ESCRS - Compliance is a must

Compliance is a must

How GDPR protects both ophthalmologists and their patients

Aidan Hanratty
Published: Friday, December 7, 2018
Data is the new oil. So says Brian Honan, CEO and Principal Consultant at BH Consulting, a Dublin, Ireland firm that specialises in cybersecurity and information security advisory services. Just like oil, when data is mishandled or dealt with inappropriately, it can have devastating consequences for all involved, Mr Honan told the Practice Management and Development programme at the 36th Congress of the ESCRS in Vienna, Austria.

A person's basic information (name, address, mother's maiden name and so on) can be worth at least $5 (€4.40). The more information criminals have about a subject, the more precisely that subject can be profiled for scams or further exploitation. Health and medical records, meanwhile, can be bought and sold online for $50 (€44) to $60 (€53). So it makes sense to keep the data that your patients entrust to you safe.

There are many things to be said about the General Data Protection Regulation (GDPR), which came into force in May 2018. It takes precedence over existing national data protection laws throughout the EU, and it protects anyone resident in the EU, regardless of citizenship. Personal data can be anything from a subject's name or address to more specific information such as bank details, X-rays or the GPS location from their phone.

Of particular interest is medical data, which falls under "special category data". GDPR states that: "Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole." Such data requires a higher level of protection, so anyone processing a lot of it must carry out a data protection impact assessment (DPIA), which assesses both the risks of a security breach and the measures in place to address those risks.
What many people have noticed about GDPR is the severity of the potential punishments in the wake of a security breach: fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher. So there is a lot at stake for anyone who processes personal data.

Verizon reports that 84% of security breaches are down to poor passwords. That means the time for "password" and "password1" is gone.

What can practices do to protect their patients' data? Mr Honan recommends first of all that you identify what data you hold, and how. Is it on a computer or in a filing cabinet? Is it on devices that are encrypted and secure? Which employees have access? Do they take it home with them? Mr Honan says that if you send business information via a personal email address, you may have inadvertently breached GDPR by transferring data outside the EU to the US, if that is where your email provider is based.

It's important to establish policies for any subject access requests that come in. Data subjects have the right to access any data you may hold on them, be it in total or regarding specific dates. You have one month to respond to such a request; otherwise the subject can complain to the data regulator, which could lead to punishments and fines.

Policies should also be in place for dealing with data: who is allowed to handle patient information? Where can it be stored, and how? Who is allowed access? "Once you've these things written down as a policy, it is easy to communicate and it dictates to the whole organisation what is allowed and what's not allowed," Mr Honan advises.

Keeping systems up to date is key, as is installing and maintaining anti-virus software. "Monitor and respond" is the best approach.
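To make "monitor and respond" concrete, here is an added example (written for this page, not code from the article or from BH Consulting) of two simple detection rules run over a constructed access log from a hypothetical practice record system: access to patient records outside clinic hours, and "impossible travel", where one account is used from two places too far apart for the time between the accesses. The log format, user names, record identifiers, clinic hours and the 1,000 km/h threshold are all assumptions; a real deployment would evaluate working hours in the clinic's local time zone and geolocate source IP addresses rather than trust coordinates written into the log.

```python
"""Two access-log detections: out-of-hours access and "impossible travel".

Added example, not from the article or BH Consulting. The log format,
user names, coordinates, clinic hours and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy: records may be read Monday-Friday 07:00-20:00 (clinic time,
# taken as UTC here). Any pair of accesses that would need faster travel than
# an airliner is treated as "impossible travel".
WORK_START_HOUR, WORK_END_HOUR = 7, 20
MAX_PLAUSIBLE_KMH = 1000.0
MIN_TRAVEL_KM = 100.0  # ignore small jumps caused by geolocation noise

# Constructed sample log for a hypothetical record system, one event per line:
# <ISO-8601 UTC time> <user> <action> <record> <source city> <lat> <lon>
SAMPLE_LOG = """\
2018-11-23T09:12:03Z dr.smith VIEW PT-0451 London 51.5074 -0.1278
2018-11-23T19:45:11Z dr.smith VIEW PT-0452 London 51.5074 -0.1278
2018-11-24T01:30:27Z dr.smith VIEW PT-0453 Shanghai 31.2304 121.4737
2018-11-24T01:31:02Z dr.smith EXPORT PT-0453 Shanghai 31.2304 121.4737
2018-11-26T10:15:44Z nurse.jones VIEW PT-0460 London 51.5074 -0.1278
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    record: str
    city: str
    lat: float
    lon: float


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the space-separated log format above, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, city, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(when, user, action, record, city, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def out_of_hours(events: list[AccessEvent]) -> list[dict]:
    """Flag any record access at the weekend or outside clinic hours."""
    alerts = []
    for e in events:
        weekend = e.ts.weekday() >= 5  # Monday is 0, so 5 and 6 are Sat/Sun
        if weekend or not (WORK_START_HOUR <= e.ts.hour < WORK_END_HOUR):
            alerts.append({"rule": "out_of_hours", "user": e.user, "action": e.action,
                           "record": e.record, "at": e.ts.isoformat(), "from": e.city})
    return alerts


def impossible_travel(events: list[AccessEvent]) -> list[dict]:
    """Flag consecutive accesses by one user that imply an implausible speed."""
    alerts = []
    last: dict[str, AccessEvent] = {}
    for e in events:  # parse_log already sorted these by time
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # A real distance in zero elapsed time is impossible too; avoid dividing by it.
            if km >= MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"rule": "impossible_travel", "user": e.user,
                               "from": prev.city, "to": e.city, "km": round(km),
                               "hours": round(hours, 2), "at": e.ts.isoformat()})
        last[e.user] = e
    return alerts


def detect(text: str) -> list[dict]:
    """Run both rules over a raw log and return every alert."""
    events = parse_log(text)
    return out_of_hours(events) + impossible_travel(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the Saturday 01:30 accesses from Shanghai trip the out-of-hours rule, and the jump from London (Friday 19:45) to Shanghai (about 9,200 km away) in under six hours trips the impossible-travel rule, while the same account's earlier London-to-London accesses and the nurse's Monday-morning access produce nothing. The point of keeping the thresholds as named constants is that they are policy, not code: a practice with a Saturday clinic or staff who legitimately log in from home changes the constants, not the rules.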
"If someone suddenly starts accessing patient records at 2am on a Sunday morning from somewhere in China and they just left the office to go home to London, well then that should ring some alarm bells."

Furthermore, just as medical colleagues share practical experience at meetings like the 36th Congress of the ESCRS, so they should share information on data management and protection. "You guys are the experts in your industry. You know what data is important to you. If you suffer a security breach, wouldn't it be good to be able to share with somebody else so they don't suffer the same thing?" Mr Honan asks.

FREE RESOURCES

He recommends security awareness training for your staff. Beyond that, there are a number of free resources to help keep practices informed. The European Union Agency for Network and Information Security (ENISA) publishes free guidance on data protection and how you should protect the data entrusted to you. The UK Information Commissioner's Office (ICO) has a step-by-step self-assessment tool that guides users through what is needed to protect information. The Irish Data Protection Commissioner runs a website, http://gdprandyou.ie, that advises both individuals and organisations on what they should know and what they should be doing.

Mr Honan also pointed to ISO 27001, the internationally recognised standard for managing risks to the security of the information you hold. It sets out the requirements for an information security management system (ISMS): a systematic approach to managing sensitive company information so that it remains secure.

"At the end of the day," Honan says, "your computer is only as secure as the person who uses it."

Brian Honan: brian.honan@bhconsulting.ie
Tags: Cyber security, GDPR, practice management