Privacy risks related to technological and organizational obsolescence in healthcare

By | Thursday December 29th, 2016

Personal health data are the set of information that reveals a person's state of health. They consist of personal medical history, results of instrumental and laboratory tests, diagnostic images, medical reports and other sensitive information. By its nature, this data sits at the center of the activities of health facilities. To achieve continuous improvement, healthcare organizations must give citizens data that is of high quality, secure and easy to use. These objectives must also be pursued with limited resources, within a regulatory framework and in a constantly changing technology scenario.

Healthcare organizations are therefore called to standardize and simplify processes, identifying clear, specific objectives that are achievable and can be monitored over time. One of these is surely the identification and disposal of obsolete technologies and processes. These critical issues not only hinder the standardization and simplification of processes, but inevitably add complexity, exceptions and redundancies in healthcare organizations, resulting in increased risks and costs.
The economic constraints mentioned above tend to extend the software life cycle and the service life of electro-medical equipment that handles sensitive personal information.

In addition to the cases of technological obsolescence mentioned previously, there are those of an organizational nature. A typical example is the management of personal health data protection, a topic repeatedly reviewed by the legislator. The ever-changing regulatory environment makes it difficult to manage clinical data in an agile, long-term perspective. As a result, individual professionals within healthcare organizations often consider data protection an obstacle to the timely delivery of clinical procedures. Most national health structures delegate to the CIO the responsibility to define and manage data protection policies. The CIO, however, is not capable of performing this task alone: the CIO's mission is to ensure the delivery of services in terms of automation, innovation and efficiency, not to define company policies on data protection. Entrusting the management of healthcare data security to the Chief Information Officer (CIO) is in blatant contradiction with the ISO27001 information security standards and the General Data Protection Regulation 2016/679 (Art. 38, paragraph 6), which expressly prohibit delegating data protection responsibility to figures subject to potential conflicts of interest, according to the principle of the segregation of duties.
Grouping tasks and responsibilities of a different nature within a single person or organizational unit could allow the same actor to commit errors, fraud and violations involving personal data while being in a position to cover up the act, exposing the company to serious risk.


About Giampaolo Franco

Giampaolo Franco holds a degree in Computer Science and is a Certified Information Security Manager (CISM). Dr. Franco has more than 10 years of experience in governance, risk management, and compliance at Azienda Provinciale per i Servizi Sanitari (APSS, the main healthcare provider of the Autonomous Province of Trento). He is involved in several activities at APSS, including business continuity and disaster recovery, risk analysis, privacy compliance, awareness, internal and external audits, incident management, and optimization and quality control of IT processes. Previous work experience includes project management, analysis and programming for several financial institutions. He has also been a consultant for the University of Trento, working on a project aimed at defining organizational and security aspects related to the introduction of integrated models of digital teaching in schools. Dr. Franco continues to pursue research, education and awareness activities related to information security for the Public Administration with remarkable passion and leadership. He is a member of the ISACA VENICE Chapter and the Oracle Community for Security, and a contributor to Europrivacy. In 2016 he won the European Institute of Innovation & Technology - EIT Digital pre-incubation programme with a project on Art&Technology.