GDPR in healthcare: critical issues and possible solutions

By | Saturday August 20th, 2016

The General Data Protection Regulation is certainly innovative and in line with the current requirements for data security. It is structured in such a way as to ensure consistency, balance and control of the powers of the stakeholders involved. It aims to achieve, in the short and medium term, some “hard” goals. Most public and private companies, to date, does not have the features and resources to adapt, and many issues still remain unresolved after the entry into force of the Directive 95/46/EC.
Few subjects, over the years, have invested in a strategy designed to achieve data security objectives, because privacy and information security is still considered a computer problem. Privacy issues are taken into account only if occurs a damage.
The recent incidents related to the mass surveillance of citizens, by the leading nations in information technology, have revealed how the population is “spied” by illegal and offensive means: the freedom of natural persons was harmed. The public trust in institutions is decreasing, as well as the perception of security in information technology.
It is disconcerting that awareness by operators and suppliers is not consequently increased. The application of privacy policies into business processes is often considered a bureaucratic activity that slows down and does not provides added value. For this reason, they do not have business continuity and disaster recovery plans, and staff dedicated to IT security.
GDPR provides that business and data protection run in parallel, hand in hand, and imposes onerous penalties for those who do not adapt. Nevertheless, the organizational structures of many public and private entities are verticalized in silos that do not interface with each other. Information sharing and multi-disciplinary approach, components required for the correct application of an information security governance, clashe with this “old school” of thought.

Category: Impact, Risk and Measures Tags: , , ,

About Giampaolo Franco

Giampaolo Franco, degree in Computer Science, Certified Information Security Manager (CISM). Dr. Franco has more than 10 years of experience in governance, risk management, and compliance at Azienda Provinciale per i Servizi Sanitari (APSS, the main healthcare provider of the Autonomous Province of Trento). He is involved in several activities at APSS, including business continuity and disaster recovery, risk analysis, privacy compliance, awareness, internal / external audits, incident management, optimization and quality control of IT processes. Previous work experiences include project management, analysis and programming for several financial institutions. He has also been a consultant for the University of Trento, working in a project aimed to define organizational and security aspects related to the introduction of integrated models of digital teaching in school. Dr. Franco continues to pursue research, education and awareness activities related to information security for the Public Administration with remarkable passion and leadership. He is a member of the ISACA VENICE Chapter, Oracle Community for Security and contributor of Europrivacy. In 2016 he's the winner of the European Institute of Innovation & Technology - EIT Digital pre-incubation programme with a project on Art&Technology.

Leave a Reply