Victor Prata, coordinator of the information security and data protection working group at Saúde Digital Brasil, participated in the discussion promoted by Saúde Digital News during the 1st edition of the Telemedicina Evolution Forum
It is a fact that, partly due to the influence of the General Data Protection Law (LGPD), Brazilian companies are increasingly organizing themselves and rethinking the ways in which they store their data. This perception of the value of protecting information is growing, especially in healthcare. After all, patient data needs to be handled carefully to avoid leaks, malicious access, theft or modification of the content of medical records.
Aiming to clarify the best ways to ensure the security and level of data protection required in patient care, the 1st edition of the Telemedicina Evolution Forum, which took place on September 12 and was broadcast on YouTube, featured an exclusive panel to discuss the topic. Best practices, tools, legislation and even the importance that people have in this process were all discussed. Panelists included Victor Prata, coordinator of the Information Security and Data Protection Working Group at Saúde Digital Brasil (SDB); Fabiano Carrijo, CIO of Conexa and co-founder of Psicologia Viva; and Italo Calvano, vice president of Claroty for Latin America.
The debate covered the numerous regulatory challenges that the sector faces. Currently, there are a number of standards that can be applied and numerous authorities involved in this process. These include the National Health Surveillance Agency (Anvisa), the National Supplementary Health Agency (ANS), the National Data Protection Agency (ANPD), the Federal Council of Medicine (CFM) and the Ministry of Health itself. When it comes to digital health, these requirements are compounded by standards that regulate the internet and security infrastructure. Furthermore, since many companies keep databases and cloud storage abroad, complying with security standards also requires considering the regulations in force in those countries.
According to Prata, it is only possible to develop and establish effective security and data protection cultures if the areas involved “work hand in hand”. In other words, the Chief Information Security Officer (CISO), the Chief Technology Officer (CTO) and the Data Protection Officer (DPO) must always collaborate, thinking about how to create a secure structure capable of protecting the information of customers, users and others. Tools, control mechanisms, pentests, certifications and security best practices should always be part of this package.
In this sense, during the debate, the importance of the actions carried out by the Saúde Digital Brasil Working Group was highlighted, including the Manual of Good Practices for Telehealth and Telemedicine, to support companies in their challenges. “We are talking about an environment for discussion, involving all stakeholders, independent of competition, and truly looking at best practices. Because at the end of the day, the concern is one: to guarantee the safety of the patient, of health professionals and to be able to make access to health care effective for everyone”, emphasizes Prata.
Prata added that a critical point under discussion in the group is the exchange of information between participants in the healthcare chain (hospitals, clinics and laboratories) and the vulnerabilities that this brings. There is a major discussion at ANPD about regulation in the healthcare chain to assign responsibility to the actors involved when a leak occurs. However, although healthcare, like finance, is a priority sector, there is still no provision on the regulatory agenda for establishing specific standards to be followed by the sector. In the absence of such standards, the market itself acts as regulator.
“We are discussing the best security standards. Whether the regulatory body will agree or define them in the same way remains to be seen. We strongly believe in this responsive regulatory approach, in which the market organizes itself and approaches the regulator, presenting paths within what already works. This is crucial, for example, so that nothing is imposed that is too far from reality, which companies will certainly be able to comply with. Although the ANPD is not yet entering the digital health sphere, there are already initiatives, consultations and public hearings inviting society and the market to participate in the construction of tangible parameters in other sectors”, explains the coordinator.
It was also discussed that the use of technology, security policies and certifications are mandatory. However, in Prata's opinion, the weak link in the chain is people and, even if there is control, without training it will only be useful for mitigating damages and applying punitive sanctions. This leads to the need to establish processes and raise awareness among the entire team, without exceptions, including senior management and areas that, at first glance, seem to have no direct relationship with this.
Exactly for this reason, both the SDB Manual and all the frameworks that security professionals around the world point to treat acculturation as essential, guiding the adoption of some practices and changes in daily habits, including conscious password use. In other words, it is necessary to guide employees so that they do not use, for example, the same password for their social networks as for access to medical records. Personal devices should also not be plugged into the healthcare institution's network. In addition, it is recommended to implement the clean desk strategy, which includes eliminating notes and the famous colored sticky notes with access reminders placed everywhere, which create a high vulnerability for the entire company.
“Training is a strategic pillar to prevent leaks, whether intentional or not. Without it, nothing works. When you have a culture of security established at all levels of the organization, the problem is truly solved,” Prata concludes.
To watch the debate: https://www.youtube.com/watch?app=desktop&v=IBEql58N4-k&pp=ygUTI2FjZXNzb3JlbW90b25hcmVkZQ%3D%3D