Since the arrival of HIPAA more than 20 years ago, healthcare organizations and professionals have become painfully aware of the price of not safeguarding private medical information.
In fact, more than 171,000 Privacy Rule complaints have been recorded since 2003, resulting in many millions of dollars in fines. Three data breaches in 2013 cost Advocate Health System $5.5 million, while New York-Presbyterian Hospital and Columbia University paid a combined $4.8 million to settle charges from a 2010 breach. The list goes on.
But as personal data is increasingly stored and moved across national borders, through cloud services and web servers around the world, healthcare organizations are no longer the only entities being held liable for the data they hold. Governments are increasingly concerned with protecting the privacy of their citizens, and the EU’s General Data Protection Regulation (GDPR) is the latest data protection law to emerge amid growing privacy concerns worldwide.
On May 25, 2018, the European Union (EU) begins enforcing GDPR, which protects the personal data of individuals in the EU, with heavy fines for organizations that fail to comply. The regulation applies not only to organizations established in the EU but also to any organization outside the EU that offers goods or services to, or monitors the behavior of, individuals in the EU (Article 3). Note that the trigger is the data subject being in the EU, not EU citizenship.
Unlike HIPAA, which caps penalties at $1.5 million per calendar year for violations of an identical provision, GDPR fines can reach €20 million (roughly $24 million) or four percent of the violator’s total worldwide annual turnover, whichever is higher (Article 83). To put it plainly, GDPR could have a monumental impact on business processes across all sectors, globally. It is more significant than HIPAA not only punitively but also in scope: HIPAA covers protected health information held by covered entities and their business associates, while GDPR covers all personal data of individuals in the EU, whoever holds it.
Preparation is key. But according to a survey conducted by a leading information security company, the healthcare sector is the least likely of all industries to be ready for GDPR, with only 17 percent of organizations indicating they will have systems in place to address the new regulation. I don’t disagree with those results. In fact, I’ve talked to dozens of healthcare providers across the U.S., and most of them are still only minimally aware that GDPR will apply to their organization.
Fortunately, there’s still time to prepare. Here are seven things you need to know or do to get ready for GDPR compliance:
1. It’s Not New
While GDPR does contain security requirements, it is primarily a privacy law: many of its provisions concern consent and the rights of data subjects, such as access, data portability and erasure (the “right to be forgotten”). While these ideas are not widely established in the U.S., most of them are not new to the EU. The bulk of GDPR builds on the 1995 EU Data Protection Directive (95/46/EC), which the UK implemented as the Data Protection Act 1998. So, for those who find GDPR confusing, it’s helpful to go back to those earlier instruments to see the genesis and original intent of the regulation.
2. Have a Plan
As with most regulatory requirements, you must have a plan. I can’t overstate that your plan must start with an effective, standards-based risk assessment, the scope of which will define the data in question. GDPR itself requires a data protection impact assessment (DPIA) for high-risk processing (Article 35), and large-scale processing of health data falls into that category. While GDPR originates in the EU, following the cybersecurity frameworks of NIST (the National Institute of Standards and Technology) will help your organization maintain a defensible position if you are flagged for non-compliance.
It’s not enough to meet the guidelines and hand a policy framework to a supervisory authority. Under the accountability principle (Article 5(2)), organizations must be able to demonstrate compliance: provide evidence that the policy has been implemented, show that it works and prove it’s being enforced. Plans should also show measurable progress toward full compliance, with records of processing activities (Article 30), DPIAs and risk treatment decisions kept as evidence. Because much of GDPR is written in principle-based language, it is not yet clear exactly what documentation supervisory authorities will expect, though the Article 29 Working Party and national regulators continue to publish guidance.
3. Classify Data
Organizations will be forced to classify their data, something all organizations should do anyway, simply because data classification helps you understand your assets, where they are located, and which are worth protecting at all costs. Unlike HIPAA, which has a narrow definition of electronic protected health information, GDPR defines personal data very broadly (Article 4(1)): any information relating to an identified or identifiable natural person, including names, identification numbers, location data and online identifiers. In practice that data set will include photos, IP addresses, social media posts, cookie identifiers set on an endpoint, individual likenesses, biometrics and more. Health data, genetic data and biometric data used for identification are “special categories” (Article 9) that carry additional restrictions, which matters for every healthcare organization.
4. Appoint a Data Protection Officer (DPO)
There are exclusions, but Article 37 requires a Data Protection Officer where an organization is a public authority, or where its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Health data is a special category, so the vast majority of healthcare organizations subject to GDPR will need one. The person you appoint to this position will not be like a HIPAA security officer. I use this example because anyone can play the role of HIPAA security officer. In fact, it’s more of a role than a title, and it doesn’t have to be a full-time position. In contrast, the GDPR language specifies that a DPO must be designated on the basis of professional qualities and, in particular, “expert knowledge of data protection law and practices.” This requirement in and of itself is not a problem, simply because there are plenty of attorneys that fit that bill. The problem is the DPO also needs to be an expert in security. I hate to be a pessimist, but I only know one or two people on the planet that fit that description.
This is one of the areas I predict will see an amendment before the end of the first compliance period, because it’s too broad and nearly impossible to fill the position; these people just don’t exist.
5. Report Breaches of Personal Data
GDPR defines a personal data breach (Article 4(12)) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. A breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of the data subjects (Article 33); where the risk is high, the affected individuals must also be notified without undue delay (Article 34). That risk-based test is not how we measure or determine HIPAA breaches, which are more binary and atomic in nature. The boon and the bane of GDPR is that the test is so open-ended, so it is imperative to develop an incident response capability, with documented detection, risk assessment and notification steps, that can be defended in the event of a breach.
6. Provide Subject “Right of Access”
GDPR will require organizations to provide, upon request, details of what data is being collected and how it is being handled: the purposes of processing, the categories of data, the recipients, the retention period and the source of the data (Article 15). We’ve seen these types of requirements in the past in the education sector with FERPA. However, GDPR also gives data subjects a right to erasure, or a right to be forgotten (Article 17). This means that if a data subject requests their data be removed, the controller must erase it without undue delay across every system that holds it, including backups and any processors it was shared with, and be able to demonstrate that this was done. The trouble is, it’s difficult to prove a negative, that is, that something no longer exists, so you need an inventory of where personal data lives before the first request arrives.
7. Implement “Protection by Design”
Admittedly, cybersecurity tends to be an afterthought and is typically implemented after networks and processes already are established. This can’t happen with GDPR. Article 25 requires “data protection by design and by default,” meaning applications are built so that privacy is part of the original framework or architecture, and so that, by default, only the personal data necessary for each purpose is processed. Unfortunately, that’s not a very common practice today, as most organizations handle their cybersecurity with a reactionary approach. For some, this will be one of the most challenging aspects of the regulation. Either way, the regulation states that organizations must implement “appropriate” technical and organizational measures, taking into account the state of the art, the cost of implementation and the risks to data subjects (Articles 25 and 32). What counts as “appropriate”? That’s the million-dollar question. It’s going to be the responsibility of organizations to define, and document, what “appropriate” means for their own processing.
GDPR is vague in places, and we’ve seen numerous areas in the regulation that are open to debate. But the important thing to remember is that if you can show you are protecting the data in question, much as you do with data regulated under HIPAA, you will put yourself in a defensible position and shouldn’t run into too many issues.
Will we get more clarity as we move closer to the deadline? Of course. In the meantime, use this as a roadmap toward reaching your compliance goals and don’t hesitate any longer.
Reg Harnish is the CEO of GreyCastle Security, a leading cybersecurity services provider dedicated exclusively to cybersecurity and the practical management of cybersecurity risks.