Guest Column | August 29, 2017

EU's General Data Protection Regulation Set To Disrupt The Medical Industry

Data Security

By Philip Piletic

When the European Union introduced its plan for regulating the processing of personal data, including by online Cloud services, to say it caused a major disruption would be an understatement. When I first wrote about this two months ago, most of the news concerning the EU’s General Data Protection Regulation (GDPR) focused on how it would affect companies such as Google, whose Cloud services are used by hundreds of millions, if not billions, of ordinary citizens globally. But what about the Cloud services that deal in medical data? A great deal of patient data is now handled via the Cloud.

GDPR In Brief

To the average person, the GDPR looks like a regulation aimed squarely at the IT industry, and that is as far as most people think about it. Nevertheless, IT is a part of every business imaginable, and Cloud services are very often used to deliver remote IT functions such as organizing Big Data and making it simpler for enterprises to digest. In reality the GDPR applies to any organization that processes the personal data of people in the EU, whatever its line of business.

The European Parliament adopted its position on the draft GDPR on March 12, 2014. The final text was published in the Official Journal of the EU on May 4, 2016 and entered into force 20 days later, on May 24, 2016. What confuses people is that it does not apply until May 25, 2018. That two-year gap gives companies time to prepare.

What companies outside of the EU must face is that they too are affected, even if the company sits in California, USA, because Cloud services are used globally. Example: I run ABC Data Analytics, which manages data for various types of companies, most of it their customers' personal data. If any of the companies I service are established in the EU, or the data belongs to people in the EU, then I am responsible for abiding by the GDPR, as a processor bound by the contract the regulation requires my EU clients to put in place.

Here are some requirements from the General Data Protection Regulation:

  • Data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (the data minimisation principle).
  • Data may be kept in identifiable form no longer than necessary for those purposes (storage limitation). Separately, individuals have a right to erasure, popularly called the “right to be forgotten.”
  • Personal data must be protected against unauthorized access, unlawful processing and loss. Here the regulation explicitly names pseudonymization and encryption of personal data, and the “ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” plays an important role.

For me, most of what the GDPR lays down is a welcome change, since companies like Google like to keep our data indefinitely whether we delete it or not.

How The Medical Industry Is Being Affected By The GDPR

The medical industry may be one of the industries hit hardest by the GDPR. Hospitals, clinics, dentist offices, and any other institution that deals in health, whether physical or mental, must comply with the following.

Right To Erasure (Fancy Talk For “Right To Be Forgotten”)

This covers health data that does not fall under the GDPR's exemption for scientific research: in practice, any health data collected commercially that is not considered scientifically important. It most likely covers many clinical trials as well, since most clinical trials are not purely scientific. Whether research that falls outside the scope of what is considered clinical research is exempt is not clear.

The right to be forgotten means that companies must be able to completely erase all personal data they process about a person upon request, and the same capability must exist at any contractor that processes data on their behalf or receives such personal data from them for any reason. This applies in particular when a person withdraws consent to processing, and under the GDPR withdrawing consent must be as easy as giving it.

Informed Consent Criteria

Risks related to a consent-based business model are considerably reduced by the GDPR's imposition of additional and onerous requirements for informed consent. This basically means no more unreadable fine print that nobody bothers to read because the words are so tiny: consent must be freely given, specific, informed and unambiguous, and it must be requested in clear and plain language.

Medical institutions, medical device manufacturers and vendors must now all spend time rewriting their consent processes and the wording of their privacy policies. Meaning: make the language easy for ordinary people to read so that they can make a sound decision on the matter. This rings especially true for those in the medical industry who treat their consent processes and policies as a cumbersome formality; they will run into problems if they aren't careful.

Tougher Security Requirements To Protect Patient Data

There was global panic as criminals used what is called “ransomware” to target not only private citizens (Mac users among them) but also hospitals and other institutions that are treasure troves of personal data. What made hospitals such prime targets is that life and death are at stake there, not just the financial information on someone's computer.

In May 2017 hospitals were gripped by a massive cyber-attack in which the “WannaCry” ransomware rendered hospitals virtually helpless. Medical services such as surgeries had to be cancelled or postponed until systems were back under control. This has brought the issue of keeping patient health data safe from such attacks in the future to the fore.

Concretely, the GDPR requires security measures appropriate to the risk, and it names pseudonymization and encryption of personal data, the ability to restore availability and access after an incident (redundancy and tested backups), and a process for regularly testing, assessing and evaluating the effectiveness of those measures; in practice that means regular penetration tests, intrusion detection and continuous review. Translated: get your cyber security game up. Companies in the business of data, whatever their function, must also report a personal data breach to the supervisory authority (the DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned; a processor must notify its controller without undue delay, and when the breach is likely to result in a high risk to individuals they too must be told without undue delay. “As soon as a breach is detected” is the right mindset: the 72-hour clock is a ceiling, not a target.
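As an added example (not code from the article or from any product it mentions), the following Python sketch shows how the right to erasure from the previous section and the pseudonymization and encryption measures just listed fit together in one design: each patient's records are encrypted under a per-patient key and filed under a keyed-hash pseudonym, so erasure is carried out by destroying the key (crypto-shredding) even if ciphertext lingers in backups or at a processor. It uses only the standard library; the HMAC-based keystream cipher is an assumed stand-in for a vetted AEAD such as AES-GCM, and the patient identifiers and records are constructed sample data.

```python
"""Pseudonymisation plus crypto-shredding for patient records (added example).

Standard library only. The cipher below (HMAC-SHA256 keystream in counter mode,
encrypt-then-MAC) stands in for a vetted AEAD such as AES-GCM, which is what
production code should use; the key and data flow is the point, not the cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the patient key
    # (HKDF would be the textbook choice; SHA-256 over label||key suffices here).
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    # Constant-time tag check; fails on tampering and on a wrong (or destroyed) key.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: record tampered or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PatientVault:
    """Toy data store: one pseudonym key, per-patient data keys, ciphertext records."""

    def __init__(self) -> None:
        # In practice the keys live in a key service or HSM separate from the
        # record store; holding both in one object is an assumption of the example.
        self.pseudonym_key = secrets.token_bytes(32)
        self.patient_keys: dict[str, bytes] = {}
        self.records: dict[str, list[bytes]] = {}

    def pseudonym(self, patient_id: str) -> str:
        # Keyed hash: deterministic, so one patient's records stay linkable
        # (e.g. for research), but unguessable without the key.
        return hmac.new(self.pseudonym_key, patient_id.encode(), hashlib.sha256).hexdigest()

    def store(self, patient_id: str, record: bytes) -> str:
        token = self.pseudonym(patient_id)
        key = self.patient_keys.setdefault(token, secrets.token_bytes(32))
        self.records.setdefault(token, []).append(encrypt(key, record))
        return token

    def read(self, patient_id: str) -> list[bytes]:
        token = self.pseudonym(patient_id)
        key = self.patient_keys.get(token)
        if key is None:
            raise KeyError("no data key: patient erased or never stored")
        return [decrypt(key, blob) for blob in self.records.get(token, [])]

    def erase(self, patient_id: str) -> bool:
        # Right to erasure: destroy the patient's key. Ciphertext may linger in
        # backups or at a processor, but nobody can decrypt it any more.
        return self.patient_keys.pop(self.pseudonym(patient_id), None) is not None


if __name__ == "__main__":
    vault = PatientVault()
    vault.store("NHS-4857773456", b"HbA1c 48 mmol/mol")  # constructed sample record
    print(vault.read("NHS-4857773456"))
    vault.erase("NHS-4857773456")
    try:
        vault.read("NHS-4857773456")
    except KeyError as exc:
        print("after erasure:", exc)
```

Two design points matter for an audit. First, the pseudonym key and the per-patient data keys should be held in a key-management system separate from the record store, so that a leaked database reveals neither identities nor contents. Second, because the tag check in `decrypt` also fails when the key is gone, erasure is verifiable: a processor that has destroyed the key demonstrably cannot recover the records, which is what a right-to-erasure request demands of it.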

Some companies may be gritting their teeth at the GDPR's stringent regulations, but as a fan of privacy, I think this is a step in the right direction. I mean, are there still a lot of governmental issues with privacy? You bet there are. But with this new move by the EU, at least it seems someone is at the very least trying to show they care. It's actually too bad it took massive, strict regulations before companies started taking these matters seriously.

About The Author
Philip Piletic’s primary focus is a fusion of technology, small business, and marketing. He is a freelancer, editor and writer in love with startups, the latest tech trends, and helping others get their ideas off the ground. I’d like to thank Praktika for their help with this article.