_edited.png)
THE DPO & HEALTH DATA PROTECTION
Health data: very specific personal data
Health data are very special personal data as they are considered sensitive. As such, it is subject to a very specific reinforced protection in order to guarantee the respect of the privacy of the persons concerned. Heart rate, blood group, genetic data, etc. heart rate, blood type, genetic data, etc.: these data are subject to reinforced protection under the law, in order to guarantee the privacy of the individuals concerned
​
It is important to know that health data is the most coveted data by cyber criminals who sell it for a high price! Indeed, this personal data is among the most expensive on the market as it allows attacks such as identity theft, health insurance scams, fraudulent health reimbursements, etc.
Thus, the price of a stolen medical file can reach $350 on the darknet.
Hospitals, nursing homes, connected health solutions: what are the challenges?
Healthcare institutions or professionals developing connected health products and processing data are responsible for the security of this data. In case of failure to comply with these obligations, the consequences are numerous.
-
Legal consequences, as data controllers are obliged to do everything possible to ensure the security, confidentiality, integrity and availability of the personal data processed. When this security is not ensured, the data controller must be held accountable.
-
Financial consequences, because very regularly when these health establishments are attacked, the attackers demand a ransom in exchange for the non-disclosure of the stolen data.
-
Human consequences, as the privacy of your patients, customers and users is greatly impacted in the event of a healthcare data breach.
-
Reputational consequences as well, when the message gets out and the people concerned become aware of the risk and danger to which they are exposed.
​
Moreover, some health data, when they lose confidentiality, can lead to a very strong stigma from professional and/or personal circles, the impact on personal life is then very great (this is the case of certain diseases or infections).
​
Regulatory compliance with the GDPR and thus the protection of personal data are therefore all the more important for healthcare institutions or connected health solutions. Therefore, the official designation of a DPO with the CNIL is an imperative for these establishments and companies.
Health data processing for research purposes: a special case.
The field of health research is the last field for which it is necessary to obtain authorisation from the CNIL to carry out the processing of personal data.
Indeed, with the exception of so-called "internal" studies, all research projects in the field of health requiring the processing of health data must be subject to prior authorisation by the CNIL.
In order to facilitate these research projects, the CNIL has developed 6 reference methodologies applicable according to the type of study: when one of these reference methodologies is applicable, no prior authorisation from the CNIL is required.
Your compliance thanks to the support of a DPO experienced in health data protection
David Rozier, co-founder of CyberSecura and GDPR expert, has a solid experience as DPO of the CHU Grenoble-La Tronche, and of other hospitals and health institutions. David is responsible for the GDPR compliance business line at CyberSecura.
​
With the help of two legal assistants, we are already assisting health establishments (prevention and occupational health services, private companies or associations involved in the field of personal care and disability, etc.) in their GDPR compliance.
WHAT THEY SAY
Discover the testimonies of some of our clients (all in the health sector) regarding our outsourced DPO service on a time-sharing basis.
Frédérique Guede, Head of operational organisation at PST38
"I'm not sure if the offer that is made exists with other providers [...]. It is a complete handling that I have not found elsewhere [...]. Mr Rozier knows how to put us at ease, how to listen to us in order to understand our problems, the way we work, the specificity of our service, so as to respond to us in the best possible way, and so as to enable us to continue to work efficiently."
Jean-Christian Borel, Director of Research and Development at AGIR à Dom.
"We particularly appreciated CyberSecura's expertise, its ability to explain things in simple terms, its availability, but also its human approach. David Rozier understood our needs quite quickly, and the relationship was very simple from the start."
