In a highly regulated industry like healthcare, ensuring that applications and technologies are compliant and secure is a significant task.
Safeguarding personal and sensitive information while meeting the requirements of different jurisdictions is a demanding process and one that continues to grow in complexity. With health data commanding a premium among criminals, cyber security is a growing concern for all involved with healthcare information. Evolving regulatory landscapes are also necessitating that developers take a proactive approach towards building data environments that meet the required regulations on privacy, data handling, and governance.
In both Europe and North America, the potential costs of regulatory infringement or data loss are substantial, not to mention the massive impact that negative events can have on client/user trust and business reputation. It is therefore imperative that HealthTech solution providers educate themselves and seek the necessary expert guidance to ensure that they can successfully navigate potential risks.
Robust and compliant HealthTech data management strategies
The practical steps that HealthTech developers can take to ensure they have a robust and compliant data management strategy were the topic of a recent panel discussion for members of our HealthTech Networking Club.
During the event, industry experts spoke about the different strategies businesses can take to embed privacy and security at the heart of their operations. Following the discussion, we asked our panel to review some of the key policies that HealthTech developers should be implementing:
We began by asking our panellists to share their top recommendations when it comes to data management and privacy issues for HealthTech companies.
“Get ready to show compliance to many stakeholders,” commented Jovan Stevovic, CEO/Founder of compliance partner Chino.io. “This includes your customers, end users, investors, distributors, certification bodies, approval bodies.”
“Start by doing research on what laws apply to you. For EU companies this will most likely be GDPR, and for those in the US it is worth determining whether HIPAA applies. From there, reach out to experts to help with any doubts, as exploratory calls can really help to determine what strategies you should be taking. At the end of the day, you are building a data-driven business, which means data management and risks are at the core of what you do,” continued Stevovic.
Larry Trotter, CEO of Inherent Security, added that the first step for any developer should be to “develop data flow maps and network diagrams of the IT infrastructure to get a clear understanding of how data traverses the network, including external parties.”
“Using this information, organizations should develop an asset inventory list of systems and the data they store, process, or transmit, which helps identify all data types managed, reduces data duplication, prioritizes security, and informs the data contingency strategy.”
“By performing these two steps, a better understanding of the types of data managed is gained, providing insight into the security and regulatory requirements, e.g. HIPAA, GDPR, etc. Once understood, ensure the correct documentation to govern operations is developed. Communicate and train the workforce on these privacy practices,” commented Trotter.
Alexander Roussanov, a lawyer specialising in healthcare technology, reinforced the comments from the other panellists, suggesting that HealthTech companies need to implement data protection, privacy and security compliance and requirements from the very start, through a policy of ‘privacy by design’.
“Map and be aware of all personal data processing operations, including trans-national transfers conducted by your company and, very importantly, your vendors,” suggested Roussanov. “You then need to prioritise following GDPR developments and guidance by the competent authorities (e.g., EDPB, ICO, European Commission) as the compliance landscape changes very dynamically.”
When it comes to putting this advice into practice, our panellists had several further suggestions that developers should always consider.
“Developers should start by identifying someone who has the capabilities and knowledge to implement a compliance program. This increases the trust when speaking with clients and reduces the chances of resources implementing controls incorrectly,” advised Trotter.
“If we are talking from the development side of the business (technical hands-on), the developer should ensure that the proper access controls are in place for code repositories, develop a Software Development Life Cycle strategy (including testing against OWASP Principles), and practice Secure Code strategies,” he added.
Stevovic suggested a similar starting point: “Identify concrete requirements (technical, legal and organisational) that you will need to make your products compliant and saleable. I suggest that only then you make big choices like who is going to be your cloud provider. Once the cloud provider is chosen and you understand what you need to do on the technical side, you move on to define the architecture.”
“Set up proper architecture. The most impactful aspect of the development of your software is the architecture, i.e., the cloud, building blocks, tools, DB, API, proxies, logging, and all components gluing the thing together so it can be compliant, and it can scale,” detailed Stevovic. “Establish whether you are processing lots of sensitive data. If so, you will need to find someone to act as your DPO [Data Protection Officer]. This is often one of the trickiest aspects for digital health startups, which is why we are launching our own DPOaaS product.”
In summarising the advice, Stevovic highlighted the steps a developer should take to begin embedding data security and policy at the heart of their HealthTech operations:
- Spend some time learning and talking to the experts out there. The first advice is typically free, and you can collect tons of information to get an idea of the landscape and the available offering.
- Choose the right partners that can offer you legal and tech support. You will need support from experts, but their expertise can vary a lot based on their background and the type of businesses they are used to working with.
- Put budget aside because help will be required, and things become more complicated over time (not simpler).
- A practical note could be, avoid using US cloud providers [for European developers] in these uncertain times, enable 2FA whenever possible for everyone, enable the security features from your main software providers, avoid sharing personal data in general, talk to your employees about the ‘dos and don’ts’ of handling user data – there is a lot of low hanging fruit there.
Evolving Healthcare Technology Data Regulations
All our panellists agreed that data compliance and management regulations for HealthTech will continue to become more complex, and as a result it is essential that developers grasp the opportunity to prepare for those changes ahead of time.
“I definitely see the landscape getting stricter with the HIPAA standards. As of now they are outdated, as the technology landscape has changed, especially with more adoption of cloud services. I wouldn’t be surprised if a ‘HIPAA certification’ surfaces in the future,” commented Trotter, referring to the state of regulation in the U.S.
Stevovic described a similar situation in Europe: “Regulations are becoming more and more complex. GDPR is still stabilizing with local implementations and clarifications on some rules. The ECJ defined US cloud providers as illegal in many cases like the DVG in Germany (following the Schrems II case); the ePrivacy Regulation is on the horizon [new laws relating to Cookie usage]; Health Data Space program; AI directive; and many regulations in the US and worldwide are popping up.”
“For B2B companies mostly, we also expect tougher but more standardized assessments by your customers: pharma companies, hospitals, insurers, and all potential customers are providing tougher and tougher assessments on providers like startups, asking for more details and due diligence. However, the assessments are becoming increasingly standardized and companies like ours are offering semi-automated support to pass them,” Stevovic continued.
This is where improved access to tools like the solutions and services offered by Chino.io and Inherent Security can save start-ups huge amounts of time and potential costs by streamlining these compliance issues through affordable integrated solutions and access to specialised expertise.
With thanks to our panel members
Jovan Stevovic CEO of Chino.io
Chino Srls is an Italian cybersecurity and cloud technology company that helps digital health companies and others become compliant with all regulations relating to processing sensitive data. They offer a unique combination of legal and technical expertise and a bespoke compliance toolkit (built on the Chino.io development platform). This allows them to offer companies a complete solution to all their compliance problems relating to legislation like GDPR, HIPAA and MDR.
Larry Trotter II, Founder of Inherent Security
Larry has transformed Inherent Security from a consultancy into a cybersecurity company through partnerships and technology. Today the company leverages its healthcare and government expertise to accelerate compliance operations for businesses.
Alexander Roussanov, International Partner, Arnold & Porter
Alexander Roussanov focuses his practice on a broad range of issues related to the life-cycle of medicinal products and medical devices. His experience includes product classification, authorization and conduct of clinical trials for medicinal products and clinical investigations for medical devices, marketing authorisation for medicinal products and CE marking of medical devices, pharmacovigilance and device vigilance, marketing and promotion activities, privacy and data protection counselling, and interactions with health care professionals.