I’m kind of glad that ransomware has hit healthcare, and hit the headlines. That might seem somewhat of an odd attitude from somebody who has lived and breathed cybersecurity since long before the term was coined, but bear with me. Because some criminal endeavours are now actively targeting the healthcare sector with carefully crafted spear-phishing campaigns, NHS security teams are working quickly to strengthen their security posture and keep ransomware at bay.
This is a good example of how bad news can often be the catalyst for change. The looming shadow that is the European Union General Data Protection Regulation (GDPR) compliance date of 25 May 2018 might just be another.
It still applies to EU
Don’t be fooled by the EU prefix. Despite the triggering of Article 50 and the Brexit process, GDPR remains a reality. Not only does it come into force before the UK will have left the European Union, but both the government and information commissioner have confirmed the regulation will still apply. That means much tougher penalties under the Data Protection Act remit, and it also means plenty of changes when it comes to how organisations handle, protect and move personal data.
I can almost feel the mass shuddering at Article 37 of the GDPR, which requires organisations to appoint a named data protection officer with responsibility for managing data security, including cyberattacks. That person needs, the regulation states, to be “designated on the basis of professional qualities” and in particular must possess “expert knowledge of data protection law and practices”.
Using my principle of picking the positive out of a crisis, I can see that the realities of GDPR should help drive cybersecurity issues further up the agenda of NHS trusts. That has to be a good thing. Of course, I am not a lawyer so I cannot address the small matter of whether NHS information governance policies and processes will need to change dramatically, or what the likely financial risks from non-compliance after May 25 might be. Luckily, I have been speaking to a number of lawyers with a whole heap of smarts when it comes to GDPR. Here’s what they have been telling me.
New requirements
Emma Godding is senior associate and information lawyer for Bevan Brittan LLP. That question I just posed about whether information governance policies and processes will need to change? According to Emma, the answer is a big fat yes – despite GDPR having similar general concepts to existing data protection legislation.
“GDPR places a number of new requirements on data controllers such as NHS bodies,” she warns, continuing “it also provides individuals with an increased level of control over their data, and a number of complex new rights in relation to it”. The takeaway from Emma is that NHS bodies will need to prepare for these significant changes in advance of the introduction of the GDPR and, if they don’t, then regulatory action is likely.
And, of course, there’s the right of individuals to bring claims for compensation for “damage and distress” against organisations which breach their data rights. The double whammy being that the regulator for data protection, the ICO, gets increased fining power as well: up from a maximum £500k to €20m (£17.2m) or more.
Documentation is important… but not enough
Jocelyn Paulley is a director at Gowling WLG and told me that, in practice (pardon the pun), GDPR means all NHS trusts and GPs “documenting how the controller complies with the principles and obligations within the GDPR”.
This documentation will take many forms, of course, but in part will be existing policies, training material and privacy notices. New documentation will come in the form of “schedules of data that is processed, privacy impact assessments and evidence of attendance at training, deletion of data in accordance with policies, consent (where consent is the condition for processing), internal audits etc,” says Jocelyn.
To be truly accountable though, documentation is not sufficient. “The culture of organisations will need to change to embrace privacy as part of day-to-day operations and ways of working,” Jocelyn warns. Changing culture and behaviour is a big challenge. That’s true anywhere, but perhaps especially so within the NHS.
Yet the consequences of failing to comply with GDPR are serious for the cash-strapped NHS, as those fines are truly eye-watering. “Spending money to change a policy is an easy win,” Jocelyn concludes. “But with so many other pressures on the healthcare system, even a hefty financial penalty seems unlikely to catalyse a change in the attitude to privacy.”
A major impact
The last lawyer I consulted (pardon the pun yet again) was Aaron Simpson, a partner at Hunton & Williams LLP. He is in no doubt that GDPR will have a major impact on the information governance processes of NHS trusts.
“GDPR will require NHS trusts to evaluate and revise the ways in which they seek consent for the processing of health-related data; update their privacy notices,” says Aaron, adding that trusts will have to “implement effective policies and procedures to ensure compliance with the GDPR, comply with enhanced and new rights of individuals in relation to their personal data, such as the right to erasure, appoint a data protection officer, carry out data privacy impact assessments in relation to new data processing, and develop inventories of the personal data they hold and process”.
The good news from a cybersecurity perspective, if you’ll excuse me that luxury, is that unlike current data law the GDPR will require NHS trusts to notify the Information Commissioner’s Office of any breaches involving personal data within 72 hours of detection. There are some exceptions, such as if the breach is unlikely to result in any risk to the individual. “In some cases,” Aaron explains, “NHS trusts will also be required to report data breaches to individuals themselves”.
Controlling the risk
Why is this such a good thing? Well to comply with these obligations, and they’re particularly onerous with respect to timing, NHS trusts will need to implement a cybersecurity risk management programme, including carefully considered policies and procedures designed to prevent, detect and respond to any data breaches.
“When dealing with reported data breaches,” Aaron continues, “the ICO places a strong emphasis on the controls the organisation has in place, and will have the power to fine NHS trusts up to €10m for a failure to comply these obligations”.
If GDPR manages to instil a culture that promotes responsibility and security when handling personal data, and if it acts as a catalyst to ensure every trust has a formal cybersecurity risk management programme, then I’ll be a happy bunny and so should you. Sure, you could argue that the NHS already has to comply with pretty strict rules when it comes to handling data. But GDPR will bring these requirements into sharp focus, and the changes that will need to be made to achieve compliance will have to include improvements to data security processes.
21 April 2017 @ 12:34
Thanks Mark, always good to know someone is reading 🙂
21 April 2017 @ 12:04
Great article, thanks for writing this. Really helpful.
10 April 2017 @ 10:35
I think you’ve hit the nail firmly on the head there John. I was talking to a security consultant friend of mine and he pointed out that “the hard commercial interface between insurance companies and NHS trust management” is where things will get really problematical. So, imagine the scenario of a data breach with consequential ‘damage’ to patients that is demonstrably proven to be down to either bad practice or simple incompetence. It’s not outside the realms of possibility that the insurers will play their get out of jail card, and refuse to pay (assuming they had agreed to cover such losses to start with of course.) As my friend concludes “the various NHS trusts and surgeries and their management and all of their staff will all end up being directly exposed.” And there lies the rub, with that potential for legal, and so financial, liability for a breach to become personal…
7 April 2017 @ 20:41
Perhaps more importantly, where is the time going to come from? The responsibilities on practices will be onerous, and clinicians have quite enough to do as it is without having to learn the ramifications of a complex discipline such as cybersecurity. Currently MANY clinicians are frightened to share data in case inadvertently they fall foul of the law: I can’t see the GDPR helping this in any way. Indeed, the duties placed upon practices look obsessionally burdensome – just the sort of thing that gives maximum opportunity for busy, dedicated clinicians to be trapped into a procedural mistake, and thus open themselves up to an even bigger fine (and then regret the day they ever started practising as a GP). And this is in relation to a profession that has confidentiality written on its corporate heart!
6 April 2017 @ 12:41
Bigger question , where is the funding going to come from to do this properly? Not enough cyber security experts nationally let alone in the NHS.