Recently, healthcare was propelled to jump on the digital ship, resulting in a spike of online consultations. Now, a large part of the population, patients and healthcare professionals alike, has already broken through their first online consultation. With the urgency of the pandemic pushing healthcare to mobilise, ‘let’s just do it’ made perfect sense. It is now time to look at ‘how we do it’ and one aspect of that in particular: ‘How do we do digital healthcare while protecting the privacy and rights of our users?’.
Ludvig Borgvall, Legal Counsel at Visiba Care, joined Visiba Care in 2019 and has since been focusing on safeguarding compliance of the organisation and the product as well as the overall process definition and documentation around information security and privacy. In this article, he provides deeper insight into some of the measures Visiba Care is taking to mitigate risks and ensure that both the product and the organisation are as secure and prepared as possible.
Information security and compliance include both proactive and reactive work. Since the beginning, Visiba Care set out to create a digital platform specifically for healthcare. Ipso facto, we have placed a strong focus on information security from the start. This year, we are taking the next steps to certify compliance of all the established processes and to invest in future improvement by cementing the existing ones and outlining new ones.
To most people, information security evokes thoughts of technological shielding – and that is surely one part of it. The other part, that is equally important but perhaps not as instantly associated, is organisational measures.
In terms of technological measures, developing a platform purely for digital healthcare comes with advantages but also risks. Since conception, we are aware that healthcare professionals process sensitive data with a great impact on people’s integrity. So, whenever we develop our service and new features, we do it with the principles of ‘privacy by design’ and ‘privacy by default’ top of mind, to ensure that we consider data protection and privacy issues upfront in everything we do. This also includes me working closely with our product team to provide legal advice and assist in making risk assessments throughout the development process, from product idea to release. Some examples of features derived from this approach are explained below.
- Access control: Healthcare providers in Visiba Care can easily create their own access controls (i.e. which user should be able to see what type of data) to ensure that the information is only accessible to users with a ‘need-to-know’ the information. For example, the access controls can be configured so that the clinical data is accessible only by users with healthcare professional access and not by users with exclusively administrator access. The platform is developed with silo architecture that affords this vital data segregation. In addition, the platform automatically records logs about the healthcare professional’s access to information in the platform, to allow the healthcare providers to follow up on and investigate any unauthorised access to data in the service, if necessary.
- Two-factor authentication: Two-factor authentication is one of the most secure (and user-friendly) ways to access a service. That is why two-factor authentication, in many countries, is a legal requirement for services including sensitive data such as health data. When using a conventional video platform, while the healthcare organisation may be rigorous about their healthcare professionals’ login methods, the option of requesting two-factor authentication for the patient or guests who log in to a consultation is, unfortunately, not always available. Naturally, poor login authentication carries a higher risk of allowing an unauthorised third-party to access sensitive data about someone else. To ensure the privacy of all our users, Visiba Care has built-in two-factor authentication by default, which gives an extra layer of security, for all users and for every type of communication channel (messaging, video, drop-in), using the most secure tools available in each country.
- Storage limitation: Under the GDPR and other data protection laws, the principles of storage limitation states that you must not keep personal data for longer than you need it. When you no longer need the data, or when you no longer need to identify the individual, you should either erase the data or render it anonymous. Since the process of periodically reviewing and deleting data can sometimes be burdensome, Visiba Care includes a feature which automatically deletes or render certain types of data anonymous in line with predefined retention periods set by the healthcare provider. We are currently developing this feature to allow even more granular retention schedules.
- Data subject rights: The patients or clients of our customers have a number of rights under the GDPR and other data protection laws. For example, they may have the right to access (export data) their personal data and the right to be forgotten (delete data). To assist our customers in dealing with data subject requests, we have designed the platform to allow easy export and/or deletion of personal data about an individual user.
- Integrations: To have a complete digital transformation, it is essential that different systems can communicate with each other. For secure integration, both the technical and organisational requirements are necessary. While Visiba Care has the architecture to support integrations, we ensure that a) the correct/requested data is sent to the receiving system, and that b) this data is encrypted, so that even in transit, it remains private. From an organisational point of view, we always ensure that the integration request is coming from the corresponding authority in each healthcare organisation and of course, that access to this data is allowed in the first place.
Technical security measures are only one component in ensuring the security of personal data and other information. Organisational measures and information security management – both internal and external – are equally important. It is important to remember that an organisation is comprised of its people and its processes but to maintain a high level of information security, prevention, and swift reaction, processes need to supersede its people, to ensure that, even when individuals are taken out of the equation, the knowledge and how to avoid and act on each potential incident remains within the organisation.
At Visiba Care, we are lucky enough to have a high level of professional maturity among our employees. However, we also acknowledge that information security is an ongoing and never-ending project, and that there is always room for improvement. So, this year we are focusing on implementing the ISO 27001, which is a globally recognised standard for managing information security risks, published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). Like other ISO standards, the ISO 27001 standard provides a set of standardised requirements, in this case, for Information Security Management Systems (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving our ISMS, addressing both our people and technology. Its best-practice approach will help us protect our information and the information of our customer in an even more systematic and cost-effective way.
So, in the next few months, we will review our existing information security processes and implement new and updated processes, to ensure that the personal data that we process, as well as our ideas and internal trade secrets, get the long-term protection it deserves. The added flavour to this challenge is to cement our information security foundations in this rapid growth pace that we are experiencing, yet while we still count a more limited number of employees, which gives us an advantage of monitoring our education and easily following up on our processes. Following the implementation, we also aim to obtain an independently accredited certification for ISO 27001, to prove to our customers that our ISMS is aligned with information security best practice.
To keep everyone’s feet on the ground, it is important to circle back to the starting statement: Information security is both about being proactive and reactive – and sometimes being proactive about how to be reactive. The unfortunate truth is that incidents of different extents are bound to happen – and do happen – in every company. Typically, it is a red flag when an organisation does not have any incidents at all, because that indicates that the organisation probably lacks the processes to detect them. What we are irrevocably called and readily willing to do is to a) have processes in place to ensure that errors and incidents don’t happen in the first place – but also to b) establish a system, a team, and processes to ensure that the organisation can recognise and manage the potential incident in an efficient and timely manner.
We have an exciting and rewarding journey ahead of us – especially knowing that a lot of the groundwork has been a core of how we work already. However, the most rewarding aspect is that this is – as mentioned above – an ongoing and never-ending project: We will keep on reviewing and developing our processes over time because, as an organisation, we change and grow and with that, so will our processes and routines. Our focus remains fixed on providing our customers with the best conditions to help them succeed, to empower them, and make such an important endeavour like digital transformation as swift and painless as it can be.