ABSTRACT: Digital health applications and assistance are disrupting the healthcare sector, but such applications collect an increasing quantity of health data to profile patients and provide targeted care and assistance. Health data is considered sensitive by EU data protection laws such as the GDPR, which defines special security and data processing rules and imposes huge fines for non-compliance. For companies building health applications, such data protection laws represent a challenge because of the risks, costs and complexity of ensuring compliance. This talk gives an overview of these laws, how health application developers cope with compliance and how they typically process health data, together with some scandals and fines issued by EU data protection authorities to digital health companies.
BIO: Jovan Stevovic, PhD, is the co-founder and CEO of Chino.io, a platform that makes health applications GDPR and HIPAA compliant “out of the box”. Jovan has over a decade of experience in the health IT industry. He completed his PhD at the University of Trento in 2014. His research explored technologies and protocols that allow health data to be shared in a legally compliant and secure manner. This work directly led to setting up Chino.io. Currently Chino.io helps companies in most EU states and the US to innovate in digital health.
EU data protection laws and impacts on healthcare applications and health data
1. EU Data Protection Laws and Health Data and Apps
Jovan Stevovic
jovan@chino.io
2. Background
Jovan
2010: MSc Computer Science
2010-2014: PhD Computer Science (PhD in Privacy and HealthTech & R&D at GPI Spa)
2015 to now: CEO and Co-founder
MSc in HealthTech
3. Why is Chino.io unique
Founded in 2014 by experts in health IT and compliance
Customers in 15 EU states, US, Australia
Offices in Trento and Berlin
The only ISO 13485 certified DBaaS
3 PhDs, 8 MSc, 1 LL.M, 1 patent and 10+ publications
4. Customers and partners
50+ companies in the EU and US are secure and compliant with Chino.io
PARTNERS: 30+ SW DEV AGENCIES, LAWYERS, CONSULTANTS, DIGITAL HEALTH ACCELERATORS, SW PROVIDERS
AWARDS: 1ST PLACE IN 2014 ON CYBERSECURITY; SME INSTRUMENT PHASE 1 AND 2 BENEFICIARY
14. When does GDPR apply?
‘Any information relating to an identified or identifiable natural person (data subject)’
Art. 4(1) GDPR
15. Identifier
e.g. a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
16. Health data
‘Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’
Art. 4(15) GDPR
Check out our eBooks on our website
17. All sensitive data
Managing sensitive data implies criminal responsibility
19. Aggregate + aggregate + aggregate = identification?
With the development of new IT techniques, data that previously could not identify a person now suddenly can, if aggregated with other data.
22. Regulatory Compliance in Healthcare is complex
COSTS, TIME, RISKS
MDR, National Laws, ISO 27001, ISO 13485, HIPAA, ePrivacy Reg., CCPA
23. Why is GDPR compliance so complex?
CLOUD PROVIDER + YOUR SYS ADMIN + YOUR TECH TEAM + SECURITY EXPERTISE + YOUR LEGAL TEAM + CONSULTANTS
TECHNICAL, PHYSICAL and LEGAL requirements include: Risk Impact Assessment, Terms & Conditions, DPA and BAA, Privacy Policy, Immutable audit logs, Auth & Access Control, Consent tracking, Data Encryption, Encrypted Backups, Firewalls, VM Security, Facility protection, and many more.
24. CLOUD PROVIDER + Chino.io
Chino.io closes the compliance gap and ensures the implementation of all technical and administrative requirements based on your business needs.
Chino.io: a complete solution to compliance
25. How Chino.io works
• data encryption (at record level)
• pseudonymization
• consent management
• user identity and authentication
• access control policies
• legally valid immutable audit logs
• data portability
• right to be forgotten
• backups
• security updates
• security documentation
• and many more…
Diagram: YOUR APPLICATION (FRONTEND / BACKEND: Your Service, ALGORITHMS, OTHER DATA, ANALYTICS) alongside Chino.io (USER MANAGEMENT, HEALTH DATA ENCRYPTION, OTHER GDPR & HIPAA COMPLIANCE)
26. Value of using Chino.io
Our secure-by-design and ISO 9001, 13485 and 27001 certified platform allows customers to streamline the processes and reduce the documentation effort required for:
• Obtaining CE Marking under MDR
• Certifying applications and companies under ISO normative
• Achieving the requirements for DVG (Germany), NHS (UK) and other country-specific requirements
CUT COSTS: Save 100K+ Euro per year per project
SAVE TIME: Shorten time to market by 6-9 months
ELIMINATE RISKS / STAY COMPLIANT: We keep you compliant and streamline compliance across your organisation.
For sensitive data management: GDPR, HIPAA