Complying with Data Protection Legislation and Meeting the Changing Needs

When globalization and the Internet grew, data started to travel through international borders. This free flow of data then created the need for regulations that governed various aspects of data collection, quality, security, and usage. In the 1980s, Organization for Economic Cooperation and Development (OECD) created the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Consequently, the laws have evolved since to tackle newer risks and changing needs.

The concept of data privacy has evolved over the years, while the word ‘privacy’ holds high significance now among the common man and businesses alike. In 2004, the U.S. government had decided to ensure that patient data was stored in an electronic health record system by 2014. Today, the digitalization of records has helped the healthcare industry serve its patients better. However, with this move, the need for privacy, confidentiality, and security became imminent as records were accessed by doctors, medical providers, pharmaceutical companies, and other family members. As digital exchange of information increased, several rules and regulations were established to govern the privacy of patient data. Over the years, several privacy acts have come into existence, including HIPAA, GDPR, CCPA, PIPEDA.

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect individuals’ health information. The Act prevents sensitive information pertaining to patient health from being disclosed without the patient’s consent or knowledge.
• General Data Protection Regulation (GDPR) came into existence in 2018. Created for data protection and privacy in the EU and EEA, GDPR is considered one of the most robust privacy laws in the world that aims to give EU citizens control over their personal data
• The California Consumer Privacy Act (CCPA) was established in 2018 to give consumers better control over the personal information collected by businesses.
• Personal Information Protection and Electronic Documents Act (PIPEDA) defines the roles for private organizations to collect, use, and disclose personal information.

However, the implementation of these laws does not guarantee complete data protection. These laws, while useful, are not comprehensive enough to cover the complexities of data privacy and management. With newer technologies such as Artificial Intelligence coming into play, the need for renewing privacy laws has become important now more than ever. It is observed that the existing laws, such as HIPPA, still have gaps with respect to security and privacy definitions.

In recent years, the healthcare industry has fallen victim to ransomware attacks and data breaches leading to loss of reputation, money, and trust. With the advancement in ICT technologies, healthcare providers offer better service to patients by digitally accessing their history through stored Protected Health Information (PHI), which includes the patient’s name and address, the medical treatment provided, medical conditions, social security number, etc. As confidential information is stored in a location accessible by different people, the risk for breach increases. Listed below are some of the different types of privacy risks for healthcare organizations —

• PHI risk – Frequent complaints include impermissible uses of PHI, lack of safeguards of PHI, and disclosure of more than the minimum necessary PHI to unauthorized parties
• System vulnerability risk – Use of old legacy system without proper security updates
• Firewall risk – Open access to data without proper authentication
• Cybersecurity risk – Malware and ransomware attack through phishing emails and malicious links

According to a recent report from Gartner, 50% of large organizations will adopt privacy-enhancing computations by 2025 for processing data in untrusted environments or multi-party data analytics use cases. While the path to complete data protection is being paved, it is crucial for organizations to focus on the best practices while remaining compliant. As one of the comprehensive privacy laws in the world, GDPR requires the appointment of a Data Protection Officer (DPO) to oversee the company’s data protection strategy and ensure compliance with the regulation. GAVS recommends:

• Regulatory compliance management – Compliance with data privacy laws helps protect the information stored within the system.
• Endpoint protection – Enabling multi-factor or dual authentication (MFA) ensures the data is always protected to avoid unauthorized access.
• Anomaly detection – Artificial intelligence can be leveraged to test for usage anomalies and alert concerned teams proactively.
• Disaster recovery – Create off-site data backup for faster recovery in case of malware or phishing attacks.
• Employee training – Educate employees across the organization through security awareness trainings to avoid human negligence, errors, or internal bad actors.

GAVS has also conducted a webinar, ‘Emerging Risks on Data Protection in Healthcare.’ To watch, click here.

GAVS offers a range of data privacy services and solutions designed to protect an organization’s information over the entire data lifecycle – from acquisition to disposal. To learn more about our offerings in the healthcare segment, please visit https://www.gavstech.com/healthcare/.

https://www.sciencedirect.com/science/article/pii/S1110866520301365
https://blog.rsisecurity.com/top-emerging-security-threats-in-healthcare/
https://www.gartner.com/en/newsroom/press-releases/2021-03-23-gartner-identifies-top-security-and-risk-management-t
https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance