infringing the rights of the owner or causing any damage, deletion, destruction, or tampering of data.

• The offender who commits such an offence is liable to pay compensation for the damages.

• Section 38: when there is a serious breach of data, i.e. the breach is fraudulent, dishonest, intentional, and negligent, or is made for commercial profit, it is a criminal offence punishable with three to five years of imprisonment and a fine of not less than five lakh.

8) Other acts regarded as an offence under this Act

Section 40 and section 42 provide for the other offences:

• Section 40 states that for offences such as failure to submit information demanded by a health authority, failure to obey the directions issued by such an authority, or failure to redress the inconvenience and grievances of DHD owners, a minimum of one lakh has to be paid by the offender.

• Section 42 provides that intentional data theft and unauthorised access to and use of DHD are punishable with imprisonment of three to four years, or a minimum fine of one lakh, or both.

9) Adjudicating authorities for redressal of various offences under this Act

Section 45, section 49, and section 51 state the following:

• Section 45 provides for two types of adjudicating authorities to deal with the offences: central adjudicating authorities and state adjudicating authorities.

• Section 49 states that such adjudicating authorities have powers similar to those of civil courts, and their proceedings are deemed to be judicial proceedings.

• Section 51 states that an appeal can be made against any decision of such authorities within sixty days of the decision being declared.


Heralding a new data regime in India

The COVID-19 pandemic has called for several datafication approaches to health care, such as:

1) Digital dashboards to track and trace Coronavirus hotspots.

2) Various contact-tracing apps, which help citizens know their level of exposure to the virus within a geographical area.

Advancement of telemedicine

Telemedicine means healing at a distance. Here, patients receive health care treatment even though the doctors/nurses and the patients are not physically present at the same place.

With the introduction of the Ayushmaan Bharat Scheme, the Indian government is providing the biggest health financing scheme for the development of the health sector of our country. This scheme provides for long-distance medical care, efficient patient-centred treatment, and a punctual health management environment.

Digitalization of health care and rising cybersecurity threats

The digitalization of health care has undoubtedly created a more comfortable platform for patients to have their complex and sensitive health issues treated, but at the same time there is an imminent threat of attacks in cyberspace. Patients’ information and medical reports stand a high chance of being exploited for various hostile purposes.


Going digital during a pandemic caused by a highly transmissible virus like COVID-19 would be one of the most effective ways of safeguarding front-line health care workers. However, there is a huge concern about cybersecurity in the health care sector.

In India, medical devices lack software security for many reasons, such as:

1) Medical specialists still use old and outdated software with very weak security features.

2) Staff lack the “know-how” to implement software updates.

3) Many hospitals are not even aware of which system runs on the devices being used.

What is needed now is a comprehensive approach to cybersecurity for the creation of a safe digital health care environment. A trusted cyber system is very much required in today’s world, and the government, through measures such as introducing DISHA, is stepping forward to create such a cyber ecosystem.


Digitalization of health care services has opened doors to better coordination between doctors and patients, communication between multiple health care specialists on various health care issues, and opportunities for collaborative research and study. The main concern is cybersecurity, for which the government has to take effective steps towards a more secure digital health care structure; at the same time, people have to modernise and become aware of the “know-how” of the technologies in the devices they use, so that we can build a healthy digital life.
