Do you know what can happen if you share clinical information about your patients via non-encrypted messaging systems? The amendment of the European Data Protection Directive has opened a new avenue in developed countries, with data confidentiality and security as the main protagonists. Health data is covered by the provisions added by the European Data Protection Regulation (GDPR) because of its sensitive nature. The GDPR has the same provisions as the US Health Insurance Portability and Accountability Act (HIPAA).
Europe and the United States have taken the first steps to safeguard their citizens’ data. Both have stringent regulations that guarantee the confidentiality of this data and its secure exchange. These regulations cover healthcare professionals as well as citizens, establishing both jurisdictions as pioneers in a challenge that other nations will join.
Data Security: A Physician’s Necessity
Under this premise, the Spanish start-up MedLab Media Group (MMG) has created MedsBla. The objective was to provide healthcare professionals with security and confidentiality of information. MedsBla is more than an instant messaging application; it is about providing healthcare professionals with a private workspace. MedsBla provides a corporate environment that lets you stay in contact with other colleagues in your profession. The app guarantees confidentiality and the absolute security of information in accordance with European and American regulations.
“We realised that the doctors had a very important, obvious need. They could not exchange sensitive information with their colleagues. We wanted to create a secure, reliable and agile messaging system. We have achieved it; MedsBla offers them the safe environment they were looking for”, says Alberto Cueto, Product Owner of MedsBla.
According to Ricardo de Lorenzo y Aparici, managing partner of the New Technologies Area of Lorenzo Abogados, “It is vital that the messaging service used complies with the obligations of Regulation (EU) 679/2016. This is the leading regulation for organisations residing or providing services to residents of the Member States of the European Union”.
Reduces infrastructure costs
MedsBla fulfils an acknowledged need expressed by the health professionals themselves, thus responding to the demand of the medical collective. Until now, doctors worked with tools virtually exposed to cyber attacks. MedsBla protects the data of healthcare professionals and their patients. It allows healthcare organizations to be more effective and efficient. MedsBla can identify users’ needs as they arise and provide smart solutions. It also makes a wide range of personalized, effective tools available to any professional, regardless of their geographical area.
“In the United States, hospitals prefer messaging systems limited to their environment because they didn’t have a global solution. MedsBla is now that global solution”, says Oleg Vorontsov, CEO of MMG.
In the future, doctors will remain vulnerable if they do not make a firm commitment to the protection of health data. As Kaspersky acknowledges, there is currently a high level of unprotected medical information. In an investigation, the company detected that more than 1,500 devices used to process patient images were openly accessible. A significant number of web applications also had exploitable vulnerabilities. An exploit is code that takes advantage of a security weakness in a system.
As long as health organizations don’t take action, unencrypted information will continue to attract cybercriminals. We all remember the impact of WannaCry. According to Kaspersky, it is one of the most memorable cyber attacks. For 4 days, WannaCry disabled more than 200,000 computers in 150 countries, including critical infrastructure. In some hospitals, WannaCry encrypted all devices, including medical equipment.
Sensitive data available to cyber criminals
A novelty of the new European regulation is that it includes genetic and biometric health data, all of a unique nature. For this reason, such data is subject to more restrictive conditions regarding its use, according to Govertis Advisory Services.
In recent months, there has been a lot of buzz around the tightening of data surveillance. But doctors are mostly unaware of the dire implications. They may be resolving queries with applications that do not fall under the umbrella of GDPR or HIPAA.
Ease of access to new tools has led some professionals to make their inquiries via mobile. Increasingly, doctors share information with their colleagues without thinking about the cybersecurity or ethical implications.
The introduction of communication technologies is a breakthrough in medicine. It is, however, important to be cautious with the use of this technology. Instant communication systems allow promptness, but making a medical consultation in this way can unknowingly lead to security leaks that go against the GDPR.
Juan José Rodríguez Sendín, president of the Commission of the Spanish Medical Collegiate Organisation (OMC), stated: “This is a very clear question: Deontology does not make a medium safe or unsafe. Every doctor knows that clinical information is highly sensitive, so using tools that don’t guarantee the protection of this data is a risk that can be condemned. It is not justified deontologically”. Rodríguez Sendín acknowledges that sometimes doctors are unaware that they are committing an illegal act. “They live in past times,” he adds.
Many of these messaging services are global platforms exposed to computer attacks. In July 2018, the personal data of at least 1.5 million Singaporeans were stolen. Among the stolen information were the medical reports of about 160,000 patients. The cyber-attack accessed the database of national health institutions and seized all of their sensitive information.
The report by the Ponemon Institute reveals that digital medical records fetch an attractive price among cybercriminals. Their black market value is 50 times higher than that of credit card data. Ponemon’s latest published report confirms that, for the 8th consecutive year, healthcare organizations bore the highest cost of data theft of any industry. It reached $408 per lost or stolen record, nearly three times the cross-industry average ($148).
In this context, health organizations must consider the need to join European and U.S. initiatives. They must strengthen security while exchanging health information. If this is not observed, the consequences are grim, not only for healthcare professionals and patients but also for the organizations’ management.
As Ricardo de Lorenzo y Aparici explains, “There are still health professionals who, despite restrictive security policies with the entities with which they have an employment relationship, without even knowing it, continue to violate data protection”. Although it is not possible to generalize, “There are many professionals who, within the scope of their competencies, continue to self-manage their personal data with programs that are not even reviewed by the IT Department. With the European data protection regulation, these habits should be avoided,” he says.
Encryption of conversations and files
Ricardo de Lorenzo y Aparici affirms that applications such as WhatsApp, “are rapidly up to date due to the sanctions they receive from the Spanish Data Protection Agency (AEPD)”. “These sanctions are due to non-consented transfers of personal data that exist between this tool and Facebook, both owned by the same organisation.”
The AEPD managed more than 10,500 claims in 2017 and has imposed historic sanctions, such as the one filed against Google for €900,000 for infringements of the LOPD (the law prior to the GDPR). It also imposed a fine of €1.2 million on WhatsApp and Facebook for ceding personal data without consent.
It is important to point out that, with regard to health data, only the conversations between the interlocutors are encrypted, not the sending of files or images. Hence, he stresses, “we may be violating data protection by using this tool as a method of corporate communication.”