GDPR - Is healthcare ready?
The General Data Protection Regulation (GDPR) is set to be implemented across Europe. From outdated technologies and processes to the way in which patient care is delivered, technology and healthcare providers alike are seeking to overhaul traditional ways of working to ensure healthcare becomes increasingly connected and patient-centric.
However, the arrival of GDPR is set to add further complexity on a number of fronts.
“GDPR will impact nearly all organisations with operations in the EU, but healthcare organisations will be affected more than most. Special category data, which includes information about an individual’s health and treatment, may only be processed within strict compliance rules. Safeguards around keeping individuals fully informed, sharing data with others, and maintaining data securely are increasingly difficult for highly sensitive information. Particular issues are set to arise for healthcare organisations as they update their policies and procedures around the collection, storage and use of patient data.
“Recent worldwide cybersecurity attacks hit many healthcare organisations hard. GDPR will place additional requirements on organisations in various areas, from requiring built-in technical and organisational data protection from the outset, to maintaining appropriate levels of security and data hygiene, to keeping tabs on outsourced processing. These requirements will drastically increase the demands on organisations to maintain effective cybersecurity policies. This will apply to healthcare establishments all the way through to providers of services using connected devices and apps.
“A pillar of the reform being brought in by the GDPR is transparency,” she continues. “Individuals will need to be given clear and specific information about what is being done with their personal information. Providers of connected devices and apps will need to fully disclose what the service provider intends to do with collected data. Broad statements like ‘we may use your personal data for research purposes’ buried within lengthy terms and conditions are no longer acceptable. More definitive information will have to be provided. Further still, where children or vulnerable adults are concerned, information will need to be provided in a way that is accessible to them.”
Andrew Earnshaw, healthcare expert at PA Consulting Group, further highlights the complexities of (and need for) increased data sharing across the industry. “GDPR has reinforced key complexities of data sharing in a shared care record, most notably the concept and mechanisms surrounding data sharing consent and opt-outs,” he says.
“The GDPR is an important consideration for all organisations and the National Health Service (NHS) is no exception. The NHS already adheres to a range of additional Information Governance (IG) regulations and policies that have existed long before the GDPR was considered – some of which are more stringent than the GDPR.
“However, one of the more complex elements reinforced by the GDPR is the mechanism of consent – especially the need for clear affirmative action (opt-in rather than opt-out), clear explanations of the terms of consent, and the new requirements surrounding parental consent for children – particularly as the definition of a minor in the UK is set to be 16.
“Shared care records mix direct care uses with implied consent exceptions with secondary care uses, which will now require explicit affirmative action,” he continues. “In many cases, the GDPR presents an opportunity to raise the awareness of IG across the NHS to improve patient care.”
With over 20 years’ experience in cyber security issues within the public sector, Graeme Stewart, Director of Public Sector UK&I at Fortinet, notes the ways in which the industry will be challenged on data protection.
“The NHS faces data protection challenges which are not only presented by the transition from paper to electronic, but also by the rapid pace of the technological changes available to it. Some technical examples are incorporating virtualisation and cloud computing.
“In the last decade, transformation was about taking existing processes and making them online (mirroring the e-Gov programmes across Local and Whitehall Government). Now, the opportunities offered by tech are such that NHS IT security has a much bigger job, as they need to secure the entire infrastructure supporting the delivery of critical clinical applications and protect all data.
“A medical record is worth 10 times a credit card number on the black market, making it a very valuable target. It’s no wonder that 34.4% of all breaches worldwide are hitting the healthcare industry.
“From digitising patient records to medical devices and wearables, all these are expanding the attack surface,” he continues. “The diverse nature of healthcare enables different devices to access the Internet (even though they are not designed for this), making them easy targets, and many outdated applications and systems don’t include security as a priority.
“Whether or not the NHS will be subject to the same stringent fines as businesses under GDPR remains to be seen. However, austerity across the organisation will certainly make it more difficult for the NHS to reach GDPR compliance.”
Simon Townsend, CTO, EMEA at Ivanti, works with a number of NHS and healthcare organisations, including the Arden & GEM Commissioning Support Network and The Priory. He has echoed Stewart’s thoughts surrounding the underlying technological challenges the NHS is presently facing.
“The NHS is relying on legacy systems, so they are completely under-equipped for a cyberattack, and for this same reason they are also unprepared for the in-depth compliance requirements of the GDPR.
“The post-breach reporting process requires organisations to demonstrate how they were prepared for a data breach, but then why the attack got in anyway; they also need to communicate with all customers (or patients) affected, articulating a remediation plan; they need to run through their remediation plan, fix the breach and lock down all leaked data; and they also need to provide an in-depth report to the relevant ‘supervisory authority’ of their EU member state.
“All in 72 hours. This simply isn’t possible if, as in the case of some trusts, you’re relying on an operating system that hasn’t seen a release for sixteen years,” he says candidly.
