GDPR: risks and rewards for the healthcare sector
It’s no secret that the healthcare industry is a leading target for cyber criminals. 2017 saw an exponential rise in data breaches affecting both healthcare providers and industry partners, with healthcare accounting for 25% of data breaches worldwide in the first half of the year (Experian).
The primary reasons for ransomware successfully attacking hospitals are a combination of aging IT infrastructure and weak IT security practices.
Recent Atos research among 40 US healthcare leaders about their organizations' cyber threat response capabilities bore this out, with three common themes emerging:
- Cybersecurity plans were not comprehensive,
- Uncertainty surrounds detection and recovery time and processes, and
- Employee training on IT security is a concern.
The threats are internal as well as external.
Mishandled information, disposal error and loss accounted for nearly a third of all data breaches in 2016. This highlights the need for organizations to implement a robust program of measures that addresses individual responsibility for data security.
The question is, how will GDPR change the securing of data in healthcare and will it have a positive impact on these challenges?
What does GDPR mean for the healthcare sector?
With the new General Data Protection Regulation (GDPR) being enforced as of 25th May, organizations will be faced with more areas of risk of non-compliance and the potential for significantly increased fines. This is especially the case for healthcare providers processing special categories of personal data, where the structure of care provision, the patient's data pathway and the various links in the patient data chain present a number of challenges that need to be managed.
Exploring the challenges
The risk profile of data protection has changed. Firstly, the financial penalties for non-compliance are now far more severe: the fines used to be a maximum of £500,000, but now could be up to €20 million, or 4% of turnover. Secondly, it will become much easier for patients to claim for any breach of the GDPR, and there are new requirements to tell data subjects about the misuse or loss of their data. So, with a long chain of information as part of the patient pathway, trusts must ensure diligence to mitigate the risks.
Being ready for GDPR
Organizations should be readying themselves to ensure their compliance with the new requirements of the GDPR by taking steps to understand their existing position.
It can help to carry out a readiness audit for your organization, providing an overview of any compliance gaps and then risk-rating those gaps against the likelihood of a breach becoming a claim under the GDPR. This should be accompanied by a list of recommendations to help you mitigate the risks of non-compliance.
There are also benefits to the new regulations…
Despite the risks, the GDPR should serve to ease the sharing of patient data across the health/social care divide and, consequently, make the whole patient journey more efficient. Not only this, but with patients now more interested than ever in their data, how it's used and where it can be viewed, there is the potential to harness this awareness and build rapport at the point of contact, creating opportunities for patients to get more involved with their health.
Now is an excellent time for those responsible for information governance within their trusts to highlight GDPR, its risks and opportunities, to their Boards.
Wise organizations will use the introduction of the GDPR to their advantage, as an opportunity to continue to move towards a value-based healthcare approach, where securing and maintaining data, as well as patient trust, will be crucial to the success of the industry and ultimately to improving outcomes for patients.