After years of planning, the European Union began enforcing its General Data Protection Regulation (GDPR) on May 25th, 2018.
Many businesses in the Philadelphia metro assume they don't need to worry about an EU regulation because they're not based in Europe. GDPR, however, protects the personal data of people in the EU regardless of where the business handling it sits: if your office treats, bills or markets to anyone living in the EU, you can be held accountable for protecting their personal data to GDPR standards.
If you work in healthcare, two requirements will press hardest: (1) establishing a lawful basis, normally explicit consent, before using a patient's personal data for any business purpose not related to their care, and (2) being able to find and erase every copy of a patient's personal data when they ask, subject to the exceptions GDPR allows for data you are legally obliged to retain.
On paper that sounds easy; in practice these requirements are an operational nightmare if you have not planned for them. Note: If you have questions about current HIPAA-HITECH requirements, or need advice on securing and maintaining protected health information (PHI) or any other personal data, consider a network security roadmap meeting.
Today I want to focus on GDPR and help you navigate the compliance changes it brings, especially if you handle EU residents' data even occasionally, and show where your business has to be more vigilant than HIPAA already requires.
Here are the top 4 improvements that even healthcare offices compliant with current HIPAA expectations will need to make in order to meet GDPR:
1. Digitize your paper. Over 40 percent of healthcare offices around the country (and around Philadelphia) still rely on paper records. One big reason paper persists is that many of us prefer reading and digesting complex information, including patient records and files, on paper rather than on a screen.
If your office has accumulated filing cabinets full of paper, digitizing them is a daunting task. The security argument for doing it is not that a file on a server is inherently safer than a file in a drawer; it is that a digital record can be encrypted, access-controlled and logged, while a paper chart offers none of those controls once someone is standing in front of the cabinet.
With digital patient files, your IT support can identify who accessed what and when, which is exactly the evidence a GDPR access or erasure request demands. Fortunately, there are many technologies for digitizing paper documents in bulk; if you have a backlog of files, ask us for recommendations. Note that GDPR does not literally require you to go paperless: it also covers paper records kept in a structured filing system. Digitizing is what makes the access logging, encryption and complete erasure that GDPR expects practical.
2. Automate manual workflows. A large number of healthcare processes remain inefficiently on paper; admissions, prescriptions and discharges are not always automated. Without digitized information transfer, patient data sits out in the open for anyone to read. Digital controls, including encryption, keep personal information protected while it is stored in a database or transmitted to another office.
The prescription process is a common example. If a doctor writes a prescription on a paper pad, that slip may be seen by many unauthorized eyes in the office and at the pharmacy, and it can easily be misplaced or lost. Nothing prevents whoever picks it up from reading it, and there is no backup if it disappears.
Automated workflows provide an audit trail of what data was sent to whom and can identify where it resides. You can show that the data is encrypted and verify that it is not being used for anything other than the patient's care.
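As an added illustration, not code from the original post, the following Python sketch shows what the audit trail and the erasure requirement look like once records are digital. Everything in it is constructed: the two record stores (EHR and BILLING), the patient IDs and the user names are hypothetical stand-ins for real systems. The log keeps only a pseudonymous patient ID, never the PHI itself, and chains entries with SHA-256 so that a deleted or altered entry is detectable; because no personal data is in the log, it can be retained after an erasure to prove what was deleted, by whom and from which system.

```python
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass
class AuditEntry:
    ts: float
    user: str
    patient_id: str   # pseudonymous ID only; no PHI goes into the log
    action: str       # e.g. "view", "send", "erase"
    system: str       # which store was touched (hypothetical names below)
    prev_hash: str
    hash: str = ""

    def payload(self) -> bytes:
        # Canonical bytes that the entry hash commits to.
        return json.dumps([self.ts, self.user, self.patient_id, self.action,
                           self.system, self.prev_hash]).encode()


class AuditLog:
    """Append-only, hash-chained access log.

    Each entry commits to the previous entry's hash, so removing or editing
    an entry breaks verify(). The chain proves who accessed what and when
    without storing the patient data itself.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user, patient_id, action, system, ts=None):
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = AuditEntry(time.time() if ts is None else ts,
                           user, patient_id, action, system, prev)
        entry.hash = hashlib.sha256(entry.payload()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or hashlib.sha256(e.payload()).hexdigest() != e.hash:
                return False
            prev = e.hash
        return True

    def accesses_for(self, patient_id):
        """Answer a subject access request: who touched this patient's data?"""
        return [(e.user, e.action, e.system)
                for e in self.entries if e.patient_id == patient_id]


def locate_patient(patient_id, stores):
    """Return the names of every store holding a record for this patient."""
    return [name for name, store in stores.items() if patient_id in store]


def erase_patient(patient_id, stores, log, requested_by):
    """Honour an erasure request across all stores and log each deletion.

    Before calling this, check whether a retention obligation (for example a
    legal hold) applies; GDPR Art. 17(3) exempts such data from erasure.
    """
    erased = []
    for name, store in stores.items():
        if patient_id in store:
            del store[patient_id]
            erased.append(name)
            log.record(requested_by, patient_id, "erase", name)
    return erased


def sample_stores():
    # Constructed sample data standing in for an EHR and a billing database.
    return {
        "EHR": {"p-1001": {"name": "A. Example", "notes": "follow-up"},
                "p-1002": {"name": "B. Example", "notes": "annual exam"}},
        "BILLING": {"p-1001": {"name": "A. Example", "balance": 120.0}},
    }


if __name__ == "__main__":
    stores = sample_stores()
    log = AuditLog()
    log.record("dr.smith", "p-1001", "view", "EHR")
    print("p-1001 lives in:", locate_patient("p-1001", stores))
    print("erased from:", erase_patient("p-1001", stores, log, "privacy-officer"))
    print("access history:", log.accesses_for("p-1001"))
    print("log intact:", log.verify())
```

The point of `locate_patient` is the part most offices get wrong: an erasure request is only satisfied when every copy is gone, including the billing system, backups and any export, so you need an inventory of where a patient's data resides before you can promise to delete it. The hash chain is a lightweight stand-in for whatever tamper-evident logging your EHR vendor provides; what matters is that the log outlives the data and cannot be quietly edited.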
3. Secure your printers. One of the biggest remaining problems for healthcare offices is mitigating the data breaches and security risks that come from their printers. With GDPR's intense focus on data privacy, uncontrolled printed documents are a serious compliance risk.
Very likely your office has one secured printer. Even more likely, you have other printers that do not protect files containing sensitive information. Staff may print sensitive documents to the wrong printer or forget to retrieve them. One printer may be physically secured, where only authorized people have access, while another sits open and accessible to unauthorized people.
To address these concerns, healthcare offices can apply device-level controls so that printed data stays protected. Examples include devices that release a print job only after the worker authenticates at the device (often called pull printing), devices that accept jobs only from approved sources, and devices that restrict scanning and faxing to pre-approved destinations. Remember that printers and multifunction devices are network hosts like any other: change their default administrative passwords, keep their firmware current, and keep them reachable only from your internal network. If you're not sure what to do with your devices, consider a network-wide security assessment.
4. Improve document management overall. GDPR and HIPAA both push healthcare offices toward better curation and management of their documents, and better operational efficiency follows from it. GDPR's purpose is to assure individuals that they retain rights over their own personal data; your office carries the responsibility of making sure that data is secure and used only for its intended purposes.
Have you been thinking about security that actually protects your patients and clients? Will you be able to keep up with growing cybersecurity legislation? Contact us TODAY for a free network security roadmap meeting!