
Can GDPR Really Prevent Data Breaches? Lessons from Facebook’s Crisis and the Rise of Stricter EU Regulations

Mar 30, 2018 08:00 CST

“Good and excellent are separated by a small margin, and that margin is called safety.” Of course, this is by no means referring to some high-end smartphone made of imported Dutch calfskin.


Recently, Facebook, the world's largest social networking site, has encountered its biggest crisis since its inception due to a severe data breach incident.

 

It is reported that Facebook had previously opened its API to allow third-party companies to offer psychological tests and mini-games on the Facebook platform. This led to a scandal in which Cambridge Analytica, a UK-based data analytics firm, misappropriated the personal data of up to 50 million users without their consent.

 

This company was precisely the data analytics firm hired by Donald Trump’s 2016 presidential campaign to conduct analytical predictions and was alleged to have used such capabilities for social media manipulation aimed at influencing voter behavior in the election.

 

Following the incident, Facebook’s stock price fell 11.4% over two trading days last week, wiping $60 billion off its market capitalization in just two days. Rumors even circulated that Facebook could face a staggering $2 trillion fine as a result of the incident, equivalent to four times its current market value.

 

In the wake of this explosive incident, VCBeat has once again turned its attention to data security protection in the healthcare industry.

 

U.S. HIPAA


More than 20 years ago, U.S. healthcare institutions paid a heavy price for many years due to patient information breaches. Against this backdrop, HIPAA was enacted.

 

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, signed into law by former U.S. President Clinton. This Act is the most far-reaching legislation since the Employee Retirement Income Security Act of 1974 (“ERISA”).

 

HIPAA regulates various sectors of the healthcare industry, including transaction standards, identification of healthcare providers, identification of healthcare professionals, medical information security, medical privacy, health plan identification, first injury/illness reporting, and patient identification.

 

Since 2003, more than 171,000 complaints regarding privacy rules have been recorded in the United States, resulting in millions of dollars in cumulative fines. In 2013, Advocate Health System was forced to pay $5.5 million following three consecutive data breaches. Even renowned institutions such as NewYork-Presbyterian Hospital and Columbia University had to pay $4.8 million due to data breach incidents. Currently, this list continues to grow...

 

The Top Five Healthcare Data Breaches in the United States in 2018


Regarding the HIPAA legislation, Susan McAndrew, Director of Health Information Privacy at the U.S. Department of Health and Human Services, once stated, “Since the implementation of HIPAA, there seem to be more problems than before. Some healthcare providers have learned to exploit loopholes in the law; some genuinely do not know how to limit its scope of application, while others with ulterior motives often use this law as a pretext to achieve their own ends.”

 

Clearly, the HIPAA Act has not truly served to prevent data security breaches in healthcare. Even in 2018, the United States saw numerous serious incidents of medical data security breaches.

 

Coplin Health Systems Notebook Data Breach Incident


On January 13, 2018, Coplin Health Systems, based in West Virginia, issued an urgent notice to 43,000 patients regarding a potential serious data breach resulting from the theft of a company laptop by an employee.

 

Technicians discovered the theft on November 2. Although the laptops had been equipped with security tools and password protection, the data stored on the hard drives was not encrypted; a login password alone does not protect data at rest once the drive is in a thief’s hands.

 

The data on the laptop included patient names, Social Security numbers, financial information, home addresses, dates of birth, and medical data.


Note: In the United States, a Social Security number (SSN) is a nine-digit number issued to citizens, permanent residents, and temporary (working) residents, as recorded on the Social Security card pursuant to Section 205(c)(2) of the Social Security Act. This number is issued by the federal Social Security Administration to individuals. The primary purpose of the Social Security number is to track individuals’ tax records, but in recent years it has become the de facto national identification number.

 

Greenfield Hit by Ransomware Attack


On January 15, 2018, Hancock Health in Greenfield, Indiana, suffered a ransomware attack, prompting technicians to shut down the entire network.

 

Shortly after a ransomware notification appeared on hospital computer screens, the hackers brazenly declared that they would hold a certain number of systems “hostage” for an extended period until technicians paid the Bitcoin ransom.

 

In response, the health system’s IT team immediately shut down all networks, including those in physicians’ offices and health centers, to isolate the virus. Relevant technical personnel stated that the hackers were attempting to disrupt hospital operations by using “digital padlocks” to restrict staff access to certain system functionalities.

 

A staff member stated that this attack was highly sophisticated and was not caused by employees opening infected emails.


McAfee Chief Scientist Raj Samani stated, “In terms of ransomware, the healthcare industry may have suffered the greatest losses. The explosive growth of ransomware also originated in the healthcare sector. Hackers will shift from traditional forms of ransomware to more cyber-disruption and service-interruption attacks.”

 

Cyberattack on Oklahoma State University Center for Health Sciences


On January 15, 2018, it was reported that an unauthorized user had breached the network of the Oklahoma State University Center for Health Sciences in November 2017, accessing a folder containing Medicaid billing information for 279,865 patients.

 

Following the incident, technicians promptly removed the affected Medicaid folders from the network.

 

OSUCHS launched an investigation and engaged an external security firm to determine whether these folders had been compromised. The folders contained patients’ names, Medicaid numbers, providers’ names, dates of service, and treatment information.

 

On January 5, OSUCHS began notifying patients via email and established a dedicated call center to address concerns from affected individuals. Due to the cyberattack, the health system also upgraded its security features.

 

Onco360 and CareMed Employee Email Account Data Breach


On January 19, 2018, a hacker breached Onco360 and CareMed, exposing the data of 53,173 patients.

 

The oncology pharmacy company and an external forensic team participated in the investigation of this incident, discovering that a hacker had accessed the email accounts of three employees.

 

These emails contained patient demographic information, clinical data, health insurance details, and Social Security numbers from both companies.

 

Following the incident, the company not only changed email passwords but also provided employees with training on how to identify suspicious emails. Additionally, Onco360 implemented extra security measures on its email platform.

 

St. Peter's Surgical and Endoscopy Center in New York Suffers Malware Attack


On March 12, 2018, a hacker group launched a malware attack on Saint Peter’s Surgery and Endoscopy Center in New York. This breach potentially exposed 134,512 electronic medical records, making it one of the most significant data breaches in the United States in 2018.

 

On January 8, hackers successfully gained access to the Saint Peter’s server. On the same day, technical personnel identified the vulnerability and restricted the hackers’ access to the server. However, it remains undetermined whether patient data was viewed, accessed, or stolen.

 

The leaked data includes patients’ names, addresses, dates of birth, diagnostic information, insurance details, Social Security numbers, and more. Currently, these patients have been provided with one year of complimentary credit monitoring services.

 

Officials did not explain how the hackers installed malware on the servers. Saint Peter’s stated that it would implement stricter information security standards and enhance employee training. Management is also considering more sophisticated anti-fraud and antivirus software.


GDPR, Which Is Stricter Than HIPAA


In the face of increasingly rampant cyberattacks and a continuous stream of data breach incidents, the European Union (EU) will begin imposing hefty fines on companies that fail to comply with the General Data Protection Regulation (GDPR) starting May 25, 2018. This regulation aims to safeguard the privacy and security of personal data for EU citizens. The new rules apply not only to organizations within the EU but also to any entity outside the EU that offers products or services to EU citizens.

 

Unlike HIPAA, which caps penalties at $1.5 million per year for violations, GDPR fines can reach $24 million or 4% of the violating entity’s annual global turnover, whichever is higher. In short, GDPR will have a significant impact on the business processes of a large proportion of enterprises worldwide.

 

While the United States has consistently adhered to HIPAA standards, the GDPR may be a game-changer for organizations seeking to engage users in the European Union. Healthcare institutions and enterprises must carefully manage data flows, cross-border data transfers, and privacy and security monitoring to ensure their services comply with regulatory requirements.

 

Many industry experts believe that the GDPR is perhaps more important than HIPAA, as it not only imposes stricter penalties but also has a broader scope of impact.

 

According to a recent survey by a leading information security company, the healthcare sector in the United States is the least prepared industry for GDPR compliance, with only 17% of healthcare organizations stating that they will adopt new systems to meet the new regulations.

 

Reg Harnish, CEO of GreyCastle Security, a well-known U.S. cybersecurity service provider, has spoken with dozens of healthcare providers across the United States. To his surprise, the vast majority of these institutions were unaware of the significance of the GDPR.

 

Fortunately, there is still time.

 

The Seven Core Elements of the GDPR


1. It Is Not Without Precedent

At the heart of the GDPR is data privacy protection, with many provisions targeting the rights of data owners to consent to and share their data. Although this is not common in the United States, many of the GDPR’s data privacy requirements are familiar within the European Union.

 

The vast majority of GDPR requirements are based on the UK’s Data Protection Act 1998. Therefore, for those unfamiliar with the GDPR, reviewing the earlier legislation can be highly beneficial.

 

2. Develop a Plan

As with most regulatory requirements, healthcare companies or institutions must develop relevant plans. Although the GDPR originates from the European Union, merely adhering to its stringent guidelines and providing a policy framework for the EU is far from sufficient.

 

Healthcare institutions must also demonstrate through evidence of effectiveness that the GDPR has been implemented. Furthermore, plans must show that the organization is progressing toward compliance as detailed in the GDPR. Due to the ambiguity of the GDPR, it is not yet fully clear what specific documents or evidence are required; however, the European Union will provide additional details for institutional reference before the end of the initial compliance period.

 

3. Classify Data

Healthcare enterprises or institutions will be forced to classify their data.

 

Unlike HIPAA, which has already established a definition for electronic protected health information (ePHI), the GDPR remains somewhat ambiguous on this point. However, it is anticipated that the scope of personal data protection will be extensive, encompassing photographs, IP addresses, social media posts, browser cookies, personal preferences, biometric data, and more.

 

4. Data Protection Officer (DPO)

The vast majority of entities affected by the GDPR are required to appoint a Data Protection Officer. The individual appointed to this role differs from a HIPAA Security Officer, as any individual can serve in the capacity of a HIPAA Security Officer.

 

The DPO is more of a role than a full-time position. The GDPR stipulates that the DPO must be an individual with “expert knowledge of data protection law and practices.” This requirement in itself is not problematic, as many lawyers meet this criterion under the Regulation. However, the DPO is also expected to possess security expertise, which significantly raises the threshold for qualification.

 

5. Report Violations Involving Personal Data

The GDPR defines a personal data breach to include the loss, destruction, or alteration of, or unauthorized access to, personal data, and requires that such breaches be reported within 72 hours of identification.

 

6. Provide Data Subjects with the “Right of Access”

The GDPR will require institutions to provide detailed information, upon request, regarding what data is collected and how it is processed.

 

In addition, the GDPR requires organizations to honor the right to erasure, also known as the right to be forgotten. This means that if a data subject requests the deletion of their data, all such data must be deleted, and the organization must also be able to prove that the data no longer exists. The challenge lies in the difficulty of proving the non-existence of something.

 

7. Implement “Protection by Design”

Cybersecurity is often an afterthought, typically implemented only after networks and processes have already been established. This is not the case with the GDPR. The regulation mandates that organizations implement “reasonable” data protection measures to safeguard user security and privacy.

 

The Cybersecurity Law of China


In terms of data security protection, China is certainly not lagging behind.

 

On June 1, 2017, the highly anticipated Cybersecurity Law of the People's Republic of China officially came into effect. As China’s first foundational law to comprehensively regulate cybersecurity management in cyberspace, the Cybersecurity Law marks the establishment of a legal framework for cybersecurity in the country, holding profound and significant implications for safeguarding China’s cybersecurity and maintaining overall national security.

 

For the healthcare industry, the implementation of the Cybersecurity Law of the People's Republic of China will usher hospital informatization into a new stage of development.


As domestic healthcare institutions become increasingly active in participating in standards and assessments such as JCI accreditation, HIMSS, the Electronic Medical Record (EMR) Grading Evaluation, the Standardization and Maturity Assessment of Hospital Information Interconnectivity, and Smart Hospital Evaluations, data security has emerged as a core concern for the industry. The implementation of new technologies, including cloud computing, big data, and artificial intelligence, has also introduced new challenges to the security management of medical data.

 

As managers of medical big data, healthcare institutions shall fulfill their data protection obligations in accordance with the Cybersecurity Law of the People's Republic of China and the current classified protection system for cybersecurity, and shall not disclose patients' medical data information.

 

With regard to the rules governing internet-based diagnosis and treatment activities, healthcare professionals and medical institutions are explicitly required to establish trusted digital medical identities, implement electronic real-name authentication, and deploy data access control information systems. Furthermore, the application of electronic signatures shall be actively promoted to ensure service traceability and the secure operation of diagnostic and treatment data.

 

At the recently concluded 2018 CHINC Conference, the newly issued “Administrative Specifications for the Application of Electronic Medical Records (Trial)” also proposed solutions to address two major risks associated with existing digital signatures:

 

1. Specificity of signature content. At present, no standard defines what content an electronic medical record signature must cover. As a result, Certificate Authorities (CAs) do not check the content being signed for problems during the signing process, which creates the risk of patient identity substitution.

 

2. Integrity of signature content. Because hospitals sign at such high frequency, the Certificate Authority (CA) cannot detect whether each submitted item contains adverse information during signature verification.

 

Both risks can be mitigated by combining signatures with timestamps, so that the identity of the operator and the time of each operation are queryable and traceable.
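As an added illustration of the signature-plus-timestamp mitigation described above (example code written for this page, not part of the original article nor of any hospital, CA or EMR product), the Go program below binds the operator identity, the patient identifier, a digest of the record content and the signing time into one signed payload, so that substituting the patient or altering the time invalidates the signature. The type and function names, the demo key handling and the locally supplied signing time are assumptions of this example; a production system would obtain the time from a trusted time-stamping authority and bind the operator’s public key through a CA-issued certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedRecordEntry is one entry of a hypothetical EMR audit trail. The
// signature covers signer, patient, record digest and signing time together,
// so none of the four can be swapped later without invalidating it.
type SignedRecordEntry struct {
	SignerID    string // operator identity, e.g. a physician's ID
	PatientID   string // patient the record belongs to
	ContentHash string // SHA-256 of the record body, hex encoded
	SignedAt    string // RFC 3339 UTC time of signing
	Signature   []byte // Ed25519 signature over the four fields above
}

// signedFields has a fixed field order, so json.Marshal yields the same
// bytes on the signing and the verifying side.
type signedFields struct{ SignerID, PatientID, ContentHash, SignedAt string }

func payloadToSign(e SignedRecordEntry) []byte {
	b, err := json.Marshal(signedFields{e.SignerID, e.PatientID, e.ContentHash, e.SignedAt})
	if err != nil {
		panic(err) // cannot happen for plain strings
	}
	return b
}

// NewSignerKey makes a fresh Ed25519 key pair for the demo. In a deployment the
// public key would be bound to the operator by a CA-issued certificate.
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRecord signs body for patientID as signerID at signedAt. The caller
// supplies signedAt here (an assumption of this example); in practice the time
// should come from a trusted time-stamping authority, not the signer's clock.
func SignRecord(priv ed25519.PrivateKey, signerID, patientID string, body []byte, signedAt time.Time) SignedRecordEntry {
	sum := sha256.Sum256(body)
	e := SignedRecordEntry{
		SignerID:    signerID,
		PatientID:   patientID,
		ContentHash: hex.EncodeToString(sum[:]),
		SignedAt:    signedAt.UTC().Format(time.RFC3339),
	}
	e.Signature = ed25519.Sign(priv, payloadToSign(e))
	return e
}

// VerifyRecord returns nil only if the signature is valid for exactly these
// fields, body matches the signed digest, and the signing time is not later
// than the verifier's clock plus maxSkew.
func VerifyRecord(pub ed25519.PublicKey, e SignedRecordEntry, body []byte, now time.Time, maxSkew time.Duration) error {
	if !ed25519.Verify(pub, payloadToSign(e), e.Signature) {
		return errors.New("signature invalid: signer, patient, content or time was altered")
	}
	sum := sha256.Sum256(body)
	if hex.EncodeToString(sum[:]) != e.ContentHash {
		return errors.New("record body does not match the signed digest")
	}
	t, err := time.Parse(time.RFC3339, e.SignedAt)
	if err != nil {
		return fmt.Errorf("unparseable signing time: %w", err)
	}
	if t.After(now.Add(maxSkew)) {
		return errors.New("signing time lies in the future")
	}
	return nil
}

func main() {
	pub, priv := NewSignerKey()
	body := []byte(`{"note":"constructed sample, not real patient data"}`) // constructed input
	signedAt := time.Date(2018, 3, 30, 8, 0, 0, 0, time.UTC)
	entry := SignRecord(priv, "DR-0001", "PAT-12345", body, signedAt)
	now := signedAt.Add(time.Hour)
	fmt.Printf("%s signed for %s at %s\n", entry.SignerID, entry.PatientID, entry.SignedAt)
	fmt.Println("original:       ", VerifyRecord(pub, entry, body, now, time.Minute))

	swapped := entry // patient identity substitution with the same signature
	swapped.PatientID = "PAT-99999"
	fmt.Println("patient swapped:", VerifyRecord(pub, swapped, body, now, time.Minute))

	backdated := entry // the time sits inside the signed payload, so this fails too
	backdated.SignedAt = signedAt.Add(-24 * time.Hour).Format(time.RFC3339)
	fmt.Println("time altered:   ", VerifyRecord(pub, backdated, body, now, time.Minute))
}
```

Run it with `go run`; the authentic entry verifies while the patient-swapped and back-dated copies are rejected, which is the traceability property the two risks above call for. The skew check in VerifyRecord is what catches a signer whose clock is ahead of the verifier’s, and that is exactly the gap a trusted time-stamping authority closes in a real deployment.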


While an absolutely secure network may never exist, there is no doubt that the security of medical data sharing is gradually maturing with the emergence of new technologies and the implementation of new regulations. Globally, efforts to accelerate this process are underway.