In its response to the Niti Aayog’s paper on the National Health Stack (NHS), industry body NASSCOM and DSCI suggested an independent regulatory body for oversight of the digital healthcare sector: “this is essential to ensure a system of checks and balances,” the two bodies said in a joint submission to Niti Aayog. Niti Aayog had released the National Health Stack paper in July 2018 and invited comments on it. The Ministry of Health later formed an inter-ministerial committee headed by former UIDAI chairman and former MeitY secretary J. Satyanarayana to draft an implementation framework for the NHS. The committee released its report, the ‘National Digital Health Blueprint 2019’, in July 2019, invited comments, and held a public consultation on it.

The main points from their submission are:

1. Decentralised governance model, separate regulatory body:

  • The NHS should allow for multiple operators with the ability to port and access data from each other, instead of being restricted to a single operator
  • There is no mention of how the architecture of a state-level subject will interact with the national-level system, for example the question of inter-state portability for cashless treatment when a patient requires hospitalisation outside their home state; this design principle needs consideration in the architecture of the NHS

2. Overall centralised structure: The overall architecture of the NHS appears to be centralised, which does not align with newer trends towards decentralisation, such as blockchain. Restricting system-building approaches to centralised ones may not benefit the health sector in terms of efficiency, resiliency and data protection; central databases carry additional risks compared to decentralised systems.

3. Role of the private sector: The role of the private sector, including e-pharmacies, health insurance providers, e-nursing and aggregators, has not been elaborated. These players are already adopting digitisation practices such as issuing digital health IDs, telemedicine, robotic surgery, instant health insurance claims, healthcare data portability and real-time fraud management; the NHS should consider integrating private players alongside government players.

4. Usage of a single ID: Confining the NHS to one digital health ID issued by the government may negate ongoing discovery of use cases and technology experimentation, which are evolving in such a way that any identifier can become a digital health ID, such as mobile number, social media IDs, etc. Hence there should be flexibility for introducing identifiers as digital health IDs, says the submission.

5. Disconnected registries: “The NHS should triangulate all existing registries and subsume information under its own master data,” suggested NASSCOM-DSCI, while stating that existing registries like National Health Resource Repository run by the Central Bureau of Health Intelligence, National Identification Number run by the Ministry of Health, and the Registry of Hospitals in Network of Insurance run by the Insurance Information Bureau are all disconnected from each other.

6. Vulnerabilities while interacting with external ecosystem providers: The NHS is silent on how it will tackle discrimination of any category while approving claims, and the NHS “may include guidelines on how the system plans to deliver a non-biased system”, as “an automated system may include hidden biased configurations leading to frauds in the system”.

7. Third-party compliance with security norms: Large central databases of biometric personally identifiable information, linked to networks and made searchable in a distributed manner, are significant targets for hackers and other malicious entities. Other registries and agencies that use the data APIs and store the data even as they transmit it to the central health system may turn out to be the weakest link for privacy and security, since enforcing the same level of security practices on third parties or external systems is an arduous task.

Some of their recommendations:

  • Formulate and enforce robust cyber security guidelines for third parties that collect, process or store healthcare data, or leverage it for their business operations via the API integrations planned for the future
  • Subject players in the NHS ecosystem, including third parties, to rigorous and regular assessments and audits
  • Give special attention to interfaces, external connections and environments participating in the execution of health service transactions, to curb the possibility of data breaches
  • Devices, interfaces, systems and even algorithms participating in the processing of health service transactions should have sufficient security strength to withstand the threats they may face
  • The security and governance function should match the scale and complexity of the challenges