Storing Health Data is Not as Easy as it Looks Like
Storing Health Data is Not as Easy as it Looks Like
Chino.io aims at simplifying this job for EU digital health businesses
Chino.io, a startup that is part of Vertical accelerator, wants to fix this problem and help companies to solve security and data protection compliance issues when storing health data.
The digitalization of Health services is changing the health system as we know it. Many applications exist today and offer many services directly from the web or smartphone, such as remote consultations, new diet programs, a better training and many many other health related goals. These applications span from medical devices (that then require a CE mark) to wellbeing applications (less controlled, but still regulated). All of those have a common ground: they collect, store and (sometime) share health data, thus privacy sensitive data on steroids for what concerns the regulations on how to collect and store them.
According to the definition given by EU General Data Protection Regulation (GDPR) and other bodies with advisory status, health data (in relation to mHealth) is:
- medical data providing information about the physical or mental health status of someone (the data subject), generated in a professional medical context;
- data that in general permit to induce someone’s health status or risk independently form accuracy, legitimacy or adequacy of this induction;
- raw data collected by apps or devices that can be used to induce, individually or aggregated with others, someone’s health status or health risk.
This definition covers a broad set of apps including those that are not strictly health related and that are usually called “lifestyle and wellbeing” apps, since it defines boundaries also for raw data. Although raw data are not always considered sensitive, they can be easily combined with other datasets and become sensitive data. In fact, in another Article 29 Working Party’s Opinion they state that the assessment must be done only on a case-by-case basis. However, lifestyle data generated in medical context that can lead to inferring other health information have to be considered health/sensitive data. For example, data about jogging activities may not be considered sensitive. Yet, jogging activities combined with heart rate, or analyzed and compared with data from other people, can reveal sensitive information about our health and fitness status. For example, an insurance company could deduce that we fall in a category of people having higher propensity to face s health issues, increasing our insurance or denying our request. In addition, apps supporting our jogging activities usually collect also geo-positioning data, making them by default sensitive.
Applications collecting personal and sensitive data must comply with regulations and protection laws. Achieving compliance means fulfilling different types of rules and obligations that we tried to group into three categories:
- Administrative requirements e.g. collecting consents, notifying Data Protection Authorities, writing Privacy Impact Assessment,
- Technological requirements e.g. implementing safeguards such as encryption or access control,
- Physical requirements e.g. ensuring physical safety and access to servers or documents.
For application developers identifying relevant laws, extracting rules and obligations, and implementing required solutions within their applications could be extremely challenging, expensive and risky in case of errors. We estimated that a full compliant system can take more than a year of work and requires skills that spans different professional figures just for setting up the system, then the system has to be maintained, adapted, updated and fixed. Its cost is of over six figures.
Not being compliant to avoid the burden and the costs is not an option. Avoiding the compliance puts at a serious risk the business of the company that has a non-compliant applications and the data of the users that are collected but not correctly stored.
As a consumer and user of app, you have to be careful on what you download and what these apps collect. In the market right now there are 165.000 applications that you can easily download and use. Yet, a study on 1211 apps shows that 85% of them are not compliant, for various factors. Another study shows that 66% do not even use a secure transmission channel. This means that your data are sent, not encrypted, over the internet and any person with a basic knowledge of IT can access them. This trend puts at a serious risk the sensitive data of people, but also the business of all the applications that are not compliant.
With the new GDPR the finesl be up to 4% of annual turnover of a company or 20M Euro. In Italy, last year 577 organizations have been fined for non compliance.
Chino (www.chino.io) helps companies in solving their security and compliance issues. The Chino Backend as a Service offers API to access a compliant storage where health data collected from EU citizens can be stored in a secure and EU compliant manner. Chino solves all the technical and physical requirements and helps companies in satisfying also the administrative ones.
If you have a company that collects, stores or shares data (test yourself here to check if you do) you should use Chino to have a compliant application that satisfies the requirements. Chino can save you man-months of work and a huge amount of money. The integration of Chino takes less than two weeks for both developed or new systems, and can be used with or without an existing backend. If you are a user of any health or wellbeing application, start asking the companies if your data are secure and how they comply with the regulations. Be sure that your data are safe and sound and that data are not misused or not safely stored.
If you want to follow up with us on these matters, contact Chino.io: firstname.lastname@example.org