Helping healthcare meet GDPR requirements head-on
The arrival of the General Data Protection Regulation on 25 May 2018 brings big responsibilities to the healthcare sector.
For healthcare providers, insurance, pharmaceutical, biotech and technology companies and health-related charities, the way health data is managed, from collection through to disposal, is now under ever-greater scrutiny. Healthcare organisations need to prepare now to demonstrate compliance and avoid hefty penalties. Not only will they be obliged to demonstrate that they comply with the new law, but should they experience a data breach, the Information Commissioner’s Office (ICO) will be able to impose a fine based on a percentage of worldwide turnover or a fixed sum of up to €20 million.
What counts as health data?
Health data is defined by the GDPR as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.’
The definition goes further to include genetic data, biometric data and personal data obtained through specific technical processing relating to the physical, physiological or behavioural characteristics of a person, where that data could identify the person.
This health data will be subject to a higher standard of protection than personal data in general.
Where is our data?
Healthcare organisations will have to show that they know exactly where data is stored, how it is being processed and whether explicit consent has been given by the individuals it covers.
All public authorities must appoint a Data Protection Officer, keep records of all data processing activities and wherever high-risk data processing is involved, carry out a Data Protection Impact Assessment.
The healthcare sector will also need to change its approach to obtaining consent, which will need to cover as many potential transfers of health data as possible, including international data transfers and cloud storage.
Shining a spotlight
Under the GDPR, the ICO will continue to carry out investigations in the form of data protection audits and access all relevant premises to do so.
With the ICO reporting the results of 38 audits, visits and reports in the healthcare sector in the 12 months up to June 2016, and health trusts being highlighted for poor data security in recent months, every health organisation should prepare for the possibility of an investigation.
Fines are not new to the healthcare sector, with the highest fine to date in the UK at £325,000, imposed after computer hard drives containing patient personal data were stolen from Brighton and Sussex University Hospitals NHS Trust.
Health organisations experiencing a breach of data will be required to report the breach to a data protection regulator within 72 hours, and those affected by the breach will have to be informed.
The following practical solutions will help healthcare organisations minimise the risk of a data breach:
- Store safely. Storing data on encrypted USB and SSD devices can significantly reduce the risk of data being stolen or accessed illegally. SafeXS FIPS-approved encrypted USB storage sticks have been designed and developed within the EU, specifically for government agencies, to help reduce costs whilst still meeting high security requirements. The Safexs Protector 3.0 drive is loaded with security features to protect against unauthorised access and malware attacks. It is also the first drive to have the new Password Rescue functionality built in, allowing users to securely access the device in case of a lost password, without the risk of losing data.
- Lock it up. Laptops and other devices need to be locked when they’re not in use. Kensington’s mobile security products include laptop and mobile security locks, offering a new generation of front-line protection for mobile devices. Locks include the Microsaver retractable laptop lock, combination portable lock and ClickSafe Portable Combination Laptop Lock.
- Prevent ‘visual’ theft. Busy open office environments can mean patients, visitors, suppliers or employees are in the vicinity of data processing. This creates an opportunity for unauthorised individuals to view data on a screen or on paper. 3M’s range of privacy filters protect devices by blocking the view of the screen to all but the user, allowing people to continue working securely.
- Destroy data securely. One key practical aspect of the GDPR is data destruction. Secure destruction of sensitive paperwork, once it is no longer needed, is vital. Cross-cut shredders that can shred A4 sheets into hundreds of pieces should be in use anywhere confidential data may be held.
- Protect printers. Many modern printers scan, send and store potentially sensitive information, which can leave that data exposed. Individuals’ data should be encrypted or regularly erased on all printing and imaging devices, to reduce the chance of confidential details being accessed. To make sure sensitive documents in output trays cannot be retrieved by any user, all printers should require pull printing, so that a job is released only when the person who sent it authenticates at the device. Printer settings should be restricted to admin-only access, to prevent anyone who can reach the settings from abusing those permissions.
With Banner you can improve your healthcare data storage. To find out more, please email our healthcare team at health.team@BannerUk.com or download our B Guide to GDPR.