June 2017

What happens to personal health data?

Patient data in the healthcare sector

We would like to take this opportunity to give you a brief explanation about data storage in the healthcare sector and the associated challenges.

What happens with sensitive and other personal information?
Doctors, hospitals and other health organisations collect data about their patients. Doctors have patient records, which contain medical, sensitive information, and which they share with the hospital or other authorities, if deemed necessary or appropriate. All those data are recorded and stored somewhere. The rule here is: sensitive data – which doesn’t just include medical data but also religious or financial data, for example – may be stored outside the healthcare institution, but they must remain in Europe. To avoid potential problems in these uncertain ‘exit times’, the safest option is to store data in Belgium.

It is advisable to store the backups of the data in Belgium as well. LCL has three data centers in Belgium which, in accordance with the regulations, are located at least 25 kilometres apart. This means that, in the event of a disaster, backup data remain unaffected.

Will the new privacy regulations which come into force in May 2018 change anything?
The new privacy regulations (General Data Protection Regulation, GDPR) will come into force in May 2018. The GDPR outlines how you should handle personal data. If you do not comply with the regulations, you could be faced with huge fines! Healthcare facilities are obliged to store data for a certain amount of time. Patients also have the right to access, review and adjust their data, and in some cases a person may have the right to be ‘forgotten’. As such, the right information needs to be – and remain – available. It’s extremely important to update backups whenever the primary data are updated, so you can rest assured that the backup is up to date in the event of a crash.

LCL ensures that your data is stored securely by using high-security buildings, the latest fire-extinguishing systems and power backup systems. Every month we test the backup installation by turning off the power. It’s also possible to take out cyber risks insurance.

Connectivity and secure connection
Processes and procedures in the healthcare sector are becoming increasingly computerised and automated. The sector is evolving towards a completely electronic patient record. Good connectivity is essential for providing data access to the various parties who need patient information, such as general practitioners and pharmacists. Connections provided by professional data centers are, by definition, excellent. That’s not always the case for internal, non-professional data centers or server rooms. The connection to the data is often more important than the connection to the hospital itself. If there are few connection possibilities on site at a healthcare institution, it’s also an option to store all the data at a different location (e.g., at a data center), and provide access to that information via a secure connection. This can be done via a VPN (virtual private network), a secure connection that allows you to consult or send data fast and in real time. Doctors or nursing institutions can also exchange data with other health institutions or the government via a VPN. Data that are sent via an insufficiently secure internet connection, on the other hand, can be intercepted and abused.

If hospitals, nursing homes, retirement homes or other healthcare institutions merge, the easiest way to provide all parties with access to the information is to centralise the data. This simplifies security processes and makes it easier to stay ‘GDPR compliant’. It’s also much easier to manage a single system and software. Centralising data is a great opportunity to bring everything under one roof in a data center.

Strict requirements
If, for instance, a hospital has a server room in its cellars, that poses a safety risk for the rest of the building. After all, patients are less mobile, which makes the evacuation process more difficult. The fire brigade may decide to carry out expensive modifications to the building, or even to close the hospital due to the risk of a fire breaking out in the server room. A hospital has to comply with stricter requirements than an ordinary company.

Hospitals may also fall victim to a false sense of security. Some healthcare institutions store their data in the public cloud. They then encrypt them and think that they’re safe. But that is not enough. Any form of encryption can be cracked. Only the private cloud is secure. For comparison: 79% of listed companies are already using a private cloud, and that usually concerns non-personal information for which the GDPR regulation doesn’t actually apply.

What does the future hold for information in the healthcare sector?
The healthcare sector keeps evolving, as is evident from the development of health apps and other technological innovations. These changes may have implications for data storage. Robots are already packing medication for individual patients, which means that it is hugely important that external suppliers and pharmacists have constant, secure and mutually agreed access to the most up-to-date patient data. Backups, too, should always be up to date. There are also a number of devices, such as pacemakers and insulin pumps, which can be controlled remotely, i.e., they connect to the data center of the company that controls them. A secure connection and secure data storage are absolutely essential for maintaining access to the data and preventing such tools or implants from being hacked.

Thanks to Luc Seyssens, telecom and connectivity specialist and member of the board of directors of various health authorities.

