GDPR and HIPAA: Cracking the privacy code
GDPR and HIPAA are two of the most prominent regulations that aim to protect the privacy and security of personal data. General Data Protection Regulation (GDPR) is a EU law that went into effect on May 25, 2018 setting a new level of transparency and empowering individuals to gain greater control over their personal data. HIPAA, Health Insurance Portability and Accountability Act of 1996, is a US regulation designed to limit the use of protected health information (PHI).
Healthcare organizations that operate in the US and the EU need to comply with both HIPAA and GDPR when handling personal data of individuals in those regions. For example, a US research entity that conducts clinical trials in the EU needs to follow both HIPAA and GDPR rules when collecting and processing personal data of participants. Similarly, a EU healthcare provider that offers medical tourism services to US patients needs to comply with both HIPAA and GDPR when using and disclosing PHI of those patients.
GDPR and HIPAA have certain similarities since at the core they are about security but they also have some particular distinctions:
- For starters, GDPR covers any type of personal data that can identify an individual (name, email, location, IP address), while HIPAA is more concerned with health-related information (medical records, diagnoses, treatments).
- Under GDPR, individuals have the right to tell an organization to erase their data, without undue delay. HIPAA doesn’t have this right to be forgotten. Instead, covered entities must follow the state law regarding the retention period for medical records.
- Fines for non-compliance, too, are different: GDPR imposes penalties up to €20 million or 4% of the annual turnover, while HIPAA fines range from $100 per violation or $1.9 million per year, or even imprisonment up to 10 years.
When building a healthcare solution, developers need to follow comprehensive HIPAA and GDPR checklists as well as industry best practices. However, no matter how secure the software is, the investment can be completely undone if it is deployed on a vulnerable server or if physical security safeguards are not in place. Thus, it's crucial to understand that complying with the standards is a shared responsibility and clients have to do their part (choose a reliable hosting provider, educate and train their staff, etc.) to minimize non-compliance risks.
Protecting data security and privacy
First of all, every healthcare software development project is unique, and although there are general guidelines on how to achieve compliance, each case requires a tailored approach that would take into account all the specifics. At Symfa, we prepare detailed checklists for developers as well as for the client to provide guidance and make sure both parties are aware of their responsibilities.
That said, let’s consider the most common data security measures.
In an increasingly hostile healthcare environment, simple login and password may not be enough to protect sensitive health information. According to the Verizon 2022 Data Breach Investigations Report, over 50% of all data breaches involved stolen credentials.
This is where multi-factor authentication (MFA) can help. MFA offers an extra layer of security by asking users to verify their identity using two or more factors: something they know (e.g., a password), something they have (e.g., a smartphone), or something they are (e.g., a fingerprint). This way, even if one factor is compromised, the attacker still needs to obtain the other factors to access the user's account.
Both HIPAA and GDPR agree that in order to protect sensitive health information from exposure it is necessary to regulate who can access what data and how. For instance, a receptionist may just need a patient’s billing information while a physician will need a full patient history.
Access controls are the mechanisms that provide authorized users with the right to access the minimum necessary information to perform their job functions. There are different types of access controls but Role-Based Access Control (RBAC) is often considered to be the most appropriate under GDPR and HIPAA. RBAC provides access to personal data based on a user’s role within the organization. This model is flexible and relatively easy to manage as permissions are assigned to roles rather than individuals.
However, some roles may still have more access than they need, or some users may have multiple roles that conflict with each other. To further boost data protection and minimize the attack surface, the Principle of Least Privilege (POLP) can be implemented. This is a finer-grained approach stating that users should only have access to resources they need to do their job, no more. Implementing POLP requires reviewing and refining roles and permissions regularly, applying separation of duties, enabling monitoring and auditing mechanisms, and more.
Although neither HIPAA nor GDPR explicitly mandate data encryption, both standards mention this safeguard as an appropriate data security measure and it is considered a best practice to protect personal data and mitigate risk.
Again, neither standard specifies an encryption method in order to accommodate for the fast-paced technological progress. But as of today, it is recommended to use strong forms of encryption like AES 128, 192, or 256-bit for highly sensitive information.
Another appropriate data security measure is data pseudonymization. It refers to the processing of personal data in a way that prevents direct association with a particular data subject unless additional information is used. In simpler terms, it is about replacing sensitive data with realistic fictional data. The essence of pseudonymization is straightforward – it maps identifiers like names, email addresses, and more to pseudonyms. The key requirement is to ensure that the pseudonym "pseudo1" linked to the identifier "id1" remains distinct from the pseudonym "pseudo2" linked to the identifier "id2."
European Union Agency for Cybersecurity explores main pseudonymization techniques and policies from the simplest methods like counter and random number generator to more sophisticated approaches like cryptographic hash function and message authentication code. And just like with encryption, healthcare software development vendors choose the most appropriate pseudonymization technique depending on the type and sensitivity of data, the risk of de-identification and the purpose of the healthcare solution.
Regular data backups are an important part of any data management strategy as they protect against data loss in case of human errors, virus attacks, hardware failures. According to HIPAA Security Rule, covered entities must regularly back up copies of ePHI as part of their contingency plans. Best practices for a good data backup strategy include:
- Data redundancy. Preferably implement the Three-Two-One Rule: keep three copies of data on two storage platforms, one of which is offsite.
- Data encryption. All sensitive health information, including data backups, must be encrypted using the appropriate mechanism, as we discussed earlier.
- Data transfers. Not only data at rest needs to be encrypted, data transmitted over networks must also be encrypted to protect from unauthorized access.
- Data restoration. It’s necessary to ensure that backup data can be restored or retrieved to its original or new location.
- Backup monitoring. Regularly test and monitor data backups to stay on top of any potential issues.
The bottom line
The healthcare sector remains an enticing target for cybercriminals, with data breaches not only threatening the privacy of patients but also undermining trust in healthcare institutions. Standards like GDPR and HIPAA are essential frameworks that aim to ensure data security, but they require a holistic approach and joint efforts from healthcare providers and software vendors alike.
At Symfa, we don’t leave our clients hanging – in addition to delivering a compliant healthcare software solution, our experts can provide you with extensive checklists to help you stay ahead of the compliance game.