Comment: How the European General Data Protection Regulation will impact the healthcare industry

Published: 3-Jul-2017

Richard Henderson, global security strategist at Absolute, talks about the real-world implications for healthcare organisations, as well as the key objectives organisations need to remember when preparing for GDPR

The European General Data Protection Regulation (GDPR) aims to modernise data protection for all EU nationals.

Like many rules, there are different requirements for specific industries and, in this case, there are stricter standards for healthcare organisations – which isn’t surprising given the confidential information they are held responsible for.

As we’ve recently seen with the WannaCry hack on the NHS, the healthcare industry is not immune to cyber attack.

In fact, because of the sensitivity of the data the NHS and healthcare organisations hold, they are a very attractive target for cyber criminals.

With fines expected to be as high as four times a company’s turnover, healthcare organisations need to start preparing now if they want to be ready when the regulation comes into effect in May 2018.

A big problem is that, as healthcare becomes increasingly digitised and more employees use internet-connected devices to conduct everyday business, the number of potential gateways for hackers to access a network increases. This can make data protection and network safeguarding seem like an uphill struggle.

The threat of insecure mobile devices in the healthcare sector is clear.


Not too long ago, CardioNet Inc, a Pennsylvanian provider of remote heart monitoring technology, and a leading supplier of mobile cardio outpatient telemetry, was forced to pay $2.5m as it was in violation of the security and privacy rules of the US regulation, the Health Insurance Portability and Accountability Act (HIPAA).

One of the company’s laptops, which contained information on nearly 1,400 patients, was stolen back in 2012.

This may seem like an insignificant piece of news for organisations in the UK; however, it is a perfect example of what can happen when a company suffers a breach, fails to detect it, and neglects to report it.

Put simply, what happened to CardioNet is a cautionary tale of what could be the reality for the healthcare industry when GDPR comes into effect.

Hackers are clever, persistent creatures and they will continue to exploit end-point vulnerabilities, because, more often than not, they can.

The rise of bring your own device (BYOD) and the Internet of Things (IoT) has made it much more difficult for organisations to manage their endpoints and the data on them effectively.

The challenge lies in the fact that, as stricter regulations are enforced, data is becoming much more vulnerable as it’s increasingly stored on multiple endpoints.

Therefore, to ensure that organisations within the healthcare sector can take advantage of these devices and stay compliant, a holistic approach to data management is needed.

If implemented properly, the burden will be mitigated by the reward of knowing, with confidence, where data is and where it goes, strengthening compliance and reducing risk.

Under GDPR, organisations will not be able to get by without complete visibility into all endpoint assets at all times.


Without this, they will not be able to identify suspicious activity and take action – whether a device is connected to the corporate network or not – thus impacting their level of compliance should something go wrong.

In this hyper-connected world, businesses cannot allow their devices to ‘go dark.’ Instead, they need to maintain a constant connection and have the ability to remotely control data stored on endpoint devices to stop them becoming a catalyst for a damaging breach.

With stricter notification windows and greater levels of data accountability, organisations under GDPR will need to have a complete understanding of how they collect data, where it’s stored and how it’s managed in order to remain compliant.

The stakes are without doubt getting higher – especially when organisations are not just dealing with facts and figures, but also people’s lives.

GDPR enforcement may seem far away, but it’s not.

With under a year to go, healthcare organisations need to be strengthening their data security practices and ensuring all endpoints are adequately protected, wherever the device is located.

This is no mean feat, but the risks of not doing this now are quite simply too high.
