The digital revolution in the healthcare sector, most notably the digitisation and electronic storage of patient health records and data, is nothing new. Since the 1990s, Information and Communication Technology (ICT) has enhanced the quality of patient care, increased patient security and reduced operating and administrative costs for healthcare facilities globally. However, more recently, the COVID-19 pandemic has significantly accelerated the digitalization of the most sectors including healthcare by propelling an unprecedented deployment of digital health technologies within a very short period of time.
In fact, every second, an exponential amount of healthcare data is generated and mined for valuable insights. Today, approximately 30% of the world’s data volume is being generated by the healthcare industry. By 2025, the compound annual growth rate of data for healthcare will reach 36%.*
While such advancements offer a variety of positive outcomes in healthcare contexts, not least for patients and employees, they also create a situation where healthcare organisations are now prime targets for malicious attackers seeking to compromise systems, exfiltrate and sell patient data and disrupt the industry.
This all means that healthcare organizations have an ever increasing challenge in order to securely protect the integrity, confidentiality and availability of patient data, protect the fundamental rights of patients and staff; and achieve their commercial objectives. But how can those competing interests be appropriately balanced?
Where can data be found in healthcare settings?
Pharmaceuticals, hospitals, clinicians, healthcare service providers and most organizations (both public and private sector) in healthcare either store or process vast amounts of data. Much of this is personal data that identifies patients or staff and includes significantly sensitive health and medical records. Those tasked with securing that data and managing evolving privacy compliance requirements are faced with a number of priority areas for consideration, and answering their management’s demands for innovation, security and compliance. Some examples are listed below:
EHR:
Every patient has their own digital record which includes elements such as demographics, medical history, allergies, laboratory test results, etc. Records are typically shared via secure information systems and are available to providers from both the public and private sectors to enable a “single customer view” across the industry. Every record is comprised of one modifiable file, which means that doctors can implement changes over time with no paperwork and reduced danger of data replication, duplication or loss.
Real-time alerting:
In hospitals, Clinical Decision Support (CDS) software analyses medical data on the spot, providing health practitioners with advice as they make prescriptive decisions. For example, if a patient’s blood pressure increases alarmingly, the system will send an alert in real-time to the doctor who will then take necessary decisions and interventions to reach the patient and administer measures to lower the pressure.
Predictive analytics:
“Big Data” - involves taking huge volumes of the historical data generated in clinical and administrative settings to predict potential patient outcomes. This can include multiple sources from varied inputs and providers. A simple example of using predictive analytics could be identifying those who might be is at risk of diabetes and thereby advising them to make use of additional screenings or weight management.
Telemedicine:
Telemedicine isn’t new, but with the arrival of online video conferences, smartphones, wireless devices, and wearables over the last number of years, combined with the constraints imposed upon medical practitioners and patients during the COVID-19 pandemic, it been able to come into full bloom. The term refers to the delivery of remote clinical services using technology and is generally used for primary consultations and initial diagnosis, remote patient monitoring, and medical education for health professionals.
Some more specific uses include telesurgery – doctors can perform operations with the use of robots and high-speed real-time data delivery without physically being in the same location as their patient. Such use can be linked to the use of predictive analytics as seen previously. It allows clinicians to predict acute medical events in advance and prevent deterioration of patient conditions.
By keeping patients away from hospitals, telemedicine helps to reduce costs and improve the quality of service. Patients can avoid waiting in lines and doctors don’t waste time on unnecessary consultations and paperwork. Telemedicine also improves the availability of care as patients’ state can be monitored and consulted anywhere and anytime.
Staffing and admissions:
This is especially critical in public health systems where budgets, resources and the system itself are largely under stress on a regular basis. The use of HR analytics and admissions data to perform Patient Administration Systems pattern analysis can help public health officials and hospital administrators to identify trends, reduce re-admissions or even initial admissions through early primary care intervention.
Leveraging data insights is also critical to managing resourcing, minimizing costs, targeting resources to where and when they might be needed and help better manage absenteeism in an often highly pressured environment.
Who and what is behind the data?
How can healthcare organizations adopt ‘Privacy by design’ to improve security?
Protecting an individuals fundamental rights must be front and centre in the innovation process within healthcare settings. This means adopting an approach to privacy and data protection that involves the consideration of privacy protecting measures that do not take away from the desired
outcomes and improvements, but actually shape and advance them. This is what Privacy by Design is, and what regulations like the GDPR envisage with Data Protection by Design and Default.
Listed below are some approaches which borrow heavily from operational privacy programs, thoughts leaders and regulatory compliance requirements from all over the world:
1. Data oriented strategies (Privacy Design Strategies (The Little Blue Book): Jaap-Henk Hoepman January 27, 2020)
Minimize: Limit as much as possible the processing of personal data
- Select only relevant people and relevant attributes and process only that data
- Exclude people or attributes in advance. Do not process that data or immediately throw it away if you happen to receive it
- Strip Remove (partial) data as soon as it is no longer necessary. Set clearly defined and justifiable retention periods and ensure data gets automatically deleted as soon as this time expires
- Destroy Completely remove personal data as soon as they are no longer relevant. Ensure that the data cannot be recovered, even in unforeseen ways. Remove data from backups as well, and use secure ways to erase data from hard disks
Separate: Separate the processing of personal data as much as possible
- Isolate:Collect and process personal data in different databases or applications that are either logically separated, or actually run on different (yet still centrally located or controlled) hardware
- Distribute the collection and processing of personal data over different physical locations using databases and systems that are not under the control of a single entity. Use decentralised or even distributed system architectures instead of centralised ones
Abstract: Limit as much as possible the detail in which personal data is processed
- Summarise: Summarise detailed attributes into more coarse-grained, general attributes. For example, use an age category instead of a birth date, or a city of residence instead of a full address, whenever possible
- Group: Aggregate information about a group of people instead of processing personal information for each person in the group separately. Compile group profiles with average information concerning the members of the group
- Perturb: Do not process the exact value of a personal data item. Instead use an approximation of that value, or adjust the value with some random noise. For example, instead of reporting the exact current location of a person, report the location within some random distance from the real location.
