Ethical and responsible use: managing data security

Data management, security and cyber security, or the management and ethical use of the same are some of the issues which will keep us occupied in the coming years in trying to improve the management of healthcare services. To find out how we are doing in this respect, we bring you an interview with Dr Diana Navarro, Head of Research and Innovation at the General Hospital of Granollers. We discussed these issues with her and the challenges she is currently facing in terms of security in relation to the data generated by society and its use in healthcare.

• What are the current security strategies concerning the management of data in healthcare centres?

The current security strategy is based on solutions which people are already familiar with, ranging from installing antivirus software to the use of firewalls on all the organisation’s computers in order to avoid unauthorised access, and mail filters to prevent spam and malicious mail from getting through.

• But aren’t these measures obsolete? Where do you see innovation headed in this area?

These measures are by no means obsolete, on the contrary, they are absolutely necessary. But we need to keep in mind that cyber-criminals are always seeking new ways to exploit vulnerabilities. Therefore, we must work on applying innovative strategies aimed at prevention, rather than current methods which are often more reactive. And user awareness is even more important. If the user is well trained, this is the best tool for detecting and preventing an attack, because we’ve seen how increasingly attacks are designed to trick the user (ransomware).

• What is the current model which regulates ownership of all the data which is generated?

It must be remembered that data relating to health is considered sensitive personal data. If we’re referring to personal data and the free movement of such data, it must be processed in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 of the European Parliament of 27 April 2016 (known as the GDPR) and Organic Law 3/2018, of 5 December Protection of Personal Data.

As for specifically clinical information and documentation, the relevant regulations are Law 14/2007 of 3 July, concerning Biomedical Research, and those of Law 41/2002 of 14 November, regulating patient autonomy, and rights and obligations in matters of information and clinical documentation, in addition to those mentioned above.

In terms of intellectual property of the solutions generated, this is another matter entirely and the regulatory framework is Patent Law 24/2015, of 24 July.

• Do ethics play a part in the new models which are being developed?

Ethics or bioethics must be taken into account in new projects, developments and technologies, and the main ethical postulates and codes of good scientific practice and established behaviour must be followed. There can be no progress in the areas of biomedicine and biotechnology if ethical principles don’t play a key role in the behaviour of the research team and the development of technologies and products. In fact, recently, people are speaking about the concept of “Ethics by Design”, which is similar to “privacy by design”, in which ethics and privacy are the starting point, with the technology developed around them. This ensures that this dimension is incorporated into the very core of the new product/process.

• Is competitiveness compatible with ethics? What governance models are needed to make it possible?

Competitiveness is compatible with ethics and the new social paradigm, in fact, the “ethical” label can make it more even competitive.

An example of new governance models can be found within what is called Responsible Research and Innovation (RRI), which focuses more on anticipating and evaluating the potential implications for society and its expectations regarding research and innovation. Governance models are open, based on co-creation and place the user/patient and their needs at the centre. The new models of governance are ultimately based on the empowerment of society.

• To what extent are healthcare professionals and management prepared to face the next challenges in cybersecurity?

There is an increasing awareness of security. These are the types of projects and actions which allow us to consolidate these concepts and further improve the training of professionals, as they increase the number of connected users and the type of devices they use to connect. Security is essential so that our patients can continue to fully rely on us and therefore we can empower them.

• What preventative measures has your organisation adopted?

The preventative measures which we have today are the result of the long history of our service and therefore they have been developed over a considerable period. The world of security is constantly evolving, which means that we must constantly reinforce the measures which are already in place and assess whether new ones need to be adopted. It is on this last point that the European projects in which we are participating can help us to look ahead to our new cyber-security needs.

• Curex and SecureHospitals complement each other. What are the main results you expect?

The concession of projects of this level is a reflection of the General Hospital of Granollers’ commitment to the promotion of Research and Development. Turning them into a strategic tool for the institution not only for the prestige they represent, but also as a guarantee of the centre’s scientific excellence, given the high level of competition which exists in such European projects.

The work which takes place in these two projects will help us continue to promote digital transformation in our hospital and also help us progress in the digitalization of the Catalan healthcare system.

In particular, the technological development involved in the CUREX project will potentially be used in hospitals and health centres providing the necessary mechanisms to carry out data transactions in a secure manner.

Finally, with the SecureHospitals project, we seek to improve the sensitization of healthcare professionals to the risks but also to the existing protections available to improve cyber security in our hospitals.