Henri Ratnik published an article on data protection in medicine

March 11, 2024 News

Henri Ratnik published an article in the Estonian Medical journal Lege Artis about recent data protection infringements and fines in the medical sector in the EU.

In a nutshell – the biggest cases revolved around the “usual suspects”, aka data leaks and malware attacks.
 
One of the largest fines in the medical sector was 1,5 million EUR and this was imposed in France to a company that provides software services to medical laboratories. Namely, there was a data leak, as a result of which the personal data of nearly 500,000 people was leaked. Among the leaked data were people’s names and their health data – including information whether person has cancer, any virus, genetic diseases, pregnancy data, what drugs the person takes, etc. In other words – very sensitive data. During the investigation, the French Data Protection Authority identified several violations of the GDPR: for example, lack of data encryption, etc.
 
Another common issue is the use of malware where the baddies take medical data into hostage, and in exchange for releasing it they ask for money. In Ireland a fine of 460,000 EUR was imposed to a medical establishment for this – because it hadn’t put in place proper organizational and technological measures to avoid such attack.
 
So, what is the moral of all of this? Systems are often accessed through human errors, or sometimes through very sophisticated and planned attacks. It is a complete myth that only large companies are attacked. When the baddie sees a wallet lying on the street, the baddie picks it up and puts it in their pocket. It’s the same with cyber security – if it is possible to attack the system, then it is attacked. And the attack means that very sensitive medical data is under threat which in turn leads to the supervisory authority coming to sniff around, usually leading to a fine.

The article in full length is also available online behind a paywall: https://lnkd.in/d7i_Gva7