Data, data, data… In a tech-driven world, the collection and application of data has become core to most organisations – so too has its protection. Paul Heath, regional director of UK and Ireland Public Sector at McAfee, discusses the impact of new General Data Protection Regulations (GDPR) and why this might be a very good thing for data management in practices.
For practice managers and GP partners, the challenges around IT and technology can feel never-ending. On top of tight budgets, GP practices must contend with rising demand and user expectations for online services, new connected medical devices, legacy IT equipment and a number of different compliance challenges from the new General Data Protection Regulations (GDPR), ISO270, the Information Governance Toolkit and Cyber Essentials Plus.
In practices, where the greatest priority is to consult and treat as many patients as possible, it’s not surprising that IT best practice – whether that’s downloading updates or avoiding shadow IT – can easily drop down the priority list for doctors. The practice manager, of course, will often assume these responsibilities.
However, WannaCry – the ransomware responsible for the May 2017 worldwide cyberattack – has had a dramatic impact on the consciousness of practice managers, doctors and nurses alike, after 40 NHS Trusts’ services were impacted. With some practices unable to offer anything but emergency services for days, the connection between cybersecurity and patient wellbeing has truly been established.
Just another hoop to jump through?
The introduction of the GDPR further compounds the importance of good cybersecurity in GP practices. The new regulations require organisations to implement minimum standards for the management and protection of data throughout the full data lifecycle, from collection and processing to storage, usage and, finally, destruction. While not dictating specific controls that should be adopted, they will introduce significant penalties for unlawful data processes and data breaches (and not reporting these) post-May 2018.
The impact that this will have on health trusts and GP practices should not be underestimated. For example, if a similar attack to WannaCry were to occur post-May 2018, the affected GP practices would find themselves in breach of the new regulations, as the attack impacted the confidentiality, availability and integrity of patient data.
With the potential financial costs of cyberattacks now so high, understanding how to protect against WannaCry and similar threats in the future is moving up many practices’ extensive ‘to do’ lists. But while the incentive is there, and although there is no shortage of analysis and advice from vendors, many practice managers and GP partners are still asking, ‘Where do I start?’
Help where you didn’t think to look
When it comes to gaining a comprehensive understanding of how best to manage and secure data, another challenge that practice managers are facing may turn out to be the solution.
There’s no question that, to date, much of the discussion relating to GDPR has revolved around its maximum fines of €20m or four per cent of the company’s turnover for data protection and loss, as well as the general unpreparedness of both public and private organisations. As a result, it’s not surprising that many organisations are viewing it as another burden.
However, GDPR presents a significant opportunity for health practices to get a handle on their data management and security. By providing guidelines and motivation, it lets practice managers and GP partners start down the crucial journey of creating an inventory of their data assets, understanding how they’re currently managing and protecting them, and assessing what other steps they can take to ensure appropriate security standards are maintained.
The greatest challenges of 2017
There’s no question that, between GDPR and WannaCry, the way that GP practices manage and protect their data has been turned on its head this year.
But while each is a significant challenge in and of itself, practice managers must look at how understanding one helps resolve the other. This could involve using WannaCry to understand the gravity of risk that GDPR poses to organisations that don’t meet the minimum standards required by the new regulations – or using GDPR as the incentive to bring in the solutions and processes around data management and security that will help prevent such a catastrophic impact on services, should another attack like WannaCry strike the NHS again.
By looking at both challenges concurrently, practice managers can help improve data protection practices and assure greater security against potential disruption from future cyberattacks.