Tuesday 22 November 2016

GDPR – What’s it all about and how does it affect me?


One of the hot topics I get asked about at almost every customer meeting these days is GDPR.

With the Secretary of State, Karen Bradley MP, having confirmed in the last few weeks that the UK will be implementing the EU General Data Protection Regulation (GDPR), I thought now would be a good time to share some information on this highly complex piece of legislation, which is causing sleepless nights for so many business owners and directors.

By way of background, GDPR has been developed to reflect the changing use of data in the digital world in which we now live. The digital economy is built primarily on the collection and exchange of data, including large amounts of personal data, much of it sensitive, so there is a need to protect citizens' privacy rights. GDPR is designed to let citizens benefit from modern digital services while providing sound, well-formulated and properly enforced data protection safeguards that mitigate risk and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Whilst these aspirations are to be lauded, there is much concern amongst the business community as to the reality of understanding and implementing the legislation within their businesses. The date from which the regulation applies, 25th May 2018, may still seem a long way off, but the changes it requires many businesses to make are so far reaching that 18 months will be barely enough time.

The GDPR represents the most fundamental change in data protection legislation in the past 20 years. Unlike the 1995 Directive it replaces, it is a regulation that applies directly and uniformly across the EU, giving Europe's 500,000,000+ citizens a single set of enforceable data protection rights. The implications are far reaching and will have a major impact on businesses of all sizes. The impact is business-wide, affecting not just IT but every part of the business from sales and marketing to HR.

The new legislation also gives the regulator real "teeth" in terms of enforcement. If you do not comply with some of the fundamental provisions, such as obtaining the necessary consent, you can be fined up to 4% of your total worldwide annual turnover or €20 million, whichever is greater. Penalties of up to €10 million or 2% of your total worldwide annual turnover, again whichever is greater, apply for failing to put adequate security in place or for failing to report breaches when they occur.

To put this in context, the PCI Security Standards Council warned that had GDPR been in place last year, fines as high as £122 billion could have been levied against UK organisations based on the number of cyber security incidents in 2015. This month's high-profile data breach at Tesco Bank alone could have attracted fines of almost £2 billion had it happened under GDPR.

And it is by no means just big businesses that are affected. In fact, of the £122 billion of theoretical fines, £52 billion would have related to SMEs.

The new legislation also requires that businesses notify most data breaches to the Data Protection Authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only breaches exempt from notification are those unlikely to result in a risk to the individuals concerned, and a reasoned justification must accompany any notification that misses the 72-hour window. In practice this means you need a tested incident response process in place before a breach happens; 72 hours is not long enough to design one from scratch.

Consumers affected by a breach will also need to be notified without undue delay where the breach is likely to result in a high risk to them, for example an increased exposure to identity theft or financial fraud. This in turn leaves companies highly exposed to brand damage and potential customer payouts.

The level of fines and the potential reputational damage of forced disclosure has made the EU GDPR a board level issue rather than an IT issue.

It is a highly complex area, where the legislation is deliberately non-prescriptive (i.e. it does not mandate a specific technology or security control), as the lawmakers have realised that, to achieve its end goal, the legislation needs to be broad enough to cover the multitude of ways that different businesses use data and the constantly evolving risks to that data, such as cyber crime.

Whilst this makes the legislation more powerful, it also makes implementation more complex, especially for small and medium-sized businesses, which do not necessarily have the in-house expertise to unravel the legislation and apply it in the context of their own data and IT systems.

In fact, many of the small and medium-sized businesses we are working with are just starting out on the journey: first identifying what personal data they hold (which can be as simple as an individual's name or email address) and where that data is held, including copies in email, spreadsheets, backups and third-party cloud services.

From there, we are working with them to put in place the processes, procedures and technology needed to be GDPR compliant. Whilst it is not a short or particularly easy process, such safeguards are a business necessity to survive and thrive in the digital era, and indeed a necessity for any business owner in the face of the potentially crippling fines and reputational damage that a data breach will cause under GDPR.

If you need any advice with assessing your readiness for GDPR, or with implementing or updating your policies, plans and technologies to be fully data protection compliant, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

Tuesday 8 November 2016

HIPAA Compliance - What your Pharmaceutical Business needs to know about Ransomware.


In my last blog, I discussed cyber security in relation to GxP. This week I wanted to focus on one particular security threat that is very prevalent at the moment and growing at an alarming rate: ransomware.

This particular type of cyber crime impacts heavily on both GxP and HIPAA compliance, and as such it is vital that the boards of pharmaceutical companies understand what the threat is, how at risk they are, how to mitigate the risk of being attacked, and what their plan would be to handle the situation were they to be the unfortunate victim of such an attack.

Ransomware is a form of malicious software (malware) which effectively hijacks your data by encrypting it and demanding payment of a ransom in return for the decryption key. Paying is no guarantee that a working key will be delivered, which is why the recovery plan described later in this post matters so much.

Email attachments and links in emails are the most common ways for ransomware to enter an organisation, but it can also enter via business applications, websites, USB sticks or social media.

According to research by Osterman Research Inc carried out in June 2016, 54% of organisations in the United Kingdom had experienced ransomware attacks during the previous 12 months.

The sector most attacked was healthcare, which comes as no surprise: organisations so dependent on access to their critical information are prime targets for ransomware operators, particularly in settings like hospitals, where the potential loss of life can be used to justify demanding a high ransom.

The same research shows that many ransomware infections are widespread. Only a tiny proportion of UK-based organisations reported that ransomware infections spread to fewer than 1% of endpoints, while about one half reported more widespread infections. More seriously, one in 10 UK-based organisations reported that their most serious ransomware infection had reached every endpoint on their network.

The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It also requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach under the HIPAA Privacy Rule is considered to have occurred, because the ePHI encrypted by the ransomware was acquired (i.e. unauthorised individuals have taken possession or control of the information), and that is a disclosure not permitted under the HIPAA Privacy Rule.

Recent guidance from the HHS Office for Civil Rights has made it clear that a ransomware attack usually results in a breach of healthcare information under the HIPAA Breach Notification Rule. Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set out in the Breach Notification Rule, the entity must comply with the applicable Breach Notification provisions, including notification to affected individuals without unreasonable delay, to HHS and, in certain cases, to the media.

Naturally, this is a highly undesirable position for any pharmaceutical company to find itself in, so what should the Board be doing about the threat that ransomware presents to its HIPAA (and indeed GxP) compliance?

Well, at the moment my company and I are engaged with our pharmaceutical clients on the following types of work:

• Reviewing clients' current systems to identify risks and vulnerabilities affecting their electronic protected health information (ePHI).

• Working closely with the Board to come up with a risk mitigation plan to address any vulnerabilities identified, and then implementing the plan.

• Implementing a suite of technical measures, involving hardware, software, cloud technologies and security policies, to protect ePHI from cyber threats including ransomware.

• Training and educating users (bearing in mind that new threats emerge daily and security vendors are constantly playing catch-up, staff are in practice the last line of defence against an attack and need to be educated accordingly).

• Devising, implementing and testing contingency plans, including disaster recovery plans, frequent data backups that are kept offline or otherwise out of reach of an infected machine, security incident response procedures and emergency operating procedures. A backup that has never been restored from is not a tested backup.

Over coming blogs, I will be exploring in more depth some of the key issues around IT compliance in relation to both HIPAA and GxP. If in the meantime you need any assistance with assessing your risks around ransomware in relation to HIPAA or GxP, or with implementing or updating your policies, plans and technologies in light of new cyber security threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.