Why data security is critical for healthcare

After every major data breach, people wonder how secure their personal data is. They briefly panic about it, but within days they have forgotten. For companies, the story is similar. All too often, they are lulled into a false sense of security about their own data security policies. However, in healthcare, the risks are much higher. So, in this blog, we look at why data security is so critical in healthcare.

What is data security?

Data security or information security is the catch-all term for all the measures you need to take to protect the data you store. This covers everything from ensuring a thief can’t steal your server through to policies relating to user data access.

Physical requirements

Physical data security can be thought of like physically protecting your office. You install strong doors, locks, and maybe even shutters on the windows. For a computer, physical security covers several aspects. Data centres (where your cloud servers are physically located) have extreme physical security to prevent anyone from getting unauthorised access to your hardware. Modern servers include hardware security modules that mean that if you remove the hard drive, it will be unreadable in any other server. Certain aspects of network security also count as physical security, specifically the strong firewalls that most data centre and cloud operators offer.

Technical requirements

Technical data security approaches are analogous to things like burglar alarms, double-locking doors, 7-lever deadlocks, etc. In general, technical requirements are implemented in software. Probably the most obvious of these requirements is password protection and user management. More generally, this means what computer geeks call AAA (authentication, authorisation and accounting): checking who a user is, checking what they can do and then recording details of what they did. One thing to be really careful with is password storage: one of the most common data security gotchas is failing to properly protect your password file. The other major technical requirement is encryption. This helps ensure that the data is safe even if someone breaks into your system, either virtually or physically.

Administrative requirements

Administrative requirements for your office security typically involve things like visitor passes, rules about visitors being accompanied at all times, and maybe rules about locking your computer when you are away from your desk. From a data security standpoint, there are several things to consider. For a start, you will need policies relating to data access, passwords, etc. These need to be considered at the same time as you work out your technical user management measures. You may want to look into getting suitable certifications, such as ISO 27001. These will help ensure that you are taking the necessary data security steps.

Securing personal data

All the above steps apply to any data you store. However, some data needs stronger protections. Within the EU, personal data must be stored in compliance with the General Data Protection Regulation (GDPR). Many people think GDPR compliance just means all the annoying popups about cookies and agreeing to privacy policies. However, GDPR also adds some significant technical and administrative requirements, as summarised in the following table:

Technical              | Administrative
-----------------------|------------------------------------------
Consent tracking       | Data protection impact assessment (DPIA)
Audit trail            | Data processing agreement (DPA)
Right to be forgotten  | Privacy policy
Right of access        | Data protection officer (DPO)

How about health data?

Under GDPR, health data receives much stronger legal protections than other personal data. These have a particular impact on the technical measures you need to implement. For instance, you will need to pseudonymise your data – that means storing the sensitive health data and the identifying personal data in separate locations. At least one of these sets of data should be protected with strong application-level encryption.
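As an added example of the pseudonymisation the paragraph describes (illustration code, not Chino.io's product or code from the original post), the Go program below splits a patient record into an identity half and a clinical half, links them only by a random pseudonym, and encrypts the identity half with AES-GCM under an application-held key. The type names, the in-memory maps standing in for two database tables, the fixed key and the sample patient data are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Identity holds the directly identifying fields (constructed example data).
type Identity struct {
	Name        string `json:"name"`
	DateOfBirth string `json:"dob"`
	NationalID  string `json:"national_id"`
}

// HealthRecord holds the clinical data and deliberately carries no identifier.
type HealthRecord struct {
	Diagnosis string `json:"diagnosis"`
	Notes     string `json:"notes"`
}

// Store keeps the two halves in separate tables linked only by a random pseudonym.
// The identity vault is AES-GCM encrypted; the health table reveals no person on its own.
type Store struct {
	aead   cipher.AEAD
	vault  map[string][]byte       // pseudonym -> nonce || ciphertext
	health map[string]HealthRecord // pseudonym -> clinical data
}

// NewStore wraps a 16-, 24- or 32-byte key held by the application, not the database.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, vault: map[string][]byte{}, health: map[string]HealthRecord{}}, nil
}

// Admit files a patient under a fresh random pseudonym and returns it.
func (s *Store) Admit(id Identity, rec HealthRecord) (string, error) {
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	pseudonym := hex.EncodeToString(tok)
	plain, err := json.Marshal(id)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The pseudonym is bound as additional authenticated data, so a vault
	// entry copied into another patient's slot fails to decrypt.
	s.vault[pseudonym] = s.aead.Seal(nonce, nonce, plain, []byte(pseudonym))
	s.health[pseudonym] = rec
	return pseudonym, nil
}

// Health returns clinical data without touching the vault or the key.
func (s *Store) Health(pseudonym string) (HealthRecord, bool) {
	rec, ok := s.health[pseudonym]
	return rec, ok
}

// Reidentify is the only path from a pseudonym back to a person.
func (s *Store) Reidentify(pseudonym string) (Identity, error) {
	ct, ok := s.vault[pseudonym]
	if !ok {
		return Identity{}, errors.New("no identity on file for pseudonym")
	}
	n := s.aead.NonceSize()
	if len(ct) < n {
		return Identity{}, errors.New("vault entry too short")
	}
	plain, err := s.aead.Open(nil, ct[:n], ct[n:], []byte(pseudonym))
	if err != nil {
		return Identity{}, err
	}
	var id Identity
	err = json.Unmarshal(plain, &id)
	return id, err
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed; load from a secrets manager in practice
	s, _ := NewStore(key)
	p, _ := s.Admit(Identity{"Alice Example", "1980-01-01", "ID-0001"},
		HealthRecord{"Type 2 diabetes", "HbA1c review due"})
	fmt.Println(p, s.health[p].Diagnosis, len(s.vault[p]))
}
```

The clinical table can be queried or analysed without the key, and a copy of the vault shows nothing readable; re-identification needs both the key and the vault, and because the pseudonym is authenticated along with the ciphertext, an entry cannot be swapped into another patient's slot.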

What are the risks?

In every business, the CFO will want to see a good ROI before committing to spending any money. For data security, it’s all too easy to view it as wasted money. Potential customers often claim “we’ve got information security covered because we use AWS” or “Azure sorts all our data security issues”. However, even your cloud operator makes it clear that they are not liable for these things. So, how can you convince your CFO that spending money on this is essential?

Reputation and trust

Healthcare companies rely on their reputation and the trust of users. If you don’t protect your users’ data, you will lose their trust instantly. This will have a direct impact on your revenues and has the potential to drive you out of business. Even if the problem seems minor, bad headlines can cause significant harm. Equally, you can help build your reputation by highlighting the strength of your data security.

Under GDPR, companies face potentially huge fines – up to 4% of their global turnover for the previous year. In an industry where profit margins are only a few percent, this can make the difference between profitability and posting a loss. Over recent months, we have started to see more and more significant fines being imposed. And data protection authorities in many countries are proactively auditing companies to check for compliance.

What next?

Here at Chino.io, we are the experts in data security for healthcare. Our technology makes it easy to implement all the requirements for both HIPAA and GDPR. We offer expert advice and consulting to ensure you are storing all health data in a secure and compliant manner. Contact us now if you would like to know more, or download our eBook on building compliant digital health applications.