Learn to protect your data. Health data owners assure patients through contractual agreements that the data drawn from samples that patients provide will be protected and available only to a few specialised experts. Having spent millions on accumulating that data, it would be professionally negligent as well as ethically unacceptable if data owners processed patient information insecurely. EU law reflects this view by applying harsh penalties to those who don’t respect health data protection rules. High fines coupled with the prospect of very damaging media attention could irreversibly affect public confidence in companies who promise to protect patient information but fail to do so. To avoid such penalties, it is essential to understand the threats surrounding information assets such as health data. eTRIKS’ Angus McAllister understands those threats.

Essential steps to protecting your data

  1. Know what Information Assets you need to protect.
  2. Know what the risks are to your assets.
  3. Develop cross stakeholder engagement to gain full understanding of the threats.
  4. Assess probability and impact of the threats materialising.
  5. Identify the appropriate counter-measures to prevent threats from being realised.

What are the implications of insecure data?

The two most important aspects of health information security that should be considered when assessing threats are data confidentiality and data integrity (although data availability is also important). Understanding the value and sensitivity of your data is a step towards mitigation of any potential threat. Relating each threat to the potential fallout in the event of a breach should provide sufficient drive for any data owner to ensure the security of their health data.

Data Confidentiality – If patient privacy is lost, the consequences could include loss of patient trust in the idea of researchers using data responsibly. Wider news of a breach of privacy would compromise the researcher and associated organisation considerably. Health data are intended for responsible research, and patients are understandably worried about data privacy, data exploitation and data loss.

Data Integrity – Researchers use data to yield new insights into disease. To do this, they need to be certain that the data they have are exactly what they think they are. Researchers need to be certain that their conclusions are true to the original data generated. This ensures research validity and respect in the research community. The corporate world is very interested in this, as integrity is vital to success. This is a pillar of confidence all data stakeholders should hold, including those involved in IMI projects.

How is patient confidence gained?

The confidence issue relates to compliance with both data-related regulations and eTRIKS’ actual commitments in this regard. Patients are encouraged by data owners’ adherence to good compliance with corporate policy, national law and international regulation concerning data protection. There is a pitfall, however: the greater the stringency of compliance, the less a researcher can do with the data. In other words, highly protected data affects utility of data. It is essential to balance compliance with data regulations with the views and concerns of the patient. This can be helped by being well informed on new advances in data regulations and in the methods being used to threaten data security.

How secure is patients’ data globally?

In some cases it is possible to cross-link health data stored in eCRF (electronic clinical report form or electronic health record) format with data stored on common multimedia sites, using common identifiers such as name, location and gender. By doing this it doesn’t take long to generate fairly complete profiles of individuals that could be used illegally, causing any number of patients significant harm. Both those with authorised and those with unauthorised access to health data can achieve this.

As well as the technical IT techniques of using firewalls, data provenance, passwords, intrusion prevention, regular security updates, etc., bioinformatician strategies to protect data confidentiality include pseudonymisation (de-identified data with a separately stored and protected re-identification key) and complete anonymisation of data (all identifiers removed, with no re-identification key available). Each of these bioinformatician measures has advantages and disadvantages. Pseudonymised data can, through special keys, be re-associated with the patient. This reduces data protection (very slightly), but is particularly useful if the data can be used in some way to benefit the patient directly (e.g. if findings from a study suggest a change to a current patient’s prognosis or treatment plan). Once the data has been completely anonymised, it is extremely difficult to relate the data to its source, increasing the level of patient protection but preventing the patient from directly benefitting from the data.

These strategies have particular implications when considering the potential re-use of the data. Data that is completely anonymised can be reused with the appropriate authority, as data confidentiality and patient privacy are at very low risk. However, the reuse of pseudonymised data needs to be considered very carefully, as quite often patient consent forms do not stipulate the reuse of data. This means that prospective new users of health data do not necessarily have direct permission to analyse data already used for the purpose originally specified in the consent. In 2016, a newly adopted EU regulation (the General Data Protection Regulation) will see new users having to obtain patient permission, unless a specific exclusion from the regulation is permitted. Such an exclusion will need to be applied for.
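The two strategies described above (pseudonymisation with a separately held re-identification key, and complete anonymisation for reuse) can be made concrete in code. The following is an added example, not eTRIKS code: it assumes a constructed set of records, treats name, date of birth and location as the direct identifiers, and derives pseudonyms with HMAC-SHA256 under a secret that is stored with the key table rather than with the research dataset. The design choices (HMAC derivation, the 16-character pseudonym length, the field names) are this example’s assumptions.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records for illustration only; no real patient data.
# The same patient appears twice (two samples) to show that pseudonyms stay linkable.
SAMPLE_RECORDS = [
    {"name": "Patient One", "dob": "1970-01-01", "location": "Lyon", "sex": "F", "biomarker": 0.73},
    {"name": "Patient Two", "dob": "1982-06-15", "location": "Leeds", "sex": "M", "biomarker": 1.12},
    {"name": "Patient One", "dob": "1970-01-01", "location": "Lyon", "sex": "F", "biomarker": 0.69},
]

# Fields that identify a person directly (an assumed set for this example).
DIRECT_IDENTIFIERS = ("name", "dob", "location")


def make_pseudonym(record: Dict, secret: bytes) -> str:
    """Derive a stable pseudonym from the identifying fields with HMAC-SHA256.

    The secret is kept with the re-identification table, never with the research
    dataset, so the dataset on its own cannot be reversed, while repeat samples
    from the same patient still map to the same pseudonym.
    """
    material = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict], secret: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Return (research_dataset, reidentification_table).

    The two outputs must be stored separately: the dataset goes to researchers,
    the table stays under stricter access control with the data owner.
    """
    dataset, table = [], {}
    for r in records:
        pid = make_pseudonym(r, secret)
        table[pid] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        dataset.append({"pseudonym": pid, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, table


def reidentify(pseudonym: str, table: Dict[str, Dict]) -> Dict:
    """Look up the patient behind a pseudonym; only possible for whoever holds the table.

    This is the path used when a finding should benefit the patient directly.
    """
    return table.get(pseudonym)


def anonymise(records: List[Dict]) -> List[Dict]:
    """Remove all direct identifiers and any pseudonym, keeping no key at all.

    Nothing is retained that could link a record back to its source, which is
    what makes this form suitable for reuse beyond the original consent.
    """
    return [
        {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS and k != "pseudonym"}
        for r in records
    ]


def contains_identifiers(records: List[Dict]) -> bool:
    """Check that no direct identifier field survived in a released dataset."""
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    secret = b"constructed-secret-held-with-the-key-table"  # placeholder, not a real key
    dataset, table = pseudonymise(SAMPLE_RECORDS, secret)
    print("research dataset:", dataset)
    # A study result for one pseudonym can be fed back to the patient by the key holder.
    print("re-identified:", reidentify(dataset[1]["pseudonym"], table))
    # For reuse the dataset is anonymised; no table exists for it, so nothing links back.
    print("anonymised for reuse:", anonymise(dataset))
```

The check in `contains_identifiers` is the kind of release gate worth running before any dataset leaves the owner’s environment, whichever strategy was chosen.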

Generally speaking patient data are very secure. Authorisation to initiate a clinical trial is exceptionally difficult to obtain. Without it, access to patients for the purposes of research is close to impossible. Clinical protocols for trials have to include the measures taken to protect health data. If a satisfactory security threshold is not met, then there is no support from key regulatory bodies to authorize a clinical trial. Once a clinical trial is permitted, legal measures to ensure health data security are in place to protect the patient. The United States legal system is very tough on health data misuse, because of the link between quality compliance and integrity. There is a fine of $50,000 per record if compromised in the US. In Europe, this varies by country, although penalties can be very harsh. For example, in the UK the maximum fine for lost or compromised data is £500,000. Understandably, the UK’s National Health Service is geared towards reducing risk to data. This is a point of constant focus.

In the UK the Information Commissioner is responsible for enforcing compliance with the Data Protection Act. Most countries have an equivalent body (for clinical and medical data), guided by directives from the EU with respect to data protection. Regulations are adjusted every year, and staying abreast of data protection legislation is a significant challenge. To help with this, official publications have been released regularly to explain the changes. To simplify matters, a new pan-European General Data Protection Regulation will come into force in 2018, providing greater clarity and consistency on data protection across the EU.

Stakeholders are very welcome to use eTRIKS’ health data compliance guidelines

Although company policy and legal regulations are in place, in Europe there is a surprising amount of latitude for security compliance, because the EU does not currently mandate any such technical standards. Those who seek to be compliant have a challenge: they have to make certain assumptions about the level of compliance they should aim for.

There is the minimal approach, to achieve solely the essential compliance standards. The opposite extreme is to try and secure all data comprehensively. In practice, a happy medium is sought. We advocate the Threat Modeling approach, a consultative activity among all IMI project stakeholders using eTRIKS to achieve a consensus with the projects as to which are the most important aspect of compliance to be pursued. This begins with identifying which Information Assets should be protected (scope), moves through a risk assessment, and culminates in adopting appropriate mitigation strategies against those risks. From there we highlight the areas of focus and gain consensus regarding what needs to be implemented to secure owners’ data. This is a good exercise to increase confidence in the client projects. It can also be used to support project stakeholders when subject to an audit for data protection. eTRIKS-supported projects are very welcome to use the eTRIKS compliance guidelines.

What has eTRIKS done to date to enhance information security compliance?

Client projects need expertise in information security and threat modelling to capture security priorities and processes that all project stakeholders can agree to. eTRIKS offers that expertise.

We foster cross-stakeholder engagement to gain a broad understanding of threats to health data. All agreed requirements from sources relevant to industry best practice are placed on the eTRIKS platform. Stakeholder compliance processes are built into how eTRIKS operates. We periodically review the threat landscape and continually engage with the stakeholders to ensure alignment with the important aspects of information security and with the countermeasures necessary to ensure the confidentiality and integrity of the data that eTRIKS processes.

To date we have experienced no negative impact on client project data. We have brought clarity to our supported projects by understanding the underlying needs for processing their data. Client projects must understand that there is a trade-off between data security and accessibility; the goal of eTRIKS threat modelling is to optimise these two points of contention, so that we can enable the researchers to meet their commitments whilst protecting the patient and the patient’s data.