By Christopher Gerg, Datica CTO & CSO
Guest Blog Post
You’ve developed a healthcare application and started that business in the U.S. Check. You work with healthcare data of U.S. citizens. Check. You are in the early stages of funding and building your business. Check. So, what’s the big hoopla over the new European Regulation that goes into effect this month (May 2018) and what does that have to do with your business?
GDPR, which is an acronym for the General Data Protection Regulation, developed out of an effort to protect the data privacy of European citizens. Well, Europeans are over there; we are over here. Probably doesn’t apply to your business, right? Well, not so fast. GDPR will go into effect on May 25 and at that time will apply to the storage of all personal, individually identifiable data of EU citizens, which impacts healthcare providers, payors, life sciences and digital health companies located anywhere.
GDPR: Does it apply here?
Even small digital health companies in their earliest stages must consider scaling. Founders and corporate executives should continually think months and years ahead to how the company will grow and flourish. One component of that growth in healthcare is compliance. Complying with the exacting standards of HIPAA and HITRUST alone can be overwhelming, so should you worry about another regulation thrust on the industry even if you are not currently working in the EU? Consider the questions that will help you answer that:
● Are you contemplating working with EU healthcare providers?
● Do you think your business could ever expand to the EU?
● Do you employ any EU citizens? (This would bring the data you have on that employee into your HR and payroll records.)
● Considering your current product(s), is it possible that you could collect, control, store or manage EU citizens’ health data?
If the answer to any of those questions is a YES, then you need to quickly expand your compliance program and posture to minimize your risk.
Rolling the Dice on GDPR Risk
Penalties for violating GDPR are stiff. The costs range from $20 million to 4 percent of global revenue, whichever is higher. When you consider that either of those figures could sink most healthcare vendors today, you quickly understand the consequences of leaving compliance with this new EU regulation out of your top business initiatives.
As you evaluate GDPR compliance you’ll also want to pay close attention to the stricter breach reporting requirements under GDPR. The timeline for reporting breaches is a short 72 hours from first becoming aware of a breach. Compare that to typical breach reporting under HIPAA. Most breach reporting times outlined in Business Associate Agreements (BAAs) are on the order of days, weeks and even months, versus hours. Committing to a 72-hour breach reporting requirement will mean serious adjustments, both technically and operationally. Additionally, GDPR breach reporting is more prescriptive and aggressive than the requirements under HIPAA, or likely any other compliance framework. You’ll also find that the actual type of data covered differs between HIPAA and GDPR. The new EU regulation is concerned with “personal data,” which is a much broader scope than HIPAA’s sole concern with “protected health information (PHI).”
Health Data Access Under GDPR
Explicit consent is something you’ll quickly notice in the GDPR guidelines. Consent is needed for any data processing or access. Under GDPR, personally identifiable data can only be accessed in the following ways:
● With explicit consent from the individual
● For health and social care
● For public health (cross-border containment is the example here)
GDPR’s data access rules are focused squarely on consent, while health data access permissions and uses under HIPAA fall in the broader areas of 1) treatment, 2) payment, and 3) healthcare operations.
Another area of GDPR to carefully weigh when it comes to your business is how easy it will be for your business to comply with requests for access to, and deletion of, all that data. Healthcare data is extensive compared to other types of data, like payments. One of the long-standing strategies in the payment card industry has been scope reduction: consolidating and isolating the cardholder and payment data in as few places as possible to make protecting it easier. The opposite has been the case in the healthcare industry, which has been a challenge. Making the data usefully accessible has necessitated its proliferation throughout healthcare enterprises. Granting access to all personal health data, or having the ability to delete all health data, is a high bar to meet.
Data Protection by Design and Default
Security and compliance are often afterthoughts, or even perceived as unnecessary boxes to check. GDPR may quickly change that business thinking here and abroad. GDPR anchors risk assessment, analysis, and management to the entire lifecycle of products and services. In this way, it is more similar to HITRUST than to other, more industry-focused compliance regimes (like PCI-DSS). GDPR requires controllers and processors to conduct Data Protection Impact Assessments (DPIAs), which are essentially risk assessments. These DPIAs should be performed BEFORE the start of development work and repeated periodically throughout the lifecycle of a product to ensure data is protected and secure.
GDPR is about having security as a core tenet of operations. At Datica, we’ve made compliance and security part of our company DNA. GDPR will soon ensure security is a forethought versus an afterthought for every healthcare business. Changing the fundamental approach to healthcare business operations will become a marked improvement for the industry, once we get past all the angst GDPR is causing in the market today.
For more detailed information on GDPR, including details on the EU-U.S. Privacy Shield for companies that plan to bring health data from the EU back to the United States, please read the Datica GDPR Compliance Guide. You can also register for an upcoming Datica Webinar, “GDPR Regulations for Healthcare: Are you Ready,” on Thursday, May 24, 1:00pm CST.
Christopher Gerg is the CTO & CSO of Datica where he leads the entire engineering and security team. He is also an author of the O’Reilly Media book “Managing Network Security with Snort and IDS Tools.”