HS.Register: An audit-trail tool to respond to the General Data Protection Regulation (GDPR)
Duarte GONÇALVES-FERREIRA, Mariana LEITE, Cátia SANTOS-PEREIRA, Manuel E. CORREIA, Luis ANTUNES and Ricardo CRUZ-CORREIA
GDPR intends to
• Strengthen and unify data protection for all individuals within the EU
• Give control back to citizens and residents over their personal data
• Address the transfer of personal data outside the EU
• Simplify the regulatory environment for international business
Main changes to regulation
• Increased breadth and scope: personal data is defined as anything that could be used to identify a ‘data subject’, including computer IP addresses. The regulation also applies to all companies that process personal data of individuals in the EU, wherever those companies are based.
• Increased penalties: fines of up to €20 million or 4% of annual global turnover (whichever is greater) for serious infringements.
• Increased control: data subjects have the right to be ‘forgotten’, with their data erased; the right to access the data held on them; and the right to have their data passed to a third party (data portability).
Main changes to regulation (cont.)
• Increased transparency: data subjects must know what data will be held and how it will be processed, and companies must specifically name any other businesses the data will be shared with.
• Increased rigor around consent: organisations must obtain an active opt-in from individuals that is explicit (instead of implied) and unambiguous.
• Increased security: companies must be able to demonstrate how they are keeping data safe, and must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
Healthcare’s Ecosystem Heterogeneity Inside hospitals
• The healthcare sector is a maze of complex data usage
• Large number of users (easily more than 1000 health professionals in each hospital)
• Tens of applications / databases from different providers per institution (mean > 25 per institution, > 60 in larger hospitals)
• Patient information is considered valuable by various external institutions
HS.Register - High level architecture
• Data should not be updatable (append-only) yet remain analysable
• It should be highly scalable and performant; other systems should not be affected
• Registered events should be non-refutable and non-removable
• Data should be auditable and traceable
Auditing data communications with outside institutions (Use Case)
• You have a new partnership with an external lab that allows your lab exam requests to be sent directly to the lab and scheduled.
• Every time you need an exam from this lab you must exchange information about the exam and the patient in order to schedule it.
• After an upgrade there was a bug in the communication application, and your application now shares private demographic information about your patient’s family.
• How can you identify these changes?
Unauthorized access to data (Use Case)
• You hired an external team to support the institution’s IT service in a migration to a new virtualization platform.
• They need access to your production databases to do the job you are paying them for.
• Someone was selling private data to an insurance company, and there was no trace of the actions on the database.
• What can you do?
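The two properties the architecture asks for (events that are non-refutable and non-removable) and the second use case (an access that left no trace) can be illustrated together. The following is an added example, not HS.Register's own code: it shows one common way to implement such an audit trail, a keyed hash chain (HMAC-SHA256) in which each event is tagged over its own fields plus the previous event's tag, so editing, re-ordering or deleting a registered event breaks verification, and a simple query over the who/when/what/purpose record that would surface a contractor account bulk-reading patient records. The key, the actor names, the sample events and the alert threshold are all constructed for illustration and do not come from the poster.

```python
"""Hash-chained, keyed audit trail with a simple bulk-read detector (illustrative)."""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed per-installation secret (not real): a deployment would keep it in an HSM/KMS
# so that application or database administrators cannot re-sign tampered events.
LOG_KEY = b"hs-register-demo-key-not-for-production"
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    seq: int          # position in the chain
    timestamp: str    # when
    actor: str        # who
    action: str       # what (READ, WRITE, EXPORT, ...)
    resource: str     # which record or external endpoint
    purpose: str      # why (lawful purpose declared by the caller)
    prev_tag: str     # tag of the previous event (the chain link)
    tag: str          # HMAC-SHA256 over every field above, including prev_tag


def _tag(seq, timestamp, actor, action, resource, purpose, prev_tag) -> str:
    payload = json.dumps([seq, timestamp, actor, action, resource, purpose, prev_tag],
                         separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only store: there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def append(self, timestamp, actor, action, resource, purpose) -> AuditEvent:
        seq = len(self._events)
        prev = self._events[-1].tag if self._events else GENESIS
        ev = AuditEvent(seq, timestamp, actor, action, resource, purpose, prev,
                        _tag(seq, timestamp, actor, action, resource, purpose, prev))
        self._events.append(ev)
        return ev

    def events(self) -> list[AuditEvent]:
        return list(self._events)


def verify_chain(events: list[AuditEvent]) -> tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad event).

    Detects edited fields, re-ordered or deleted events and forged tags; on its own it
    cannot detect truncation of the newest events (see the note below the block)."""
    prev = GENESIS
    for i, ev in enumerate(events):
        expected = _tag(ev.seq, ev.timestamp, ev.actor, ev.action, ev.resource, ev.purpose, prev)
        if ev.seq != i or ev.prev_tag != prev or not hmac.compare_digest(ev.tag, expected):
            return False, i
        prev = ev.tag
    return True, -1


def bulk_readers(events: list[AuditEvent], threshold: int) -> dict[str, int]:
    """Actors that READ at least `threshold` distinct patient records (illustrative rule)."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        if ev.action == "READ" and ev.resource.startswith("patient/"):
            seen.setdefault(ev.actor, set()).add(ev.resource)
    return {actor: len(r) for actor, r in seen.items() if len(r) >= threshold}


def without(events: list[AuditEvent], idx: int) -> list[AuditEvent]:
    """Simulate an attacker deleting one event from a copy of the log."""
    return events[:idx] + events[idx + 1:]


def with_change(events: list[AuditEvent], idx: int, **fields) -> list[AuditEvent]:
    """Simulate an attacker editing fields of one event in a copy of the log."""
    return events[:idx] + [dataclasses.replace(events[idx], **fields)] + events[idx + 1:]


def build_sample_trail() -> AuditTrail:
    """Constructed sample (not real data): a clinician reading three of her patients,
    then an external contractor account reading 40 records in the middle of the night."""
    trail = AuditTrail()
    for i in range(3):
        trail.append(f"2018-05-25T09:1{i}:00Z", "dr.silva", "READ",
                     f"patient/{1000 + i}", "clinical-care")
    for i in range(40):
        trail.append(f"2018-05-26T02:{i:02d}:00Z", "ext.contractor01", "READ",
                     f"patient/{2000 + i}", "platform-migration")
    return trail


if __name__ == "__main__":
    evs = build_sample_trail().events()
    print("intact:", verify_chain(evs))                                      # (True, -1)
    print("bulk readers:", bulk_readers(evs, 20))                            # {'ext.contractor01': 40}
    print("event 5 deleted:", verify_chain(without(evs, 5)))                 # (False, 5)
    print("event 3 edited:", verify_chain(with_change(evs, 3, actor="dr.silva")))  # (False, 3)
```

Two caveats a deployment would need to cover. A chain alone does not reveal that the newest events were cut off after the last intact one, so the latest tag has to be anchored somewhere the database administrators cannot change (a periodic export to a separate system, a write-once medium, or a timestamping service). And the log is only as complete as the applications that write to it: the contractor use case is only detectable if reads against the production database are registered in the first place, which is why the poster stresses integration with every HIS component.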
Conclusion
Under the GDPR, what matters even more than the information itself is knowing who accessed it, when, and for what purpose, and where it is stored and used. With the correct level of integration, HS.Register could help comply with GDPR requirements, put the IT team back in control, identify problems sooner, identify the source of a problem, improve the overall quality of every Hospital Information System (HIS) and ultimately improve patient care.
Acknowledgments
The authors would like to thank the Project NanoSTIMA (NORTE-01-0145-FEDER-000016). It is financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF).