- Patients and Privacy: GDPR Compliance for Healthcare Organizations
When the European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018 — as was the case when it was approved in 2016 — it drew a range of responses from various sectors and industries all over the world. Many organizations have taken up the challenge of compliance and made substantial changes to their data management and security policies. Some, however, found the task so daunting that they suspended operations or closed their business entirely. What is certain is that the latter is not an option for healthcare organizations.
The GDPR sets a new standard for data privacy: It affects any organization that processes EU citizens’ data, no matter where that data is being collected, processed, or stored. This gives the regulation an unprecedented scope, extending its reach to territories outside the EU and affecting organizations around the world, in whatever industry. For the healthcare industry — which requires varied types of personal data — it is an opportunity to improve systems, policies, and processes to stay ahead of any potential threat to institution and patient information.
Healthcare industry: a trove of personal data
The GDPR outlines stringent new policies for collecting, processing, and securing personal data. Healthcare organizations are in a vital position as they handle an entire spectrum of data — from financial records and health insurance information to patient test results and biometric information. Some of these data types are more sensitive than the typical information collected by non-healthcare organizations: They are uniquely linked to an individual and are mostly unalterable. For example, a person can create a new email address but can’t change their medical history or their dental records, making it a serious privacy concern if such data is stolen.
Apart from the general protections provided for personal data, the GDPR also defines three types of “health data” that require special protection: data concerning health, genetic data, and biometric data. These are classified as sensitive personal data, and the regulation generally prohibits any kind of processing of them unless explicit consent is given or very specific conditions are met. There are some exceptions: processing is generally permissible for assessing working capacity for employment, for the management of health or social care systems and services, or for reasons of public interest.
As healthcare organizations like private and public hospitals, medical device manufacturers, and health insurance providers manage personal data, including the special categories, their compliance with the GDPR requirements is critical. Healthcare organizations need to invest time and capital in changing their perspective and approach, not just towards the GDPR but towards cybersecurity as well. There are unique challenges that the healthcare industry faces, but there are also effective security solutions that will benefit an organization in the long run.
Compliance beyond the EU healthcare sector
Healthcare organizations outside of the EU should already be compliant with their local privacy laws, for example, with the Health Insurance Portability and Accountability Act (HIPAA) for organizations in the United States. However, the GDPR is a groundbreaking and far-reaching regulation. Previously enacted laws were concerned with regulating the organizations within their specific country or region. But now, data can travel quickly through channels that go beyond physical borders, so citizens of one country can have their personal data processed or stored in servers that are continents away. The GDPR has taken that, along with other technological advancements, into consideration.
This means that organizations across the world that do business with EU citizens need to revamp their data management policies in different ways. And even if an organization does not conduct business regularly with EU citizens, complying with the GDPR gives them a head start in data management and protection: Many countries and regions are catching up with the EU and implementing comprehensive policies or amending legislation to match the GDPR.
Healthcare organizations, in particular, will benefit from compliance even if they are not based in the EU. The healthcare industry has been a prime target for cybercriminals for years, with attacks ranging from business email compromise (BEC) schemes to data breaches. So complying with the regulation is favorable for healthcare organizations on many levels: They will avoid non-compliance fines, be better protected against hackers, have better protection for valuable customer and enterprise data, and have an advantage over other organizations that don’t offer clients the same level of security.
Data management challenges for healthcare organizations
Here are some specific areas that organizations in the healthcare industry should be concerned about.
Solutions and mitigation
To comply with the GDPR, as well as protect the sensitive personal data of patients and staff, there are steps healthcare organizations can take.
In general, the GDPR requires organizations to have “state-of-the-art” data protection, so installing tailored security solutions across networks and devices will help with compliance. But apart from that being a requirement, improving data protection and privacy will be beneficial for any organization. Healthcare, along with many other industries, is becoming increasingly reliant on data and analytics in order to provide better and faster services. Complying with data protection regulations is a responsibility that goes beyond geographical limits, especially for an industry that deals with the physical and emotional safety of individuals.
Trend Micro has the resources and expertise to help companies who are still on their GDPR compliance journey. Find out more about necessary state-of-the-art security on our solutions page. And for more information about the GDPR in general, our resource center has more information about the regulation.