“WannaCry was so damaging as some trusts were using unpatched Windows 7 systems and some were using completely unsupported Windows XP systems.
“The reason for this is political. In 2004, the Office for Government Commerce signed a deal with Microsoft to provide all desktop software within the NHS – from operating systems to Office programmes. The NHS had the latest of everything and were kept secure and patched up with help from Microsoft. Then, in 2010, around the time that the austerity period began, the government scrapped the agreement. The NHS had been using £270mn worth of Microsoft software for less than £65mn a year, so were unable to cope, and individual trusts were effectively left to fend for themselves.
“Post WannaCry, the NHS did sign a new agreement, specifically for cybersecurity, with Microsoft – the custom support agreement and Enterprise Threat Detection Service (ETDS) provided the NHS with patches and updates for all existing Windows devices operating as XP, Windows Server 2003 and SQL 2005,” he continues.
“However, in January of this year, it was exposed that only 2% of the NHS had actually deployed the ETDS. The latest update is that all NHS trusts tested for vulnerabilities by the civil service didn’t meet standard requirements, meaning that they are most definitely not ready to face another attack like WannaCry.
“Ultimately, individual NHS trusts do not have the time or budget to upgrade their systems so that they are prepared for a cyberattack or the repercussions threatened by the GDPR. The solution has to come from the top, and ideally would come in the form of a similar licensing agreement to the one that was scrapped in 2010. Austerity or not, the NHS needs up-to-date devices and systems in order to cope with the modern technology landscape, or a lot of money and even lives could be at stake.”
James Kilmister, Director for Health and Care at Civica, has stated that although many principles of GDPR are well understood, the sector will continue to face unique challenges in the storage of confidential data.
“A person’s right to be forgotten could conflict with the legal requirement to retain data following a patient's, or resident's, discharge or death,” he says.
“It is a legal requirement for all healthcare providers to retain records for a prescribed period in case of query. This will need to be tracked closely to ensure both that the record is not disposed of prematurely and that the subject is not denied a disposal when it is valid to do so. This is further complicated by the different rules which may apply in different regions of the UK. For example, retention rules could be different in Scotland, when compared with England and Wales.
“A further complication is that in healthcare, a subject access request may not always be coming from the subject themselves. Power of attorney is commonplace, and for children this needs to come from a parent or an authorised adult. Suitable processes will need to be in place to ensure personally identifiable data (PID) is only made available to authorised persons,” he adds.
“We also must not forget that all health services are locally inspected. Even where data is held securely on centralised systems, there will almost certainly be patient identifiable data (PID) held in local storage, probably in hard copy. Organisations will need to maintain an accurate inventory of all their PID sources, whether electronically or on paper. This will ensure that where a subject access request is forthcoming, or a disposal request received, they are able to provide total coverage for all sources of data.
“Healthcare providers need to have a firm strategy in place to ensure they comply with regulation, taking this all into consideration.”
GDPR will also significantly affect the pharmaceutical sector, in more ways than one.
“New big data rules threaten effective drug development. Pharma companies’ ability to run efficient clinical trials is in danger of being seriously compromised not only by GDPR but also by a hardening of attitudes on data privacy globally,” he explains.
“Successful trials rely on participants having the confidence that their role and the information they provide will be confidential, while pharma companies need the reassurance that data privacy is being respected and that therefore the information, data and feedback they receive is as reliable as possible.”
Bara Mustafa, Data Protection Officer at blockchain healthcare company, Medicalchain, has further outlined the potential ramifications of GDPR:
“GDPR will have a huge impact on healthcare organisations, particularly large hospitals which typically have as many as 500+ different systems holding patient data. Aside from the operational challenges of hosting so many different processes and systems, it is likely that any data relating to health will be subject to an even higher standard of protection than other forms of personal data, particularly with regard to patient consent.
“There are three key areas, which will be heavily impacted by the advent of GDPR,” he explains:
1. Purpose & Consent
“Organisations will be required to ensure data is only collected for a specified and legitimate purpose, and processing that data is limited to that purpose alone. In most cases, the organisation will require explicit permissions from the individual to collect, store and process that data.
2. Subject Access Requests
“Individuals will have the right to see what data is stored on them. This has the potential to impact healthcare providers and organisations most dramatically, as patients will be able to submit requests for the data that is stored about them within the organisation. The request can be made in any form and to any person within the organisation (reception, email, etc.) and organisations are not allowed to redirect the individual, for example, by providing a form online.
“Time limits are set on how long an organisation has to respond to the requests and requests must be dealt with at no charge to the individual.
3. Data Breach Notification
“Under GDPR, organisations will have to inform the Information Commissioner’s Office and the data subject of any high-risk breach within defined timeframes. Organisations will have to ensure the correct level of protection for data they hold (for example, by utilising encryption) and should have policies and practices in place to ensure that only authorised parties have access to the data.”