Defending the privacy of your healthcare data

Setting privacy standards and raising awareness of data privacy and security will be key for the healthcare sector, which has been the victim of major data breaches in recent years

News of data breaches and leaks around the world has become so frequent that the public has become somewhat desensitised to it. Some 37 billion records were compromised in 2020, a 141% increase compared to 2019, reported data intelligence agency Risk Based Security. It also found that healthcare was the most victimised sector last year, accounting for 12.3% of reported breaches.

In the Philippines, the National Privacy Commission (NPC) was established to increase data privacy awareness across all sectors. It serves as a privacy watchdog, overseeing compliance of the country with international data protection standards.

Its role has been made even more important during the pandemic. Digital and ICT tools were widely used in the fight against COVID-19, but also exposed vulnerabilities in data protection governance.


“Governments capitalise on the benefits of ICT through the installation of technological health solutions like telemedicine and digital contact tracing. ICT indeed continues to prove itself as a great asset in the bid to control the spread of the disease,” said Attorney Ace Reblora, from the NPC’s Legal Division.

“This, however, does not come without a price. Telemedicine and digital contact tracing of course require the processing of personal data. And with more data processed online, the people’s right to privacy and cybersecurity becomes more vulnerable than ever.”

To mitigate this risk, the NPC works closely with the Department of Health (DOH) on guidelines concerning the use of such technological health solutions and the implementation of policies and protocols during the pandemic. It has regularly issued circulars and guidance over the past year on how entities should manage and protect personal data collected for COVID-19 related programmes. One example is a bulletin on proper data collection practices for vaccination exercises, which reminded health facilities and local government units to obtain consent from users before processing personal data and to establish appropriate security safeguards, among other measures. The NPC is also closely involved in the implementation of the government’s contact tracing app StaySafe.PH, to ensure that privacy is considered at every stage.

The current data security environment

Attorney Reblora noted that over the past few years, the Philippines’ healthcare providers have paid more attention to data security, especially during the pandemic.

“Through the efforts of the National Privacy Commission and its partnerships with government and non-government institutions, data privacy awareness has increased dramatically over the years as evidenced by increased compliance rates across all sectors,” she said.

The Philippines’ healthcare cybersecurity efforts were given a boost in 2018 when the NPC set up a Data Privacy Council, a multi-stakeholder consultative body composed of representatives from different sectors. This sector-based regulatory approach promotes data privacy accountability, closely engaging the key privacy professionals across 21 unique sectors to further advance the practice of personal information protection and compliance. The healthcare industry is segmented into Health and Hospitals, Health Maintenance Organisation, and Life Insurance sectors.

However, Attorney Reblora is keenly aware that there remains “a lot of room for progress and evolution”, with data privacy still a relatively new concept for many in the country. For example, the country is yet to see the issuance of a health privacy code that would set industry data privacy standards, she noted.

Collaborations locally and abroad

In terms of its ongoing work, NPC has tied up with organisations locally and internationally to boost its efforts in data privacy and protection for Filipinos.

Besides the close partnership with DOH, NPC has signed a Memorandum of Agreement with the country’s Cybercrime Investigation and Coordinating Center (CICC) to conduct staff training and development programmes.

Attorney Reblora pointed to a Memorandum of Understanding signed with Singapore’s Personal Data Protection Commission, facilitating cooperation on the exchange of information and mutual assistance for investigations. Another was signed with the UK’s Information Commissioner’s Office earlier this year for a partnership on privacy and data protection matters.

On the global level, the Philippines’ Privacy Commissioner is the current Chairperson of the Global Privacy Assembly (GPA) Working Group on COVID-19. The group was organised to influence global policy discussions on data privacy amid the COVID-19 pandemic.

Education and training will be another key aspect of cybersecurity. With the rapid growth of AI and connected devices in healthcare, more frequent and sophisticated cyberattacks can be expected in the future. The key to a strong defence would be high issue awareness amongst all stakeholders, said Attorney Reblora.

“It all starts with ensuring that personnel – top to bottom – are educated about basic data privacy principles and trained in how to deal with security incidents and data breach. As they say, an organisation is only as strong as its weakest member. Promoting a culture of data privacy within organisations is the best way that one could ever prepare for future situations.”

At the upcoming HMA 2021 conference, Attorney Reblora will be part of an expert panel discussing how hospitals can secure their cyberspace amidst the increasing use of AI technologies in the sector. This session will be held on 16 September (Thursday) at 8.45am (SGT). For more details and to register, visit the HMA 2021 event page.