When it comes to patient data security, the first point to stand out is the protection of the CIA triad: confidentiality, integrity, and availability. These three fundamentals gained even greater importance with the General Data Protection Law (LGPD), which comes into force in August 2020.
This article explains what these three pillars consist of, how they apply in the health field, what changes with the data protection law, how medical clinics can guarantee the safety of patient information in telemedicine services, and which factors to be aware of when hiring such a service.
Pillars of the patient data security
The fundamentals of information security are independent of the format in which the information is made available (in written form, in images, or in video, for example); they concern the security of the information itself. Each of the pillars is explained below:
Confidentiality: ensuring that only authorized persons have access to the information.
Integrity: the guarantee that the information is in its true form and can only be changed by authorized persons.
Availability: ensuring that the resource or data is available whenever it is needed.
Patient data security in telemedicine
The process of issuing remote reports, that is, telemedicine, is carried out by transmitting exam data directly from the equipment to a medical center. After the specialist doctor approves the exam, the center automatically returns the report to the clinic that requested it. For this whole process to occur successfully, it must take place in a reliable and safe environment.
It is important to note that the LGPD places responsibility for personal data on the entire chain. This means that if there is any failure to protect the information, or any misuse of the data, both the contracted information technology (IT) service provider and the contracting party will be held liable for the incident. When hiring a telemedicine service, the clinic or hospital must make sure that the provider guarantees and complies with all the fundamentals mentioned above.
How to ensure the protection of patient data
But what guarantees the protection of the information and that these fundamentals are respected? There are some technical requirements that systems should meet to ensure the safety of patient data:
End-to-end encryption – Encrypting means scrambling a message at the source to the point where it is unintelligible, and decrypting it at the destination, where only someone who holds the correct decryption key, that is, only someone authorized, can read it. To ensure the safety of patient data, this must be done at every stage of the process: from obtaining the exam on the equipment, to delivering it to the doctor, to returning the report (when it is done via telemedicine), to storing the exam, and finally to the clinic and the patient accessing that information. To guarantee data confidentiality, encryption must be in place at every point.
File transfer validation system – Once a clinic's examination is uploaded to the system, some kind of checksum or hash validation is needed to guarantee the integrity of the data delivered to the doctor, that is, that the file has not been altered or corrupted during the process.
Secure storage system – It is important to check whether the server has a secure storage system for these exams, so that the data is available when needed. It is worth remembering that, according to Resolution 1.821/07 of the Federal Council of Medicine (CFM), all image examinations and reports remain the responsibility of the health institution for 20 years, so it is important to hire a good partner in order to retain access to this data even after such a long time.
Individualized access – It is also important that all user accounts and passwords registered in the system meet a high security standard, to prevent any account from being misused. In addition, each user should have their own profile, with permissions granted according to the needs of their role.
Traceability – All data exchanges between doctors, the clinic, and the telemedicine service must be stored together with the respective users and dates, for future audits.
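As an added illustration of the file transfer validation and traceability points above (example code written for this article, not from any telemedicine provider): assuming a key shared between the clinic and the medical center, it shows how a plain SHA-256 catches corruption in transit, how an HMAC additionally catches deliberate alteration of the file together with its hash, and how the outcome is recorded for audit. The exam bytes, key and user name are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: a small "exam file" as the clinic's equipment would upload it.
EXAM_BYTES = b"DICOM-like exam payload: patient=PLACEHOLDER-ID, modality=CR, ..."
# Key shared between clinic and telemedicine center (placeholder, not a real secret).
SHARED_KEY = b"placeholder-shared-key-rotate-me"

def sender_manifest(data: bytes, key: bytes) -> dict:
    """Clinic side: produce the integrity manifest that travels with the file."""
    sha256 = hashlib.sha256(data).hexdigest()
    # The HMAC binds the file to the shared key, so a tampered file cannot simply
    # be shipped with a recomputed plain hash.
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"sha256": sha256, "hmac_sha256": tag, "size": len(data)}

def verify_transfer(data: bytes, manifest: dict, key: bytes) -> tuple:
    """Center side: check the received bytes against the manifest.
    Returns (ok, reason) so the caller can log the outcome for audit."""
    if len(data) != manifest["size"]:
        return False, "size mismatch (truncated or padded in transit)"
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return False, "sha256 mismatch (file corrupted in transit)"
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # compare_digest avoids timing side channels on the tag comparison.
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return False, "hmac mismatch (file or manifest altered by an unauthorised party)"
    return True, "integrity verified"

def audit_record(user: str, action: str, outcome: str) -> str:
    """Traceability: one JSON line per exchange with user, timestamp and result."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "outcome": outcome,
    })

if __name__ == "__main__":
    manifest = sender_manifest(EXAM_BYTES, SHARED_KEY)
    print(verify_transfer(EXAM_BYTES, manifest, SHARED_KEY))
    # Simulated corruption in transit: one changed byte.
    corrupted = EXAM_BYTES[:10] + b"X" + EXAM_BYTES[11:]
    print(verify_transfer(corrupted, manifest, SHARED_KEY))
    # Simulated tampering: the attacker recomputes the plain hash but lacks the key.
    forged = dict(manifest, sha256=hashlib.sha256(corrupted).hexdigest())
    ok, reason = verify_transfer(corrupted, forged, SHARED_KEY)
    print(audit_record("dr.placeholder", "receive_exam", reason))
```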
Important factors to consider when hiring a telemedicine company
When hiring a telemedicine service, it is important to check if the company offers:
A secure password – check the complexity required of passwords for the telemedicine service, which must contain letters, numbers, and special characters, and whether there is a policy to change passwords after a certain period, such as every six months.
User registration – find out whether the clinic manager has the autonomy to create and block users.
Encrypted access – check whether the application uses HTTPS, that is, whether the browser shows a padlock indicating that the connection is secure.
Messaging applications – check that the telemedicine service does not use free messaging applications or e-mail to send reports. Once a free third-party service is involved, the confidentiality of the data is lost, because you lose control of who will handle the data and where it goes.
Data storage – it is also necessary to check which cloud the telemedicine provider uses to store all this data. Is that environment already compliant with another data protection rule, such as HIPAA (Health Insurance Portability and Accountability Act) or the GDPR (General Data Protection Regulation)? If so, this is a positive point, as it shows that the environment is already in line with legal requirements.
As discussed in this article, patient data security is no longer just an ethical issue. It has become a legal obligation, subject to fines that can reach very high amounts.
Responsibility for this information is no longer exclusive to IT companies. Therefore, health clinics, hospitals, and other institutions in the field need to become familiar with this process and carefully look for companies that comply with all the imposed requirements.