
How the GDPR Affects the Medical Device Industry

Apr 02, 2019

Like many industries, the medical field is becoming more and more reliant on information and analytics to improve its services and find better ways to serve the public. But complying with data protection requirements means more than just passwords and virtual locks, especially for an industry whose purpose is to take care of the physical and mental well-being of humans.

More than 20 years ago, the Health Insurance Portability and Accountability Act (HIPAA) was implemented, pushing medical providers and professionals to be more aware of the price of private medical information. In 2013 alone, data breaches incurred a total of $5.5 million in costs for the Advocate Health System, while the New York Presbyterian Hospital and Columbia University had to settle almost $5 million in charges due to a 2010 breach. It’s astounding to think how much sensitive information was compromised at their hands. Now, with countries and different fields becoming increasingly interconnected, medical companies aren’t the only ones accountable, which brings the General Data Protection Regulation (GDPR) into the picture.

It has been a year since the GDPR was put into motion by the European Union (EU), helping ensure the protection of EU citizens’ personal data. For the uninitiated, the GDPR sets a gold standard for data privacy. And although it was implemented by the EU, its scope reaches far beyond its geographical borders. If your organization processes any EU citizen’s data, then you are affected no matter where that data is mined or collected. In addition, more and more states in America have begun enacting similar laws protecting users' privacy, and it is only a matter of time before the GDPR standard is made law across the country.

Unlike HIPAA, which has a maximum penalty of $1.5 million annually, GDPR fines can reach $24 million or 4% of the violator’s annual global revenue. That’s a sizeable dent and can have an immense impact on how you conduct your business. But more than just finances, the GDPR recognizes that data is and will always be its owner's prerogative. In other words, the regulation makes sure that personal information controllers and processors, like those of us in the medical device industry, cannot simply process patient data at will, as patient consent for processing is required. Moreover, it also puts emphasis on the task of data governance among companies, as sensitive personal information from patients must be protected to the highest of standards, and any breach must be responded to accordingly. Because of all this, medical devices must be designed in such a way that healthcare institutions and professionals are able to abide by the regulations. It also stands to affect clinical trials (see Understanding & Implementing New EU Clinical Trial Regulation & GDPR).


Therefore, medical companies must recalibrate or upgrade their data management framework to be aware of and manage supply chain attacks even before they hit. The system must be adapted in such a way that it allows all patients to exercise their GDPR rights, from being informed of the processing of their data all the way to their right to be forgotten once the medical service has been completed. Companies and management departments must also regularly conduct risk assessments, which entails thoroughly screening all partners and parties involved: your suppliers, your employees, and anyone else with access to the database and the medical devices.

With regard to data security, Maryville University’s industry outlook for cybersecurity professionals highlights how the industry is one of the most lucrative job markets right now, with professionals commanding an average salary of nearly $6,500 more than other IT workers. That gives you an idea of how much it costs to invest in top-tier security. But this is a small price to pay in exchange for the safety and privacy of individuals, not to mention the hefty fines that the GDPR and other current and future privacy regulations will enforce. Some general best practices that can help you jumpstart your security strategy are setting up firewalls, anti-virus and anti-malware solutions, encryption technologies, and network segmentation.

On top of this, medical companies should ensure that they are assessing their GDPR data life cycle. Though compliance doesn’t automatically equate to good security, having a strong security foundation means you aren’t paralyzed or helpless in the event of a data breach.
