International Data Protection Day
According to Victor Prata, coordinator of the Information Security and Data Protection Working Group of Digital Health Brazil (SDB), although there is no longer any doubt about the importance of establishing policies, the sector still faces difficulties in knowing how to act in order to be compliant. The lack of a single, clear set of guidelines is one of the negative points.
International Data Protection Day, celebrated on January 28, highlights the crucial importance of data security and privacy in the global arena. Originating in the Council of Europe in 2006, the date coincides with the signing of Convention 108, the first international treaty dedicated to the protection of personal data.
In Brazil, this is a date that has been gaining increasing attention since the enactment of the General Data Protection Law (LGPD) in 2018, marking a renewed commitment to privacy amid the growing role of technology in our lives. In a context of rapid digital advancements, International Data Protection Day highlights the continued need for awareness, robust legislation and ethical practices to preserve the integrity of personal information in the digital age.
The growing awareness of the importance of protecting information is particularly evident in the healthcare context. In the healthcare sector, the need for careful handling of patient data is imperative. This is due to the urgency of preventing leaks, malicious access, theft or modification of the content of medical records, highlighting the importance of data security to preserve the integrity and confidentiality of medical information.
Despite all this, the security and privacy of personal data continue to be a barrier to the advancement of digital health in Brazil. For Victor Prata, coordinator of the Information Security and Data Protection Working Group of Digital Health Brazil (SDB), there is already a consensus among companies operating in the health sector about the importance of this issue in the current context. In other words, managers already understand all of this.
In the expert's opinion, the main question today, and the one that brings small, medium and large companies together, is how to guarantee the protection of data privacy, especially in the digital environment. Although, depending on the size of the company or even its activity, some face more immediate threats and somewhat greater difficulties, everyone is exposed to this same business risk.
“A hospital that only sees patients in its physical facilities receives fewer patients than a digital platform, which makes it much more vulnerable. Furthermore, in the case of a physical hospital, the only way to access the system is to go there in person, log in to the Wi-Fi network, for example, to connect to that environment and launch the attack. When we bring this to the digital environment, it becomes more sensitive. Anyone with a cell phone that accesses your network will be able to enter your environment. In other words, we have two premises that must be observed in telehealth: there are more entry points, and the impact is greater because there is a greater number of patients with data in the digital environment,” he emphasizes.
Another important aggravating factor is that a number of regulations may apply and numerous authorities are involved in this regulatory process, going beyond the LGPD. These include the National Health Surveillance Agency (Anvisa), the National Supplementary Health Agency (ANS), the National Data Protection Agency (ANPD), the Federal Council of Medicine (CFM), the councils of other health professions and the Ministry of Health itself. In digital health, these requirements are layered on top of the rules governing the internet and security infrastructure. In addition, since many companies keep databases and cloud storage abroad, complying with security standards also means considering the regulations in force in those countries.
It is also worth emphasizing that, although there is a great deal of discussion at ANPD about regulating the healthcare chain so as to assign responsibility among the actors involved when a leak occurs, there is still no item on the regulatory agenda for establishing specific standards to be followed by the sector.
“The ‘how’ is a problem and a barrier, precisely because it is not consolidated anywhere, which is not the case in other more regulated sectors, such as finance and insurance, for example. They all say that they need to worry about information security and data privacy, but none of them say what needs to be done. There is no official path. This brings a lot of uncertainty about what needs to be done, including to avoid being fined,” reinforces the coordinator.
Prata also emphasizes that, in the absence of these guidelines, the sector itself, especially because it has in-depth knowledge of the specificities involved, must act as a regulator. Hence the importance of entities such as the SDB discussing this topic. In addition to a Working Group, which provides an environment for discussion among members and involves all stakeholders, and the Manual of Good Practices for Telehealth and Telemedicine to support companies in their challenges, a course will soon be launched that will also cover this subject.
In any case, several measures can be adopted to mitigate risks. “At SDB, we are working on ways to mitigate risks: training employees on privacy and data protection, information security, practical things like encouraging the use of corporate devices, and the implementation of a clean desk policy, conscious passwords, among others,” he explains.
According to him, a key pillar of data protection and privacy in healthcare is people: even where controls exist, without training they serve only to mitigate damage after the fact and to apply punitive sanctions. This means that it is necessary to establish processes and raise awareness among the entire team, without exception, including senior management and areas that, at first glance, may not seem to have any direct relationship with the subject.
“Strengthening this pillar of data protection and information security education is essential for organizations to be able to not only protect privacy, but also mitigate leaks and other types of security incidents. Simply hiring the best security tools will not guarantee that you will be free from problems. If people break this flow, it is useless, and we must always think about protecting the patient at the end,” he concludes.