Read this post to understand how the recently implemented General Protection Data Regulation (GDPR) keeps clinical data safe, and how the right data management tools help companies stay compliant.
Searching through data to find personal information is a bit like playing the game “Guess Who?” The game consists of asking yes and no questions to determine the identity of a given character. The questions become more specific as you play, and you may be surprised at how quickly you can reveal the chosen character. Data contain similar “little clues” that disclose the identity of people, which is why it is crucial to protect this information against exploitation. Failing to do so may result in steep fines, such as the £20M British Airways was recently required to pay. This was because they did not have sufficient data security measures in place, giving hackers access to customer information.
One way to preserve people’s privacy is through data anonymization, which is achieved by removing identifying information from the data sets. For example, data may be masked (i.e. the real information is replaced with random characters), scrambled, or generalized (i.e. made less precise than the original) in an effort to conceal revealing details.
While anonymization provides a straightforward solution, this approach is not always possible to follow. For clinical trials in the pharmaceutical industry, scientists need to know the identity of participants in order to demonstrate the effectiveness of a treatment.
Why hackers want clinical data ?
Healthcare data are particularly interesting to attackers because it provides a wealth of information that they can use for nefarious purposes.
Medical data often contain personal information that hackers can use for identity theft. For instance, medical records may hold your social security number, which thieves then use to apply for a credit card under your name. You may not realize that this has happened until a while later, by which time the unpaid bills have already damaged your credit.
Health insurance fraud
Attackers may also prey on the vulnerable by carrying out health insurance fraud. In this case, they charge health insurance providers for services that they never provided, capitalizing on specific details about the victim’s condition. Once again, people may not find out about this irregular transaction until they try to access legitimate healthcare services.
Selling records on the black market
Since medical data include plenty of valuable information, many attackers end up selling the information online, with each record being worth as much as $1K. When selling large quantities of records at once, criminals may ultimately collect millions.
How we can keep data safe ?
To protect personal data from these privacy breaches, the European Union has instituted the General Data Protection Regulation (GDPR), implemented in 2018. Among its provisions, the GDPR outlines six principles relating to processing of personal data. According to these principles, personal data must be:
- Processed fairly, and in a way that is transparent to the data subject.
- Collected for a certain purpose, and not used later with different intentions.
- Limited to what is necessary to fulfill the given purpose.
- Accurate and kept up to date.
- Kept in a form that permits the identification of subjects only as long as necessary.
- Processed in a secure way, with protections against misuse or loss.
In the context of the pharmaceutical industry, the GDPR has cemented the need for following adequate methods when handling clinical trial data. In particular, the technology used for storing and accessing data needs to provide functionality that is in line with these regulations. For example, data management systems should be able to erase all of the information associated with a particular subject upon request.
Using technology to protect records
The right technology helps organizations follow the GDPR principles, providing functionality that makes it easy to access, delete, and update information. By using access control and audit trails, companies can protect individuals’ personal data, ensuring that only authorized people have access to records and tracking their history. By setting rules for automated deletion, organizations only keep information for the strict amount of time required for conducting analysis. By updating information through intuitive interfaces, corporations can keep records accurate and easily erase identifying information that is no longer necessary.
ZONTAL provides all of this functionality under a powerful digital hub, equipping pharmaceutical companies to meet strict regulatory standards. Read more about how our solution addresses the different facets of regulatory compliance, and contact us for learning more about keeping data safe.