Patients and Privacy: GDPR Compliance for Healthcare Organizations

When the European Union’s General Data Protection Regulation (GDPR) came into enforcement on May 25, 2018, it drew a range of responses from sectors and industries all over the world, as it had when it was approved in 2016. Many organizations took up the challenge of compliance and made substantial changes to their data management and security policies. Some, however, found the task so daunting that they suspended operations or closed their business entirely. What is certain is that the latter is not an option for healthcare organizations.
The GDPR sets a new standard for data privacy: It affects any organization that processes EU citizens’ data, no matter where that data is being collected, processed, or stored. This gives the regulation an unprecedented scope, extending its reach to territories outside the EU and affecting organizations around the world, in whatever industry. For the healthcare industry — which requires varied types of personal data — it is an opportunity to improve systems, policies, and processes to stay ahead of any potential threat to institution and patient information.

Healthcare industry: a trove of personal data

The GDPR outlines stringent new policies for collecting, processing, and securing personal data. Healthcare organizations are in a vital position as they handle an entire spectrum of data — from financial records and health insurance information to patient test results and biometric information. Some of these data types are more sensitive than the typical information collected by non-healthcare organizations: They are uniquely linked to an individual and are mostly unalterable. For example, a person can create a new email address but can’t change their medical history or their dental records, making it a serious privacy concern if such data is stolen.

Apart from the general protections provided for personal data, the GDPR also defines three types of “health data” that require special protection: data concerning health, genetic data, and biometric data. These are classified as sensitive personal data, and the regulation generally prohibits any processing of them unless explicit consent is given or very specific conditions are met. There are some exceptions: processing is generally permissible for assessing working capacity for employment, for the management of health or social care systems and services, or for reasons of public interest.

As healthcare organizations like private and public hospitals, medical device manufacturers, and health insurance providers manage personal data, including the special categories, their compliance with the GDPR requirements is critical. Healthcare organizations need to invest time and capital in changing their perspective and approach, not just towards the GDPR but towards cybersecurity as well. The healthcare industry faces unique challenges, but there are also effective security solutions that will benefit an organization in the long run.

Compliance beyond the EU healthcare sector

In 2016, the EU-US Privacy Shield was adopted to provide guidelines for the transfer of data between the EU and the US. Participating organizations were deemed to have "adequate protection" to hold or access EU citizens' data. However, being certified under the EU-US Privacy Shield does not guarantee GDPR compliance.

Healthcare organizations outside of the EU should already be compliant with their local privacy laws, for example, with the Health Insurance Portability and Accountability Act (HIPAA) for organizations in the United States. However, the GDPR is a groundbreaking and far-reaching regulation. Previously enacted laws were concerned with regulating the organizations within their specific country or region. But now, data can travel quickly through channels that go beyond physical borders, so citizens of one country can have their personal data processed or stored in servers that are continents away. The GDPR has taken that, along with other technological advancements, into consideration.

This means that organizations across the world that do business with EU citizens need to revamp their data management policies in different ways. And even if an organization does not conduct business regularly with EU citizens, complying with the GDPR gives them a head start in data management and protection: Many countries and regions are catching up with the EU and implementing comprehensive policies or amending legislation to match the GDPR.

Healthcare organizations, in particular, will benefit from compliance even if they are not based in the EU. The healthcare industry has been a prime target for cybercriminals for years, with attacks ranging from business email compromise (BEC) schemes to data breaches. So complying with the regulation is favorable for healthcare organizations on many levels: They will avoid non-compliance fines, be better protected against hackers, have better protection for valuable customer and enterprise data, and have an advantage over other organizations that don’t offer clients the same level of security.

Data management challenges for healthcare organizations

Here are some specific areas that organizations in the healthcare industry should be concerned about.

  • The GDPR outlines specific rights for data subjects — for example, the “right to be forgotten” (erasure), as well as the rights of access, data portability, and more. Organizations must also obtain explicit consent for processing if they cannot rely on another lawful basis for handling personal and health data. It is the responsibility of the healthcare organization to put a system in place so that the subject can exercise all these rights. This requires time and effort — from reorganizing data to installing new software and setting new archiving policies.
  • For years, healthcare organizations have been heavily targeted by cybercriminals looking to profit from the unique and valuable data they store. These threat actors attack victims using methods such as ransomware, phishing, and malicious spam. Data breaches that put individuals at risk can result in fines.
  • There are many exposed devices in homes and enterprises across the globe, which are left unsecured and vulnerable to hackers. In healthcare, unsecured medical internet of things (IoT) devices contain confidential patient information, test results, and medical images. Organizations have to use devices with adequate built-in security, or install solutions to secure the data stored in them.
  • Connected hospitals have to look out for supply chain compromise. Some third-party suppliers develop unique partnerships with healthcare organizations and have access to sensitive data and devices. This has its risks. Cyberattacks in the supply chain can come through different, and sometimes atypical, vectors: firmware attacks, mobile app compromise, portal compromise, third-party vendor breaches, and even insider threats.

Solutions and mitigation

To comply with the GDPR, as well as protect the sensitive personal data of patients and staff, there are steps healthcare organizations can take.

  • Organizations have to retool their data management framework and adopt new policies for accessibility, archiving, organization, and protection. There should be an efficient system in place that guarantees that data subjects can exercise all the rights outlined in the GDPR. Companies in the United States can rely on comprehensive security frameworks like HITRUST CSF®, which already incorporates the GDPR in its latest version, in addition to global standards like those of the International Organization for Standardization (ISO) and the Payment Card Industry Data Security Standard (PCI DSS), as well as the relevant local regulations.
  • Meanwhile, companies also have to manage the growing risk of supply chain attacks. Risk assessment is essential — companies should only work with organizations that are compliant with the GDPR and are reliable partners in data protection. Apart from that, they should perform risk assessments on suppliers, do background checks on anyone with access to databases, medical devices, and equipment, and make sure to implement efficient patching policies. Penetration testing of hospital networks by professional pen-testing companies is also highly recommended.

  • General best practices that will help secure data and hospital networks include the following: network segmentation, firewalls, antimalware solutions, Breach Detection Systems (BDS), security systems that detect and prevent network attacks, and encryption technologies. Apart from hospital networks, medical devices and third-party software also need to be sufficiently secured: Devices should be assessed during the design and manufacturing phases; applications and software should also be assessed and equipped with the proper security solutions.

In general, the GDPR requires organizations to have “state-of-the-art” data protection, so installing tailored security solutions across networks and devices will help with compliance. But apart from that being a requirement, improving data protection and privacy will be beneficial for any organization. Healthcare, along with many other industries, is becoming increasingly reliant on data and analytics in order to provide better and faster services. Complying with data protection regulations is a responsibility that goes beyond geographical limits, especially for an industry that deals with the physical and emotional safety of individuals.

Trend Micro has the resources and expertise to help companies who are still on their GDPR compliance journey. Find out more about necessary state-of-the-art security on our solutions page. And for more information about the GDPR in general, our resource center has more information about the regulation.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Online Privacy, GDPR