Since the European Union's General Data Protection Regulation (GDPR) took effect on 25 May 2018, businesses in different fields all over the world have been adapting to the updated regulations. The GDPR affects more than data consent and protection: it is transforming how businesses operate, influencing how and when they may work with the information of EU citizens. One industry that will be required to uphold its high standards is healthcare IT.
When it comes to collecting and securing the personal data of EU citizens, the healthcare industry can expect to face an array of new challenges. The regulation is intended to protect personal data as it is collected and updated, ensuring that it stays secure across all processing activities and endpoints.
A Quick Glance at the GDPR
The General Data Protection Regulation is a fundamental change in how an individual's data is secured and kept confidential. Before this law, personal data was widely viewed as an asset of the companies that gathered and stored it. Since the GDPR took effect in May, the personal data of EU citizens is treated as the property of the individual, and the GDPR grants rights concerning how companies collect and use that information. At its core, the GDPR defines the rights of an individual as they pertain to data protection. The rights provided by the GDPR can be summed up as:
- Informed Consent: The right to be clearly informed of why the information is required and for what purpose it will be used. Consent must be given unambiguously and can be withdrawn at any time.
- Access: Individuals have free-of-charge access to all the data gathered about them and can also obtain evidence of how it is being used or shared.
- Correction: If individuals find that their personal data is inaccurate, they have the right to have it corrected.
- Erasure and the Right to be Forgotten: The right to request the removal of one's personal data.
- Data Portability: The right of individuals to retrieve and reuse their personal data, for their own purposes, across different services.
The GDPR also introduces a new requirement for companies to notify the relevant authorities of a personal data breach that is likely to pose a risk to the rights and freedoms of individuals. Where that risk is considered high, the notification must also be extended to the affected data subjects. Companies are required to issue the notifications without undue delay and, where feasible, within 72 hours of discovering the breach. A best practice for avoiding any breach that could threaten EU citizens' personal data is to encrypt all collected information as part of a data governance program. If this approach is followed, companies also need to consider their capacity to sustain large volumes of encrypted traffic, whether the data is in transit or at rest.
The GDPR is intended to keep the personal data of EU citizens safe across the world. This means that any organization or business that uses or stores the information of EU citizens is obliged to follow the GDPR, regardless of whether the healthcare organization is based in the EU or physically operates in any EU country.
For US-based healthcare organizations, the General Data Protection Regulation can be seen as an extension of the rules of the Health Insurance Portability and Accountability Act (HIPAA). Parallel to the protection HIPAA provides for personal health information (PHI), the GDPR builds on that idea by governing the complete life cycle of personal data, including how it is collected, used, stored and finally erased.
How Can Healthcare Organizations Comply with the GDPR?
For healthcare organizations to adhere to the GDPR, there are many obligations to be fulfilled, some specific to the healthcare industry. All personal data, defined as 'any information relating to an identified or identifiable natural person', has to be processed in compliance with Article 5 of the GDPR, meaning that the data must be:
- Collected for specified, explicit and legitimate purposes and not used in a manner incompatible with those purposes.
- Processed lawfully, fairly and in a transparent manner.
- Processed in a way that ensures the data is properly secured.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is used.
- Accurate and kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is used.
- Managed by a controller who is responsible for the data and able to demonstrate compliance.
As noted above, healthcare providers have a distinctive set of high standards to abide by. In particular, sensitive personal data, defined as genetic data, data concerning health and biometric data, cannot be processed or used unless the processing falls into specific categories. Before going into the details of those categories, it is useful to define the three categories of healthcare-related personal data that are subject to the special rules:
- Genetic Data: Personal data relating to the inherited genetic characteristics of a natural person which gives unique information about the physiology or health of that individual and which results, in particular, from an analysis of a biological sample from the individual in question.
- Health-Related Data: Personal data related to the physical or mental health of an individual, including the provision of healthcare services, which reveals information about the health status of that individual.
- Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, for example facial images or dactyloscopic (fingerprint) data.
Although the GDPR rules out unnecessary collection of personal data by healthcare organizations, there are numerous exemptions that permit data collection. For a healthcare organization to collect such sensitive personal data, the processing must fall under one or more of the following categories:
- The data subject has given explicit consent
- Processing the data is necessary to protect the vital interests of the patient or provider
- Processing the data is necessary for the purposes of preventive or occupational medicine
- The data is necessary for reasons of public health
What are the Non-Compliance Penalties?
Failure to meet the GDPR's data protection rules can lead to severe fines for healthcare organizations. The fines are calculated considering numerous factors but can reach the greater of €20 million ($24.8 million) or 4% of global annual revenue. The word "greater" is significant: if a data breach or compliance failure is uncovered and penalized, the higher of the two amounts applies. This means that if 4% of a healthcare organization's global revenue exceeds €20 million, the fine will be the amount equal to 4% of global revenue.
How Can Healthcare Organizations Get into Compliance with the GDPR?
For healthcare organizations to comply with the GDPR, there are several steps they should take to ensure they are fully prepared:
First, they need to assess their current level of compliance to find out what personal data handling needs to be updated. They must be certain they know exactly what information is gathered, how it is stored and why it is collected.
Second, they need to learn how the data is used, stored, transported and shared internally and externally across their departments. They must identify and secure any potential information silos to make sure that required data is not lost in poorly executed processes or technologies.
Once healthcare providers have assessed the data protected under the GDPR, they must invest in training and educating staff on the updated data lifecycle requirements, and in updating the systems for collecting, using, storing and erasing personal data. In addition, the data protection and privacy teams must be ready for any case in which an EU citizen requests access to or review of his or her personal data.
Next, healthcare organizations also need to assess their cybersecurity capabilities. They must establish whether they are able to detect and report data breaches within the 72-hour window. Detecting a breach is often very difficult, even for leading firms; indeed, most data breaches are identified by third parties, more often than not by customers or law enforcement. If attacks are not being detected, healthcare organizations need to revamp their cybersecurity strategies to protect themselves against data breaches across the globe.
Last but not least, healthcare organizations need to commit to rigorous, risk-based cybersecurity strategies that include continuous evaluation of their GDPR-related data lifecycle and their overall security posture. While being compliant does not necessarily mean being secure, given the severe penalties associated with the GDPR, regularly checking for weak spots within the organization can provide a strong foundation for responding if an EU citizen claims his or her data, files a complaint or, in extreme circumstances, if confidential data has been breached.