Few industries find themselves with as many rules, regulations and standards as the healthcare sector. Perhaps only finance is required to devote the same level of resource to ensure that procedures set out by local, regional and international governing bodies are adhered to. And of course, one of the biggest challenges is actually in simply keeping up with the changing face of compliance. It’s not static, and it can take a lot of effort to ensure that new regulations are planned for well in advance. With this in mind, we’re going to take a look at what 2018 is likely to hold for compliance officers and the wider organisation when it comes to the healthcare industry.
Naturally, in the information age, it’s information and data that provide the main compliance issues. This goes for most industries, and certainly includes healthcare, which is becoming increasingly data dependent. It’s undoubtedly a slow process - many hospitals in the UK and across the world are still heavily reliant on paper documents, but we are nonetheless at a point where data is of critical importance. As a result, there are two major issues of compliance that are going to be important in 2018, and they both pertain to IT. The first is a massive change - GDPR, and the second is the continued effort against cybercrime.
Let’s discuss GDPR first.
The General Data Protection Regulation is an EU regulation that applies from the 25th of May 2018, and it makes sweeping changes to the way in which any organisation that collects or processes the personal data of people in the EU may collect, use or store that data. It applies to both controllers (who decide why and how data is processed) and processors (who process it on a controller’s behalf). It’s designed to give more control to the individual, and to ensure that organisations aren’t misusing information either.
From now on, organisations won’t be able to collect or process personal information without a lawful basis for doing so. This will usually mean that the collection and processing is necessary to carry out a service that the person has requested, or that consent has been given and recorded. Consent has to be freely given, specific, informed and unambiguous, and it can be withdrawn, so it should be relied on only where another basis doesn’t apply. In addition, GDPR allows individuals to request a copy of the data held about them, and to have it erased where there is no longer a lawful reason to keep it.
What qualifies as personal information? Almost anything that relates to an identified or identifiable living person, including everything from email addresses and physical addresses, to medical records. It’s a hugely broad term, and as a general rule, if it’s information about a private individual, it comes under GDPR. In addition, it’s worth noting that GDPR defines three further categories of data that pertain more specifically to the healthcare sector: data concerning health, genetic data and biometric data. All three are special categories of personal data, which means processing them is prohibited unless one of a narrow set of conditions applies, such as the provision of health care or explicit consent. The definitions are the following:
“Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
“Personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
GDPR is most likely going to come into play when it comes to the transfer of data between organisations. Generally, the healthcare sector is good at confidentiality, and is unlikely to fall foul of marketing mishaps. Transferring information between healthcare providers is commonplace however, and each transfer needs a documented lawful basis. That won’t always be consent: where data is shared for the purposes of providing care, GDPR allows processing on that basis, so renewed consent acquisition may not be required. What is required in every case is evidence of the basis being relied on, and a record of who the data was shared with and why.
The new rights around subject access requests are also something to think about, but again most healthcare organisations are already fairly familiar with the storage and recall of personal information.
In addition, there are new requirements for organisations to file a timely report to the correct authority when a personal data breach occurs: the supervisory authority must be notified within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to the people affected, and those people must themselves be told without undue delay where the risk to them is high. In the UK, the supervisory authority is the Information Commissioner's Office (ICO). Meeting a 72-hour deadline means having a tested internal process for detecting, escalating and documenting breaches before one happens. This leads us onto the general compliance considerations for cybercrime in 2018.
While there are few other major and specific changes to cybersecurity compliance in 2018 when it comes to law, what the next year does hold is the prospect of further significant risks, which means that it’s more important than ever to be following whichever standards your organisation has chosen to use. Whether it’s ISO 27001 or a local authority requirement, it is paramount that you’re doing everything in your power to follow the guidance.
The healthcare sector is undoubtedly going to be a target, particularly when it comes to certain cyber crime methods such as ransomware. We saw the NHS hit by the WannaCry ransomware attack in May 2017, and it’s very likely that we’ll see similar issues over the next few years. WannaCry spread by exploiting a Windows SMB vulnerability for which a patch had been available for two months, and it was the unpatched, often unsupported, systems that were hit. It’s often the case that even fairly basic measures that are dealt with under cyber security compliance - timely patching, retiring unsupported software, restricting network access to file-sharing services, and keeping tested offline backups - are the ones that guard against cyber crime. It’s often not the criminal that uses ingenious methods - it’s organisations leaving weaknesses.
For further resources on compliance issues, visit our online compliance resources centre.