How GDPR applies to cybersecurity in healthcare

GDPR stands for General Data Protection Regulation. It is a set of laws put in place to protect the data of EU citizens. The introduction of GDPR increased the level of data protection needed and required businesses to handle data more securely. Previously, industries were regulated with a mishmash of different laws and regulations. GDPR was introduced to bring together one set of laws that are applicable to all EU citizens. GDPR applies to any organization processing EU citizen data, so it applies not only in EU countries but in any country that may come into contact with EU citizen data. Some therefore see it as a global regulation.

Before GDPR came into force in May 2018, healthcare organizations already had many different data practices and policies in place to ensure the security of patient data. Let’s take a look at the main GDPR rules that apply to the healthcare industry, and how technology can help healthcare organizations ensure they are compliant.

Personal data definition

The definition of personal data was widened as part of the GDPR regulations. Personal data is considered any data that can identify an individual. As part of the GDPR law, personal data is categorized into three areas relevant to the healthcare industry. These are key areas that compliance officers need to be aware of within the healthcare industry, as personal data must be protected as part of GDPR law.


  • Health data – any information about a person’s health, including any diagnosis, treatment, or medication the individual may be taking, now and in the past.
  • Genetic data – any test details, information on characteristics or genetic conditions, family information and genetic predispositions.
  • Biometric data – fingerprints, scans, any physical characteristics, or behavioral characteristics.

Access and the right to be forgotten

Under GDPR regulations, patients can request access to the data that a healthcare organization holds on them. Once requested, the company has 30 days to respond and provide the data, or a reason or exception as to why they cannot provide it. Hospitals and other healthcare providers hold vast amounts of data on patients, especially in the case of patients with a long medical history. Being able to provide a response to these requests within the GDPR timeframe can cause issues for some healthcare providers. NHS England provides detailed information about their GDPR compliance, including the right to access data. This notes that in cases where accessing the data may cause serious harm (physical or mental) to the person requesting access or to other individuals, it can and will be denied[1].

In addition to data access, patients have the right to be forgotten. This right to be forgotten can cause issues for healthcare organizations that hold valuable data. Healthcare professionals must be able to identify the data that can and cannot be erased[2], and they must also have the technology in place to locate and permanently erase this data.

Healthcare providers need to be prepared for patients’ requests to exercise their right to access their own data and their right to be forgotten. They must have the technology and resources in place to deal with these requests quickly in order to comply with GDPR laws.


[2] There are specific circumstances where health data cannot be erased for special category data. This is the case when the data processing is mandatory for public health purposes or occupational medicine.

Failing to comply with GDPR

If a healthcare organization fails to comply with GDPR the consequences are large fines. The fines can reach up to 20 million euros, or 4% of the company’s turnover. In addition to the large fines, GDPR laws make it far easier for patients to claim for a breach of their data. Healthcare organizations are also legally obliged to inform patients if their data has been lost, misused, or stolen, further increasing the likelihood of patient claims.

What can healthcare companies do to comply with GDPR?

Proactively minimizing cybersecurity threats has become critical in order to protect patient data, comply with GDPR regulations, and avoid large fines.

At Atos we have several end-to-end technological solutions to actively prevent cybersecurity issues in the healthcare industry. We can implement solutions to ensure data is correctly secured, but available to be accessed when needed, complying with GDPR regulations. You can find full details of our solutions in our healthcare cybersecurity whitepaper.

Our solutions include:

  • Identity and access management
  • Digital signatures
  • Cloud security
  • Trusted digital identities
  • Connected medical device security
  • Advanced detection and response

These are just a few examples of how Atos can help protect patient data and improve cybersecurity in compliance with GDPR regulations. Find out more information on our end-to-end healthcare cybersecurity solutions or contact our healthcare team.
