GDPR status check: Healthcare faces daunting challenges
After four years of preparation and debate in the European Union Parliament, the General Data Protection Regulation (GDPR) came into force in May 2018. Now, as the one-year anniversary of the most important shift in data privacy regulation in 20 years approaches, widespread changes are already being felt in the healthcare industry, which faces multiple challenges in protecting sensitive data.
The regulations mean the healthcare sector needs to rapidly deploy a more holistic approach to data management, especially since data concerning health is explicitly singled out for special treatment under the GDPR.
That’s particularly true as healthcare and other industries wrestle with GDPR compliance.
GDPR non-compliance a problem in healthcare
Jonathan Armstrong, a technology and compliance lawyer at London-based legal services firm Cordery, said there are still fairly concerning levels of GDPR non-compliance in healthcare.
“Healthcare has probably been worse with GDPR compliance than most sectors, due to historical lack of investment, as well as healthcare professionals believing they are doing special work and therefore don’t have to play by the rules,” Armstrong said.
He noted human error is still the biggest issue in healthcare, and said a lot of healthcare institutions have still not trained their people adequately.
“We’ve had cases where individuals fax — they’re still using fax machines, first off — medical notes to a hospice, but in the speed dial of the machine they’ve got the wrong number,” he said. “Nobody in the hospital owns changing the number on that machine.”
Armstrong said organizations would need to allocate more resources to building a robust data protection framework, one that drives radical changes in the way data is managed.
Data impact assessments need to be carried out, and the healthcare industry has to look much more closely at security; one of the most critical components is the triaging of security incidents.
“The health sector is not good at working out what is serious and what is trivial,” Armstrong said. “How does a hospital know which one is immaterial, versus one that is exposing thousands of patient records?”
Armstrong noted many healthcare organizations need to be more proactive in dealing with data security, which means mapping the incidents they have had so they know how to budget to prevent those breaches from happening again.
However, he warned there is also an acute shortage of good professionals working in healthcare data protection, and some hospitals have not hired wisely.
“You need a whole host of skills, particularly if you’re going to be the person triaging data security incidents,” Armstrong said. “A lot of hospitals put people with no training and background and say ‘Hey, you work out whether this is serious or not.’”
What healthcare has to do next
To ensure compliance with all aspects of the GDPR and avoid possible future sanctions, the healthcare sector needs to set up and undertake regular compliance reviews in order to identify and rectify issues.
“We’re going to see regulators checking that the work has been done — the Netherlands has already been sending questionnaires to healthcare providers,” Armstrong said.
He noted that’s likely to be a key feature of 2019, and these audits will hit the healthcare industry particularly hard, not only because of the type of data in question, but because the public cares so much about potential exposure of personal medical data.
“You can change your bank account, but you can’t change the fact that you had a triple heart bypass — you’re identifiable by your health data,” Armstrong said. “That’s a historical thing people have been concerned about here in Europe.”
One of the major impacts of the GDPR is that it extends the application of European legislation to companies outside the EU — for healthcare organizations in the United States that have business dealings across the pond, this will continue to have major ramifications.
“The main impact will be on the large U.S. healthcare providers that play in the European market — we’re going to see much more of these types of non-compliance issues where the larger operators have providers in EU and the process isn’t as good as it might be,” he said.
That issue also works in reverse.
“How are those providers in the U.S. dealing with me, as someone who carries GDPR rights with me?” Armstrong asked. “If I walk into an emergency room in New York, how are they handling my requests for medical records? That’s fairly consequential.”
Nathan Eddy is a healthcare and technology freelancer based in Berlin.