New document reveals software to be used for certifying NDHM sandbox participants

The empaneled agencies will be assessing the integration of other private or public entities who participate in the NDHM sandbox to build products and services.

A new Request for Empanelment (RFE) issued by the National Health Authority has revealed the NHA’s plans to use software to facilitate the exit of players from the National Digital Health Mission Sandbox. The players would then enter the live environment of the mission.

Why it matters? Earlier, the framework of the Sandbox said that the certification would be the responsibility of MeitY’s Standardization Testing and Quality Certification Directorate (STQC). Players who are a part of the NDHM Sandbox create products and services which could, following certification, become a part of the actual mission. The NDHM has been built to handle sensitive health data like Unique Health IDs, longitudinal health records (potentially from birth to death), health professionals and health facilities’ registries, and so on. Although the initial guidelines from the NHA had mentioned that it would use the services of ’empaneled vendors’ in the certification process for the “NDHM Sandbox exit”, it did not mention who these vendors would be or that the certification would be determined using software.

What the RFE requires empaneled agencies to do

• Develop a self-assessment certificate service/tool to automate the Sandbox exit process within a period of 4 months

This tool will evaluate the integrations performed by each participant in terms of functionality with NDHM ecosystem APIs and issue a pass and fail certification.

Application Programming Interfaces (APIs) allow a platform or service to connect to other platforms and services. APIs are an integral part of programming. Open APIs allow any service or app to freely connect to a resource, and are generally published openly.

• Based on the certificate, the NHA will sign off on a participant’s final integration into the NDHM.

The RFE says that the integration would initially only be for use-cases related to:

• Creating a Health Locker service: The Sandbox defines this as a software system where a patient’s longitudinal health records are stored either on the patient’s personal devices or on a user-trusted cloud service.
• Building a Health Information Provider (HIP) service: A Health Information Provider can be a hospital, laboratory, health care center, clinic, or pharmacy – basically, any entity that creates medical data pertaining to a patient.
• Developing a Health Information User Service (HIU) service: A Health Information User is an entity that will have access to digital health information from HIPs, in order to provide services to the patient to whom the information belongs.
• Health ID creation and sharing: The Health ID will be used for the purposes of uniquely identifying persons, authenticating them, and threading their health records (with the informed consent of the patient) across multiple systems and stakeholders.

However, the integration can expand to more use-cases and other building blocks of the NDHM once they are operational.

Criteria for agencies to qualify for empanelment

The agencies applying to build the software will need to have:

• Successfully completed at least 1 project on developing a self-assessment toolkit to test functional compliance for an API-based integration in the last 5 years.
• Average turnover of over 3 crores in the last 5 years
• A valid STQC empanelment certificate for ISO/IEC 17025: 2017 or a valid CERT-IN empanelment for information security auditing services

The RFE says that the empanelment will be for three years. The empaneled agencies’ software can be used by a Sandbox participant at a cost decided mutually between the agency and participant.

How the NDHM Sandbox functions

Stage 1: The Health Tech Committee (HTC) will shortlist applicants such as health service providers, hospitals, clinics, laboratories,etc. meeting the eligibility criteria for entry into the Sandbox.

Advertisement. Scroll to continue reading.

Stage 2: Test design for 4 weeks

Stage 3: Application assessment for 3 weeks

Stage 4: Testing for up to 12 weeks.

Stage 5: Finally, the evaluation would take place over 4 weeks after which the participant can enter the live NDHM environment.

Previous method of certification

According to the Sandbox framework guidelines released last year, the certification for sandbox participants. was to be done via two approaches. One to evaluate the process by which the product was developed, and the other to evaluate the quality of the end-product.

The guidelines said that the Ministry of Electronics and Information Technology (MEITY) has to verify, validate, and certify products/solutions that have onboarded with the NDHM Sandbox.

Advertisement. Scroll to continue reading.

Standardisation Testing and Quality Certification Directorate (STQC), an office under MEITY, will be responsible for ensuring certification of the software/product with NDHM before it is rolled out in the open market. The certification/audit of the product shall be mandatory and shall be undertaken by STQC or its empanelled vendors, the guidelines said.

Also read:

• What India should do to improve cybersecurity in Healthcare — Ambassador Latha Reddy
• In Parliament, MoHFW gives a break-up of Health IDs created under NDHM
• Summary: The consultation paper on UHI shows what NDHM could look like

Have something to add? Subscribe to MediaNama and post your comment