Cybersecurity Starts with Yourself

Searching for cybersecurity legislation in the Philippines related to healthcare information security is like opening a can of worms. I, being the ignorant technology user that I am, came across so many acronyms of government institutions all involved somewhat in promoting “Cybersecurity”. From the NPC to NEDA to DICT, not to mention DOST and even the DOJ-NBI, DILG-PNP and AFP, all seemed to be involved somewhat in this endeavor. And then finally, this led me to the Philippine Health Information Exchange or better known to us MSHI students – PHIE. Quoting from DOH’s website on PHIE – “Guided by the PeHSP (Phil eHealth Strategic Plan)….The PHIE is a platform for secure electronic access and efficient exchange of health data and/or information among health facilities, health care providers, health information organizations and government agencies in accordance with set national standards…” Then it goes on to describe PHIE further as something “envisioned to become an integral component of the health care delivery system”, “shall integrate and harmonize health data coming from different EMRs and HIS” and “shall promote public health, improve total patient care and better decision making, while safeguarding the right to privacy of every individual”. 2020 was the target date of the PHIE’s roadmap, and still we are describing it in the future tense.

So what governs cybersecurity in Philippine healthcare at present? PHIE, I would believe, is envisioned to spearhead the drafting and submission of specific compliance guidelines for healthcare, similar to the role of HIPAA (Health Insurance Portability and Accountability Act) in the US and GDPR (General Data Protection Regulations) in the UK. Sadly, that has yet to come to pass, but that does not mean that the Philippines is without any legislation related to cybersecurity.

DICT, or the Department of Information and Communications Technology, was officially mandated by the Philippine Government through RA 10844, the DICT Act of 2015, to be the primary policy, planning, coordinating, implementing and administrative entity that will plan, develop and promote national Information and Communication Technology (ICT) development, which includes in its agenda and functions Cybersecurity Policy and Program Coordination. Listed on its website are the following laws, policies and standards related to cybersecurity in healthcare in effect in the Philippines:

1. 2011-2015 National Security Policy
2. R.A. 10173 Data Privacy Act of 2012
3. R.A. 10175 Cybercrime Prevention Act of 2012
4. E.O. 310,s2009 Institutionalizing the Certification Scheme for Digital Signature
5. PNS ISO/IEC 27001:2005 (Information technology – Security techniques – Information security management systems – Requirements)
6. PNS ISO/IEC 27002:2005 (Information technology – Security techniques – Code of practice for information security management)

From this list, cybercrime is clearly already included in the government’s initiatives, but interestingly, cybersecurity is not one of them. The terms cybercrime and cybersecurity have often been used interchangeably, but they differ: cybercrime is the act of using a computer device and the internet to commit a crime, while cybersecurity refers to the measures in place to prevent that crime. The FBI Internet Crime Complaint Center draws this distinction, which you can view in tabular format in the article posted on theconversion.com. Cybercrime mostly victimizes individuals or families, targeting people and their data, whereas a cybersecurity breach refers to corporations or governments as victims, where computer networks, software and hardware are targeted.

It now makes more sense to me that the Philippines already has a law in effect regarding cybercrime but none related to promoting cybersecurity or to actions against the perpetrators of cybersecurity breaches.

Surprisingly to me, DICT already has a plan, the National Cybersecurity Plan of 2022, and its 50-page booklet describes the details of its strategic initiatives: enhancing security resilience in government, public and military networks to deal with sophisticated attacks, increasing efforts to promote adoption of cybersecurity measures among individuals and businesses, and growing a pool of cybersecurity experts. It also describes a National Cybersecurity Framework that focuses on technical, administrative and procedural measures that will protect critical infrastructure and increase the resilience of ICT and ICT-enabled environments. I do not claim to have read the entire 50-page booklet, but it does look very promising, as it describes in detail, aside from the Framework, inter-agency cooperation, guiding principles, specific roles and responsibilities, key areas for cybersecurity, the classification of a National Security System, and risk management approaches.

The key programs of the NCSP are the protection of Critical Information Infrastructure, the protection of government networks, the protection of the supply chain, and the protection of individuals through active and proactive approaches.

DICT is the umbrella institution that guides PHIE in its endeavors to keep health information secure from malicious attacks. The NCSP has yet to see full implementation until 2022, and PHIE’s strategic framework has already encountered setbacks. As part of the health system ourselves, the duty and responsibility then lies on us to act with deference to what has already been tried and tested by our big brothers, the US and UK, and/or the standards of other European countries. Thankfully, no devastating health-related data breach has yet occurred in the Philippines (funnily, maybe because less than 10% of all our health-related records are electronic, and more importantly they are not integrated). We should be more prepared for such occurrences, since we have every opportunity and more time to anticipate them. Personally, we can apply certain steps to promote cybersecurity, such as appointing a Data Protection Officer, conducting a Privacy Impact Assessment, creating a Privacy Manual, implementing privacy and data protection measures, and exercising breach reporting procedures (lifted from the National Privacy Commission’s website).
