Compliance is a must

How GDPR protects both ophthalmologists and their patients

Aidan Hanratty

Posted: Friday, December 7, 2018

Brian Honan

Data is the new oil. So says Brian Honan, CEO and Principal Consultant in BH Consulting, a Dublin, Ireland firm that specialises in cybersecurity and information security advisory services. Just like oil, when data is mishandled or dealt with inappropriately, it can have devastating consequences for all involved, Mr Honan told the Practice Management and Development programme at the 36th Congress of the ESCRS in Vienna, Austria.

A person’s basic information can be worth at least $5 (€4.40). That’s information such as their name, address, mother’s maiden name and so on. The more information criminals have about a subject, the more that subject can be profiled for scams or further exploitation. Health and medical records, meanwhile, can be bought and sold online for $50 (€44) to $60 (€53). So, it makes sense to keep the data that your patients entrust to you safe.

There are many things to be said about the General Data Protection Regulation (GDPR), which came into force in May 2018. It takes precedence over all existing data protection laws throughout the EU. It applies to residents, not citizens of the EU. Data can be anything from a subject’s name or address to more specific information such as bank details, x-rays or the GPS location from their phone.

Of particular interest is medical data, which falls under the area of special category data. GDPR states that: “Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole.” Such data requires a higher level of protection, so anyone processing a lot of such data must do a data protection impact assessment, which involves an assessment of the risks of any breach of security as well as an assessment of all measures to address such risks.

What many people have noticed about GDPR is the severity of the potential punishments in the wake of a security breach: €20m or 4% of total worldwide annual turnover – whichever is higher. So, there is a lot at stake for data processors. US communications giant Verizon report that 84% of security breaches are down to poor passwords. That means that the time for “password” and “password1” is gone.

What can practices do to protect their patients’ data? Mr Honan recommends first of all that you identify what data you hold, and how. Is it on a computer or in a filing cabinet? Is it on devices that are encrypted and secure? Do your employees have access? Do they take it with home with them?

Mr Honan says that if you send business information via a personal email address, you may have inadvertently breached GDPR by transferring data outside the EU to the US, if that is where your email provider is based.

It’s important to establish policies for any subject access requests that come in. Data subjects have the right to access any data you may hold on them, be it in total or regarding specific dates. Data processors have 30 days to respond to any such requests, otherwise subjects can go to data regulators and complain, which could lead to punishments and fines.

Policies should be in place for dealing with data – who is allowed to handle patient information? Where can it be stored and how? Who is allowed access? “Once you’ve these things written down as a policy, it is easy to communicate and it dictates to the whole organisation what is allowed and what’s not allowed,” Mr Honan advises.

Keeping systems up to date is key, as is installing and maintaining anti-virus software. “Monitor and respond” is the best approach. “If someone suddenly starts accessing patient records at 2am on a Sunday morning from somewhere in China and they just left the office to go home to London, well then that should ring some alarm bells.”

Furthermore, just as medical colleagues share practical experience at meetings like the 36th Congress of the ESCRS, so they should share information on data management and protection. “You guys are the experts in your industry. You know what data is important to you. If you suffer a security breach, wouldn’t it be good to be able to share with somebody else so they don’t suffer the same thing?” Mr Honan asks.

He recommends security awareness training for your staff. As well as that, there are a number of free resources to help keep practices informed.

The European Union Agency for Network and Information Security (ENISA) has free information on data protection and how you should protect the data entrusted to you.

The UK Information Commissioners Office has a step-by-step Self-Assessment Tool that guides users through what is needed to protect information.

The Irish Data Protection Commissioner has a website called that gives advice for both individuals and organisations on what one should know and what one should be doing.

Mr Honan pointed out ISO 27001, the international, globally-recognised standard for managing risks to the security of information you hold. It sets out the requirements for any information security management system, which is a systematic approach to managing sensitive company information so that it remains secure.

“At the end of the day,” Honan says, “your computer is only as secure as the person who uses it.”

Brian Honan: