
GLOBAL BUSINESS SCHOOL HUBLI

CYBER LAW
Case Study On Data Security At KLES Hospital, Belgaum

Data Security at KLES Hospital, Belgaum

INTRODUCTION

This article gives a brief introduction to the medical records at KLES Hospital, Belgaum. It describes in detail the policies, procedures, methods, maintenance and use of medical records practised at the hospital, and how the Medical Records Department (MRD) plays an important role in treating patients.

BACKGROUND

In 2008 an incident occurred at KLES Hospital, Belgaum, in which information was stolen from the MRD (Medical Records Department). Around 700+ doctors and many nurses work at the hospital. The hospital was fully computerized: all information, from staff to patients, was recorded in the system. Everything about a patient, from the smallest detail to the largest, including the full history of diagnosis reports, who treated the patient and what was prescribed, was stored in the hospital's system. On average, around 2 lakh patients came to the hospital every year. Some patients used a cashless service, i.e. a health insurance card.

One day, on the eve of the hospital management day, while all the staff were celebrating, the information was removed from the database. The management investigated the cause and considered the various ways in which the information could have been lost or removed. There was a good server, and the admin took a backup once a week. They first thought it was the work of an outsider or rivals who wanted to hack the information or had removed the data for some other reason; this turned out not to be the reason. They then thought the data had been lost in a system crash; this again was not the reason. After going through various possibilities, they finally found that the cause lay with the hospital's own staff, i.e. 7 doctors and an admin staff member from the MRD. The whole lot of information covering 8 days had been removed from the system. The day before, these 8 people had lodged a complaint at the nearby police station saying that a laptop belonging to one of them had been stolen. The investigation showed that the information had been stolen with the help of this laptop; the management learned this from the IP address. They were then sacked from their jobs.

At that time there was only one admin for database management. From then on, there were 3 admin staff for the database, working in shifts of 8 hours each (3*8=24hrs). The backup was taken daily at 11 p.m. The management became more cautious, and various HR policies were implemented for the staff.

IMPACT

The impact of the MRD data loss was quite huge because the whole lot of information about the patients was lost. Patients who were supposed to make their payments were not able to, because doctors would find it difficult to diagnose them and the hospital had no records left from which to prepare the bills. There would be difficulty in cases where a patient had already paid a certain amount, and it was difficult for patients to get their insurance claims since there was no evidence. There would be no records of the patients. There would also be an impact on society: patients would not come back to the hospital, and they would lose faith and trust in the doctors as well as the management.

PRECAUTIONS TOWARDS DATA SAFETY IN A NETWORK SYSTEM

When a patient enters the hospital and goes to reception to make an entry for the day and meet the concerned doctor, the patient's information is displayed immediately if it is a regular patient; if the patient is new, a new record is entered. The advantage for the doctor is that the patient's data is easily available, so the diagnosis can be done well. Data can be kept safe by taking suitable precautions: encrypting and decrypting the data, changing the password often, having more than two administration staff maintaining the database systems, synchronization, and cloud storage.

1) Project the case study under data hacking with facts and figures

- In KLE medical hospital, five doctors and one administrator working
- Staff unsatisfied with their work
- 4 pathology departments are there
- Medicines worth rupees 2.6 lakh
- Total 28 departments are there
- Ambulance, blood bank and finance departments also available
- Paramedicine staff
- OT details and firewall
- They hacked their own systems
- Somebody stole one computer
- Five doctors and one administrator lodged a complaint against someone else
- Information hacked by some person
- While the investigation was going on, five doctors and one administrator hacked information
- One week of MRD details hacked
- They lost their degree
- Dissatisfaction with progress; this is happening in the hospital

2) What preventive measures can be taken? Give detailed suggestions.

PREVENTING MEASURES FOR HACKING

Never Disclose Your IP Address
Once the hacker knows the address of your computer, it will be easy for him to enter your home (computer) and steal your accessories (data and passwords).

Do Not Download Any Suspicious Software or Attachments
A lot of people search for cracks and keygens online. Remember, this is the method most exploited by hackers to hack into a PC (personal computer). They usually attach a keylogger or virus to the crack or keygen. Once you download and install it, your data will be sent to the hacker automatically, without your permission. This might lead to disaster if you are an online businessman, because your sensitive information, such as PayPal account information and e-mail account information, can be sent to the hackers.

Use Good Antivirus And Firewall Program
Do not depend upon Windows Firewall to protect yourself from online hackers. It is always a wise decision to use a good firewall program and to install a good antivirus program. If you don't have enough money right now, go for a free antivirus and firewall program, but make sure that you have an updated antivirus and a firewall installed on your computer.

Use Secure Passwords (3D passwords)
Always use 3D passwords to protect your accounts from getting hacked. Your password must contain digits, special symbols like underscore ( _ ) and characters (in caps as well as in small letters). Do not use short passwords. Your password should be at least eight characters long.

Always Logout From Your Accounts
You should always log out from your accounts instead of closing the browser window directly, because whenever you log in to your account the server places a cookie for your account, and when you log out this cookie is deleted.

Backup Of Your Data
Some viruses are made to destroy your data, so it is always advisable to store your data in a backup file. Various good data backup programs are available on the internet.

Other measures:
- Adopting data recovery software so that lost data can easily be recovered
- If an intranet service is used, there is less chance that data may be lost
- Regular feedback
- Employee satisfaction and counseling
- Security must be provided for the system
- Each department should individually record all data

3) Link IT Act sections for the case

Hacking is punishable under Section 43(a) read with Section 66 of the Information Technology Act, 2000: if any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network. Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to five lakh rupees, or with both.

Cyber Law Consulting helps you in hacking incidents by investigating, filing police complaints, liaising with police and framing litigation against the hacker to bring him to justice. It also helps you in deriving fair compensation in case of any cyber contraventions. We further guide you in framing your policies against hacking attacks and hardening your network.

Our core experience in dealing with hackers across the world, both psychologically and technologically, gives our investigation a cutting edge.

SECTION 66. Computer Related Offences

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,
a) the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
b) the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.

SECTION 66 A. Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device, including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

SECTION 66 B. Punishment for dishonestly receiving stolen computer resource or communication device

Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

Intention or knowledge to cause wrongful loss or damage to the public or any person

Destruction, deletion or alteration of information residing in a computer resource, diminishing its value or utility, or injuriously affecting it

Punishment: imprisonment up to three years; fine up to Rs. 2 lakh. Cognizable, non-bailable, JMFC.

SECTION 66C. Punishment for identity theft

Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 69

Legal provisions and penalties in case of non-compliance:
- Section 69 of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009: 7 years imprisonment and fine
- Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009: 7 years imprisonment and fine
- Section 69B of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009: 3 years imprisonment and fine
- Section 70B of the Information Technology Act, 2000: 1 year imprisonment and/or fine up to Rs 1 lakh

Ingredients: Controller issues order to government agency to intercept any information transmitted through any computer resource.

Applicability: email messages, encrypted messages, password-protected files

Punishment: imprisonment up to 7 years. Cognizable, non-bailable.
