EU urged to 'set the rules' on health data security

The EU needs to bolster “inadequate” patient data security with eHealth legal frameworks, or risk playing catch-up to the likes of Google and Facebook.

The use of information and communication technologies (ICT) as part of healthcare strategies is viewed as a way to offer affordable health treatments.

With ageing populations in the EU, the reliance on government healthcare is becoming strained, and the use of technology by patients is viewed as one way of relieving the pressure on health services.

The European Commission has been told, however, that in order to fully realise the potential of new technologies, more needs to be done to ensure that data handed over by patients is secure.

A report led by Estonian president Toomas Hendrik Ilves demands that a legal framework be created to implement safeguards and manage massive amounts of health-related data.

Ilves says that the use of ICT data in the healthcare sector is lagging 10 years behind other areas, and that it is the use of currently available technologies that is needed to stave off an impending healthcare crisis in the EU.

But in order to create a working system it is vital that patients are confident that the use of health apps is handled appropriately. This could mean the use of smartphones as telehealth devices to remotely provide doctors with information, for example.

Collected data could be used to integrate patient data with official medical data. However, question marks remain over the security of such data, and without patients’ willingness to hand over information, such a system would have less impact.

“eHealth applications must prove worthy of users’ trust,” the report claims. “Only then will users make their data available for feedback on preventive care or for benchmarking and monitoring performance of health systems.”

Current legal frameworks, according to the report, are not capable of dealing with the “explosion of data” that will need to be handled securely.

If this is not done soon then commercial companies will already have set up their own versions. Google and Facebook are “making their own rules” and the EC has been warned that popular tools by these master data-gatherers could trump government versions.

Chris McIntosh, CEO of ViaSat UK, which keeps a close eye on data policies and data breaches, told TechEye that the new report shows that following best practices will be essential for any data policy’s success in truly transforming the healthcare ICT landscape.

“Considering its size and scope the NHS has more opportunities for data losses than other organisations; yet that data is often of the most sensitive nature imaginable,” McIntosh said. “Given this, the NHS should be acting as an example of how to secure personal information. At the same time our own investigations showed the NHS is the worst offender in the UK both for losing hardware and for incorrectly disposing of data.”

“Possibly partly because the ICO is not being very strict on offenders, organisations are not enforcing their own policies and people are not being trained enough,” McIntosh continued. “All data must be encrypted in case of loss. Workers must be fully aware of what procedures need to be followed.”

“Organisations must know exactly where their data is at all times. If equipment is to be discarded, it is essential to check first to see exactly what its contents are.

“Essentially, the opportunity for human error should be reduced as much as possible. As long as it can follow relatively simple rules, the NHS can lead by example to other health services in Europe and worldwide,” he said.

Despite Google discontinuing its Google Health service last year, there are concerns that commercial companies could still capitalise on a boom in health data.

“There is a brief window – probably the next 5 years – within which EU policymakers have the opportunity to set the rules,” the report concludes.