Data Privacy, Cybersecurity: Team Responsibilities

You can watch the video of this presentation here.

Technology and digitalization continue transforming the health industry by allowing stakeholders and patients to take advantage of automate features. While this advancement helps the whole sector, data privacy, ethics and cybersecurity remain a concern due to the delicate information that the health industry manages, agreed industry experts.

“Data protection in the health industry is vital. Even when banks are vulnerated they have the chance to recover the money lost to their clients. With medical information, the patients’ reputation would never be recovered, which forces us to have strict protocols to access information and to manage it carefully. Technology opens tons of opportunities for patients but also tons of risks,” said Pablo Cubela, IT Director of BUPA Mexico.

Information must be protected at three different levels, according to Fernando Gamallo, Director of Information Technology at Laboratorios Sanfer. These are: regulations and a legal framework; companies managing data responsibly ; and at a personal level, having individuals protect their own information.

Health care data breaches are very common across the world. Ninety percent of healthcare organizations lose data due to breaches according to Becker’s Hospital Review. These breaches could be caused both unintentionally or by cybercrooks targeting this kind of companies to access millions’ individual records. The COVID-19 pandemic put the health industry in the spotlight of cybercrooks. According to the 2021 Identity Breach Report, the industry experienced a 51 percent increase in the total volume of attacks when compared with 2019.

Data governance is the pillar of data security, according to Victor Medina, Acting President at HL7 Mexico. Mexico’s public healthcare system lacks data governance as it provides irregular reports and information. Data governance is the capability within an organization to provide and protect high-quality data throughout its entire lifecycle, explained AT&T. “This includes data integrity, data security, availability, and consistency. Data governance includes people, processes and technology that help enable appropriate handling of the data across the organization.”

In June 2009, the 16th constitutional article of Mexico was reformed to recognize the right of every individual to the protection of their private information, access, rectification and cancelation of the data. This norm has two ramifications. First, the Federal Law on the Protection of Personal Data Held by Private Individuals regulates the companies’ use of the information. Second, the Federal Law on the Protection of Personal Data Held by Obliged Subjects regulates the government’s use of the information. The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is the vigilant body for these matters in Mexico. “To have a security plan, first you need to know where, how and who registers data. Then, how and where it is stored, how is it mined, who and when it will be used,” said Medina.

The health sector was the industry most targeted by cyberattacks in 2020, with 44 percent of all attacks. About 61 percent of them occur via identity fraud, according to Guillermo Bilbao, Director of Health Care of Minsait. This makes important that companies’ employees are trained in data protection matters.

“Cyberattacks are more common than you expect. We continuously receive alerts, because a big part of the job is the monitoring and preventing part. Phishing and awareness campaigns to employees keep everyone ready and keep risks as low as possible,” said Cubela.

Prevention and defense play a big role when protecting a company’s cybersecurity. But what happens if the attack is successful? Companies must have an emergency protocol for cyberattacks that defines how they should respond to these situations, according to José Arriaga Murcia, CIO at Tokio Marine Mexico. “Nobody is 100 percent safe even with the best awareness campaigns and prevention. Companies need an action framework, which guides those in charge and tells them what to do. It is important to have backups and be always ready for these situations to happen,” said Arriaga.

The Data Journey

The customer journey, usually defined as the sum of experiences that customers live when interacting with certain brand, has clear marketing purposes. However, Gamallo explains that companies need to create a “data journey” for cybersecurity. “Nowadays, we are constantly under attack. We should create the data journey and make people aware of the value of their information. Responsibility is not only on companies and governments; data protection starts with individuals,” said Gamallo. Key to an effective plan is considering that some data could be valuable for its owner but not for the company holding it and vice versa. Regarding the digital footprint, fewer is better when sharing information on the internet, said Gamallo.

Ethics when handling data are well defined, agreed experts. However, it is up to every company to follow or ignore those ethical norms. Data is very valuable and can be analyzed for academic purposes, clinical research or statistics. “The first step to an ethical use of data is to have the owner’s consent. Then, you just have to follow the law, regulations and bioethics norms. It is important to anonymize that information to ensure that there is no danger if it falls into the wrong hands,” said Medina.