The French supervisory authority (CNIL) has once again fulfilled its role of control and sanction to guarantee the protection of personal health data with a decision made public on October 14, 2021. This decision puts in default the company Francetest so that it complies with the data protection regulations. Indeed, on anonymous reporting, the CNIL found serious breaches, particularly related to the hosting of health data, the recording of interventions on this data and the authentication process.
Several hundreds of thousands of screening test results have thus been shared between different health organizations while being insufficiently secured. The case is serious because the risks are real in the event of a leak.
This company is far from being an isolated case: during its inspections, the CNIL often finds negligence in the protection of personal data, which could easily be avoided. The processing of health data, as sensitive data, is particularly monitored by this body which has made it a priority theme in 2021.
Whether you work in a private practice or in a university hospital, the protection of medical data is essential and contributes to privacy and medical secrecy. While all healthcare professionals are concerned, the obligations, in particular with regard to the period for which the personal data are stored, are not strictly the same depending on whether this data is used for healthcare or research purposes (in this regard, consult the standards published by the CNIL).
Remember that the impact of a data breach can indeed have serious consequences for the data subject (phishing attempt, identity theft, use of the social security number, sale of data to unscrupulous organizations).
How to reduce the risk of data breach? How can you be sure that the health data yu are handling is sufficiently secured? Ventio gives you 8 recommendations to improve yourself.
Ready to take a look at your level of security?
- Be aware !
Raise awareness by (re)reading, for example, the practical guide of the National Order of Physicians and the CNIL (in French).
- Fight fiercely your bad habits as well as those of your collaborators.
The most classic case is that of an open computer session. Would you leave your home with the door open? To deal with this problem you can set up an automatic lock after a few minutes of inactivity. No tolerance for negligence!
- Do a full scan of your computer system.
You’ve closed the door, but don’t leave the key under the doormat. Check with your IT provider that your passwords are difficult enough to guess, that your data are encrypted, and that your operating systems and anti-virus are up to date. Access to your computer network must be secured by a firewall, and you must have backups. If one of these elements is faulty, you risk a data leak and a formal notice from the control authority in the event of an inspection.
How do you ensure that your IT is well protected from unauthorized access? Have you heard of penetration testing? Specialists put themselves in the shoes of a hacker and report to you how they could enter into your system.
- Do not send sensitive documents unencrypted.
For the exchange of documents between professionals or with patients by e-mail, you must use secure messaging and/or encrypt attachments containing sensitive information. Contact your IT service provider if you have any doubts. Soon in 2022 you will have ‘the digital health space‘ to exchange sensitive documents in France.
- Do not trust just anyone to process your data!
If you use a service provider in France for the hosting of health data, it must have the HDS (Health Data Host) certification, and therefore, for example, be part of this list. If not, quickly migrate your data to a certified provider.
- Pay attention to your complementary tools.
If you use a service provider to make appointments, they must guarantee that they comply with the GDPR and do not go beyond your instructions. This must be done by a subcontract on which you must be vigilant. For an online service, find out about the personal data protection policy, and keep track of the terms of service. Once the service has been provided, make sure that personal data is not kept beyond a reasonable time by your service provider.
- Find out about the regulations that apply to you
For example, if you want to perform research with your patients’ data, you need to conduct a privacy impact assesment, that is, anticipate the potential consequences for your patients in the event of a breach or corruption of their data. You will be able to anticipate measures to prevent and manage this in accordance with Articles 35 and 36 of the GDPR.
- Traceability and anticipation…
Keep and maintain records of your processing, your data media and your actions for data security. These are the elements that the supervisory authority will look at in the event of a control.
Common sense, good practices and awareness are the first elements towards compliance.
In view of the stakes and the penalties incurred, it is nevertheless recommended to seek support in securing your data in order to implement compliant processing.
A large-scale sensitive health data processing project? Do you need to assess your level of security, compliance, anticipate or respond to obligations or requests from the supervisory authority in France (CNIL)? Ventio can provide you with valuable advice and offer you various support ranging from compliance auditing, privacy impact assesment or interfacing between you and the supervisory authority… Fly with us!