GDPR: risks and rewards for the healthcare sector

Posted on: May 2, 2018 by Ruud van der Loo

It's no secret that the healthcare industry is a leading target for cyber criminals. 2017 saw a sharp rise in data breaches affecting both healthcare providers and industry partners, with healthcare accounting for 25% of data breaches worldwide in the first half of the year (Experian).

Ransomware succeeds against hospitals primarily because of a combination of aging IT infrastructure and weak IT security practices: unpatched systems and medical devices that cannot be taken offline, flat networks, and staff who have not been trained to recognize phishing.

Recent Atos research among 40 US healthcare leaders about their organizations' cyber threat response capabilities bore this out, with three common themes emerging:

  • Cybersecurity plans were not comprehensive,
  • Uncertainty surrounds detection and recovery time and processes, and
  • Employee training on IT security is a concern.

The threats are internal as well as external.

Mishandled information, disposal errors and lost devices or records accounted for nearly a third of all data breaches in 2016. Not every breach is a sophisticated attack; many are the result of ordinary staff handling data carelessly. This highlights the need for organizations to implement a robust program of measures that addresses individual responsibility for data security, alongside the technical controls.

The question is, how will GDPR change the securing of data in healthcare and will it have a positive impact on these challenges?

What does GDPR mean for the healthcare sector?

With the new General Data Protection Regulation (GDPR) being enforced as of 25 May 2018, organizations will face more areas of non-compliance risk and the potential for significantly increased fines. This is especially the case for healthcare providers, which process special categories of personal data (data concerning health falls under Article 9 of the GDPR). The structure of care provision, the patient's data pathway and the many links in the patient's data chain, from the referring practice through the hospital to social care and third-party processors, each present challenges that need to be managed.

Exploring the challenges

The risk profile of data protection has changed. Firstly, the financial penalties for non-compliance are now far more severe: under the previous UK Data Protection Act the maximum fine was £500,000, but under the GDPR it can be up to €20 million or 4% of global annual turnover, whichever is higher. Secondly, it will become much easier for patients to claim compensation for any breach of the GDPR, and there are new requirements to tell data subjects about the misuse or loss of their data: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them. So, with a long chain of information as part of the patient pathway, trusts must be diligent in mitigating the risks, including the risk that sits with their suppliers and processors.

Being ready for GDPR

Organizations should be readying themselves to ensure compliance with the new requirements of the GDPR by first taking steps to understand their existing position: what personal data they hold, where it flows, who processes it and on what legal basis.

It can help to carry out a readiness audit for your organization, providing an overview of any compliance gaps and then risk-rating each gap by the likelihood that it leads to a breach, a complaint or enforcement action under the GDPR. Accompanying this should be a prioritized list of recommendations to help you mitigate the risks of your non-compliance.

There are also benefits to the new regulations…

Despite the risks, the GDPR should serve to ease the sharing of patient data across the health/social care divide, because a clear, documented legal basis and consistent rules on both sides remove much of the uncertainty that currently blocks sharing, and consequently make the whole patient journey more efficient. Not only this, but with patients now more interested than ever in their data, how it's used and where it can be viewed, there is the potential to harness this awareness and build rapport at the point of contact, creating opportunities for patients to get more involved with their health.

Now is an excellent time for those responsible for information governance within their trusts to highlight GDPR, its risks and opportunities, to their Boards.

Wise organizations will use the introduction of the GDPR to their advantage, as an opportunity to continue moving towards a value-based healthcare approach, where securing and maintaining data, and with it patient trust, will be crucial to the success of the industry and ultimately to improving outcomes for patients.

Read more on emerging megatrends, business transformation opportunities and technologies that will steer healthcare systems forward in the years ahead in our Look Out 2020 + Healthcare report.

About Ruud van der Loo
Vice-President Global Head Healthcare Market at Atos
Ruud is Vice-President Global Healthcare Market at Atos and has worked for the company since 2008. Ruud has a clear vision of the benefits of digital transformation in healthcare and life sciences. He has worked with senior executives in healthcare around the world on how to use technology to withstand the challenges they face in a fast-moving world and to adopt speed, agility and flexibility. The Atos Healthcare program is set up to power the shift to precision medicine by leveraging digital shockwaves such as optimizing real-time clinical delivery and orchestrating collaboration and tele-health. Ruud has a long track record in healthcare IT services, with more than 20 years in senior executive management positions. In those roles he has gained vast experience in developing national and international strategies and sharing best practices. Ruud is a strong believer that IT plays an important, maybe even the most important, role in the transformation to value-based healthcare.