Hide: Protect personal data, or make it unlinkable or unobservable. Make sure it does not become public or known
- Restrict: Restrict access to personal data. Only allow access to those who really need it (the ‘need to know’ principle). Make it difficult to accidentally share or leak personal data.
- Obfuscate: Prevent understandability of personal data to those without the ability to decipher it. Encrypt data so that it becomes unintelligible without the key. Hash personal data, e.g. to create a pseudonym.
- Dissociate: Break the link and remove the correlation between events, persons, and data. Remove directly identifying data.
- Mix: Mix personal data to hide the source or their interrelationships. Anonymise data. Hide data in a ‘cloud’ of other data. Break the correlation between two events, for example by not responding immediately. Collect a few events first, and then process them in bulk
2. Process oriented strategies (Privacy Design Strategies (The Little Blue Book): Jaap-Henk Hoepman January 27, 2020)
Inform: Inform data subjects about the processing of their personal data in a timely and adequate manner
- Supply: Supply information about which personal data is processed, how they are processed, and why. Clearly specify how long personal data is retained, and how it is deleted. List all third parties with which you share this personal data, be clear about the conditions that cover each third party data exchange, and specify how these conditions are enforced. Put a link to your privacy policy on your homepage, and in your app. Clearly indicate how people can get in touch with questions about their privacy
- Explain Explain which personal data you process, and why. Argue why this is necessary. Do this in a clear and easy to understand manner, even for a layperson. Target this information to different user groups: novices, experts, the authorities. Consider using a layered approach: first provide an overview, and provide links to more detailed information
- Notify Notify users (in real time) the moment you process their personal data, share it with third parties, or as soon as you become aware of a data leak. Prepare clear procedures for this. Make notifications short but informative. Be sure not to notify too often. Allow users to control for which events they wish to receive a notification
Control: Provide data subjects adequate control over the processing of their personal data
- Consent Ask users explicit consent to the processing of their personal data. Inform them beforehand exactly about which personal data will be processed, how they will be processed and for which purpose (‘informed consent’, see also the inform strategy). It should be possible to withdraw consent
- Choose Offer users a real choice: basic functionality should be accessible for people who do not consent to the processing of their personal data. Offer a (paid) alternative
- Update Offer users the means to review and update the personal data collected about them. A logical approach is to combine this with the approach that allows users to view the personal data collected (e.g. through a dashboard)
- Retract Offer users a means to retract (or to ask for the deletion of) their personal information. Again, this can be part of a privacy dashboard
Enforce: Commit to processing personal data in a privacy-friendly way, and adequately enforce this
- Create: The organisation should commit to privacy. Take responsibility. Create a privacy policy. Assign resources to execute this policy. Determine for each process the goal and the (legal) ground: is there a legitimate interest, or is consent required? Be clear about the business model.
- Maintain: Maintain the policy with all the necessary technical and organisational controls. Implement these controls. Assign responsibilities. Create an awareness campaign and train all personnel. Make sure third parties (processors) also comply with the policy.
- Uphold: Circumstances change. Verify the privacy policy regularly, and adjust its implementation whenever necessary. Establish prior criteria, and evaluate your policy against them
Demonstrate: Demonstrate you are processing personal data in a privacy-friendly way.
- Record: Document all (important) steps taken. Record decisions, and motivate them. Collect system logs (and respond to anomalies)
- Audit: Audit the logs regularly, but audit also the organisational processes in general, and the way personal data is processed within the organisation.
- Report: Report the results of such audits to the Data Protection Authority (DPA), or keep them for later reference. Consult, when possible, the DPA regularly.
3. Embed compliance by design (A risk-based approach to compliance with regulations like the GDPR)
Privacy by design is an approach that seeks to ensure protection for the privacy of individuals by proactively embedding privacy into the design and operation of network systems, infrastructure, and business practices and processes. It ensures the intentional design and implementation of essential privacy safeguards from the outset and directly improves both financial and operational efficiencies. This is also known as a 'shifting left' approach to privacy and data protection. Ways organizations can embed privacy by design in their organization include:
- Data Protection Impact Assessments
- Privacy checklists and checkpoints in the development cycle
- Automated privacy code analysis
- Technical reviews of system security and privacy measures
4. Embed privacy culture (A risk-based approach to compliance with regulations like the GDPR)
Much like when you embed privacy in your systems and technologies, when you embed it in your organizational culture, you end up with a structure that protects privacy by default while enabling you to use your data to its fullest potential.
As put by our partners in the IAPP: "It’s important to remember that privacy laws are written by people who don’t know your business. The result is that compliance-focused privacy programs often struggle to engage with stakeholders across the business who may have strategic goals that appear in conflict with protecting personal data.
A culture of privacy provides a shared understanding of how personal data can and should be used to support broader strategic objectives. This improves the ability of the privacy program to execute and drives alignment with other teams, increasing their understanding of and desire to support the achievement of privacy goals. All these lead to the biggest benefit of all: getting the highest and best use out of your data — both for your organization and individuals."
Ways organizations can create a culture of privacy throughout their organization:
- Privacy must be a board-level mandate
- Tailored training for staff
- Targeted assessments of awareness
- Awareness campaigns to refresh, reinforce and sustain awareness amongst all staff
BSI's Privacy Practice have collated a range of materials highlighting the importance of respecting privacy, helping you to protect the integrity of your systems, safeguard your data and enable trust in how you manage privacy on a day-today basis.
