cybersecurity & data challenges
TRANSCRIPT
CyberSecurity Essentials: Risks and How to Protect Your Company. Basic EU Legislation on Data Management
Health Data and Regulations
DIGITAL HEALTH SERVICE
Health data are "all data pertaining to the health status of a user". This includes ECG, weight and other biometric tracking data, blood pressure, healthcare payments, prescriptions, diseases and many more, together with user identifiers (including pseudonymous random numbers or dynamic IP addresses, which count as personal data whenever they can be linked back to a person). GDPR Art. 4(15) defines "data concerning health" as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's health status.
Health data is a special category of personal data under GDPR (Art. 9) and is therefore treated as highly privacy sensitive. Service providers are legally accountable for how they manage it: GDPR provides for administrative fines, and Member States may add criminal penalties in national law.
GDPR defines high-level requirements and principles that define WHAT must be done:
- Privacy and Security by Design
- Consent
- Right to data portability
- Right to be forgotten
- DPIA (Data Protection Impact Assessment)
- Data retention policy
- Sensitive data management

Companies must figure out HOW to implement the GDPR requirements with the help of security specialists. Each GDPR principle implies a set of practical requirements with administrative, technical and security implications:
- Data and application security requirements
- Technical implementation of data protection requirements
- Administrative requirements
The work of customers, partners and healthcare institutions: you need to identify HOW to implement the requirements.

Administrative/Legal
- privacy policy
- terms and conditions
- ensure data processing is legal
- internal documentation
- have a DPO for large-scale processing
- and many more

Data Protection
- risk assessments
- legally valid audit logs
- collect and enforce consents
- data portability
- right to be forgotten
- other GDPR and national requirements
- and many more

Security
- data encryption
- secure data transfers
- secure indexing for search
- API security (authentication and permissions)
- encrypted data backups
- disaster recovery and SLA
- and many more
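Four of the items above (data encryption, encrypted data backups, legally valid audit logs and the right to be forgotten) pull against each other in practice: once ciphertext has been copied into backups, "forgetting" a patient by deleting rows is not enough, and an audit log that anyone can edit proves nothing. The following is an added example, not code from the original slides or from any product they describe, showing one common way to reconcile them: every patient gets their own data-encryption key (DEK), records are stored encrypt-then-MAC, the audit log is hash-chained so edits are detectable, and erasure destroys the DEK (crypto-shredding) so every copy of the ciphertext, backups included, becomes unreadable. The class and method names, the in-memory key dictionary (a KMS or HSM in a real deployment) and the sample ECG record are all hypothetical; the HMAC-based XOR keystream is a stand-in used only so the example runs with the Python standard library, and is not a substitute for AES-GCM from a vetted library.

```python
"""Added illustration (not the page's own code): per-patient data keys,
encrypt-then-MAC record storage, a hash-chained audit log, and
"right to be forgotten" implemented as crypto-shredding. Standard library only."""
import hashlib
import hmac
import json
import secrets
import time

CHAIN_GENESIS = b"\x00" * 32


def derive_subkeys(dek):
    """Separate encryption and MAC keys from one per-patient data key (DEK)."""
    enc_key = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(dek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream over (nonce, block counter).
    Stand-in so the example runs without third-party packages; production
    code should use an authenticated cipher such as AES-GCM instead."""
    out = bytearray()
    for block_no, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class HealthDataStore:
    """Each patient's records are encrypted under their own DEK. Deleting the
    DEK makes every copy of the ciphertext, including offsite backups,
    permanently unreadable; that is what forget() relies on."""

    def __init__(self):
        self.deks = {}        # patient_id -> DEK (held in a KMS/HSM in production)
        self.records = []     # ciphertext + tag only: safe to back up and replicate
        self.audit = []       # append-only, hash-chained access log
        self._head = CHAIN_GENESIS

    def _log(self, actor, action, patient_id):
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "patient": patient_id, "prev": self._head.hex()}
        body = json.dumps(entry, sort_keys=True).encode()
        self._head = hashlib.sha256(self._head + body).digest()
        entry["hash"] = self._head.hex()
        self.audit.append(entry)

    def verify_audit(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        head = CHAIN_GENESIS
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != head.hex():
                return False
            head = hashlib.sha256(head + json.dumps(body, sort_keys=True).encode()).digest()
            if not hmac.compare_digest(entry["hash"], head.hex()):
                return False
        return True

    def store(self, actor, patient_id, plaintext):
        dek = self.deks.setdefault(patient_id, secrets.token_bytes(32))
        enc_key, mac_key = derive_subkeys(dek)
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(enc_key, nonce, json.dumps(plaintext).encode())
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.records.append({"patient": patient_id, "nonce": nonce, "ct": ct, "tag": tag})
        self._log(actor, "store", patient_id)
        return len(self.records) - 1

    def read(self, actor, record_id, records=None):
        """Decrypt one record; `records` lets a backup copy be read with the live keys."""
        rec = (self.records if records is None else records)[record_id]
        dek = self.deks.get(rec["patient"])
        if dek is None:
            self._log(actor, "read-denied", rec["patient"])
            raise KeyError("no data key: patient erased or unknown")
        enc_key, mac_key = derive_subkeys(dek)
        expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):
            raise ValueError("ciphertext or tag tampered")
        self._log(actor, "read", rec["patient"])
        return json.loads(keystream_xor(enc_key, rec["nonce"], rec["ct"]))

    def forget(self, actor, patient_id):
        """Right to be forgotten: destroy the key rather than chase every copy."""
        self.deks.pop(patient_id, None)
        self._log(actor, "erase", patient_id)


if __name__ == "__main__":
    db = HealthDataStore()
    rid = db.store("app", "patient-42", {"ecg_bpm": 71, "bp": "118/76"})  # constructed record
    backup = list(db.records)                       # an offsite copy of the ciphertext
    print("live read:", db.read("clinician", rid))
    db.forget("dpo", "patient-42")
    try:
        db.read("clinician", rid, records=backup)
    except KeyError as exc:
        print("backup unreadable after erasure:", exc)
    print("audit chain intact:", db.verify_audit())
```

Two design points matter for the compliance argument. The erasure itself is logged, so the audit trail can show when and by whom a patient was forgotten without retaining any of the patient's data; and the hash chain only detects tampering, it does not prevent it, so the chain head should be periodically anchored somewhere the application cannot rewrite (a write-once store or an external timestamping service) for the log to carry evidential weight.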
The work of companies, lawyers and security experts consists in identifying HOW to implement these requirements. The slide groups the three columns as: administrative requirements (Administrative/Legal), technical requirements to ensure compliance and security (Data Protection), and typical cloud (IaaS) guarantees (Security).
HIGHLY RISKY AND COSTLY
Implementing all requirements is risky and costly. Non-compliance can lead to huge fines and possible business problems. It requires time, resources and a lot of knowledge from developers and data experts.

KNOWLEDGE
It is hard to find security and compliance knowledge. In addition, security is not your core business.

RESOURCES
Learning curve, development, testing, maintenance, updates, reliability and uptime.

COSTS AND TIME
Time is money. Security and compliance expertise are expensive. Implementing in house can cost ~500K for a 5-year project.

HACKS
Health-sector hacks are up more than 800% since 2014.

FINES
Up to €20M (or 4% of global annual turnover, whichever is higher) for GDPR violations, for data breaches and non-compliance. In 2016, 35 companies were fined a total of £3.2M in the UK.

RISKS
NO GO! From hospitals, insurers or other customers due to non-compliance, lack of trust and failed security assessments.
Interoperability, secure data storage and legal compliance.

To consider:
- patient profiles
- data streams
- ECG measurements
- locations
- activity tracking

EU & HIPAA LAW COMPLIANCE
Global and EU compliance: compliance with current and forthcoming EU, Member State and US data protection and security regulations on healthcare (e.g. GDPR, HIPAA, ePrivacy).

DATA SECURITY
Encryption of data in transit and at rest, access control, data backups, audit logs, and many more to ensure security and compliance.

BE READY TO WORK WITH ANYONE
CE-marked or ISO 13485-certified medical software or devices. You will need to provide documentation, release updates and tests, which you must include in your Quality Management System to certify your medical product.
Risk assessments and documentation to enable you to work with hospitals and insurers, or to perform technical due diligence with investors.
REQUIRED: ISO 9001 & ISO 27001 CERTIFIED
WHY IS IT IMPORTANT?
Main takeaways:
• Think about data privacy from the outset, during the development phases
• Think global / compliance right away
• Know how to avoid data breaches and risk when manipulating data
• Data is an opportunity, but always a threat if not taken seriously