On 24 March 2022, the European Union Agency for Cybersecurity (‘ENISA’) published a report on deploying pseudonymisation techniques in the health sector. Building on previous ENISA guidance in this area, the report explores, through the illustration of simple use cases, how such techniques can improve the protection of health data.
The digitisation of medical data is occurring at pace through the increased adoption of technologies such as electronic healthcare record systems and the use of health applications and wearable devices. This digitisation gives rise to an abundance of new sources of health data and, as a result, to the increased exchange of individuals’ health data among various stakeholders. Such information sharing presents additional risk to this data, since its protection from threats such as cyber-attacks then relies on the security controls of multiple parties. With healthcare being the most targeted sector for cyber-attacks in 2021, the need for processors of health data to adopt a data protection by design approach to their processing activities has never been greater.
This article examines the application of pseudonymisation techniques, as illustrated in the ENISA report, as a measure to enhance the protection of health-related data in the various scenarios in which it may be shared.
Methods to protect health data
The ENISA report refers, in particular, to pseudonymisation as a method to protect data. Pseudonymisation is explicitly cited in the General Data Protection Regulation (GDPR) as a useful technique to promote data protection by design and to secure the processing of personal data. Recital 28 of the regulation states ‘the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations’.
What is pseudonymisation?
The GDPR defines pseudonymisation in Article 4 (5) as:
“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
How does pseudonymisation work?
Pseudonymisation aims to protect personal data by disrupting the link between individuals and their data within a dataset. This can be achieved, for example, by replacing one or more personal data identifiers (e.g., names) with non-personal data identifiers (e.g., case numbers) and appropriately protecting the link between the “pseudonyms” and the original identifiers. When applied correctly, it can minimise the risk of linking a specific individual’s personal data across different data processing domains. In addition, should a personal data breach occur, pseudonymisation increases the level of difficulty encountered by any third party other than the data controller to correlate the breached data to specific individuals without the use of additional information. Examples of pseudonymisation techniques are progressive counter, randomised numbers, and encryption. The report outlines these techniques and provides further details on how such pseudonyms can be generated.
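The three techniques named above, worked through in code as an added example that is not part of the ENISA report or this article. Each direct identifier in a constructed record set is replaced by a pseudonym, and the lookup table (the ‘additional information’ of Article 4(5)) is held apart from the dataset; a keyed HMAC stands in for the report’s encryption-based technique, and all names, keys and records are assumed and constructed for illustration.

```python
import hmac
import hashlib
import secrets


class Pseudonymiser:
    # Replaces a direct identifier with a pseudonym using one of the three
    # techniques the report names. The lookup table is the GDPR 'additional
    # information' and must be stored separately from the pseudonymised data.
    def __init__(self, technique, key=None):
        self.technique, self.key, self.counter = technique, key, 0
        self.lookup = {}   # pseudonym -> original identifier (keep apart)
        self._seen = {}    # original identifier -> pseudonym

    def pseudonym(self, identifier):
        if identifier in self._seen:          # same person, same pseudonym
            return self._seen[identifier]
        if self.technique == "counter":       # simple but predictable
            self.counter += 1
            p = f"P{self.counter:06d}"
        elif self.technique == "random":      # unpredictable; needs the table
            p = f"R{secrets.randbelow(10**8):08d}"
            while p in self.lookup:           # retry on the rare collision
                p = f"R{secrets.randbelow(10**8):08d}"
        elif self.technique == "hmac":        # keyed: only the key holder can recompute the link
            p = "H" + hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        else:
            raise ValueError("unknown technique")
        self.lookup[p] = identifier
        self._seen[identifier] = p
        return p


def pseudonymise(records, id_field, pseudonymiser):
    # Return copies of the records with id_field replaced by a pseudonym.
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = pseudonymiser.pseudonym(rec.pop(id_field))
        out.append(rec)
    return out


def reidentify(pseudonym, lookup):
    # Only whoever holds the separately stored lookup table can reverse this.
    return lookup.get(pseudonym)


# Constructed sample records, not real patients.
RECORDS = [{"name": "Alice Example", "diagnosis": "J45"},
           {"name": "Bob Example", "diagnosis": "E11"},
           {"name": "Alice Example", "diagnosis": "I10"}]
```

A party that receives only the output of pseudonymise() sees no names, and the counter variant shows why predictability is one of the parameters the instructions below should fix.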
Further compliance considerations
Pseudonymisation techniques and related policies can be used by data controllers and processors either jointly (using the same criteria), or separately. Data controllers may ask their processors to pseudonymise personal data, including directing how to do so, particularly where pseudonymised data is to be shared between the parties. Such instructions should include at least the following elements:
- The target personal data (e.g., a set of identifiers);
- The pseudonymisation technique to be used;
- The parameters applicable to the technique (e.g., counter rationale, randomness management, employed algorithms, key lengths); and
- The policy to be used (the approach and extent to which the techniques are applied).
In addition, the instructions should take into account results of previous assessments of risk or impact to individuals.
While a prescriptive solution setting out when and how to apply pseudonymisation does not exist, the report illustrates several use cases where medical data can be pseudonymised, including scenarios involving the exchange of patient health data, use in clinical trials and patient-sourced monitoring of health data (smart wearable devices). Depending on the context of the processing, including parameters such as risk, applicable regulations, required speed, simplicity, predictability and budget, the appropriate technique and related parameters may vary. Indeed, different solutions might provide similarly satisfactory results in specific scenarios, depending on the requirements of utility, protection and scalability.
Healthcare organisations continue to pursue their digital transformation strategies, and the threat landscape for patient data grows in line with the number of parties involved in managing patient information. Therefore, data controllers should consider how to systematically apply a data protection by design approach to their processing operations, including the application of techniques such as pseudonymisation to protect patient data. No protection is absolute, and as such, organisations should ensure that they have a robust incident response plan in place to manage scenarios where risks to patient data materialise.
Trilateral’s Data Governance and Cyber-Risk Team has extensive experience in supporting organisations to implement appropriate security measures regarding personal data, including pseudonymisation, as well as in raising internal awareness of the importance of data protection. We offer a range of data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Please feel free to contact our advisors, who would be more than happy to help, for more information.