We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Switzerland’s new Federal Act on Data Protection (FADP), effective September 2023, aligns with the GDPR but introduces unique requirements like appointing local data protection representatives. The EU-U.S. Data Privacy Framework faces potential legal challenges reminiscent of its predecessors, raising questions about its durability. In cybersecurity, healthcare remains a prime target for malware and vulnerabilities, with reports highlighting risks in medical devices and the MOVEit software breach affecting millions. Meanwhile, initiatives like the U.S. Digital Health Security project and proposed U.S. PET Research Act aim to strengthen healthcare data security and promote privacy-enhancing technologies, reflecting the growing urgency for robust protections in health and AI sectors.
Regulations
Switzerland's Revised Data Protection Act
The Swiss Federal Act on Data Protection (FADP) has been in effect since September 1, 2023. The legislation closely mirrors the European Union's General Data Protection Regulation (GDPR). Among its provisions, companies not established in Switzerland are, in certain situations, required to designate a data protection representative in the country, and the act introduces new rules for reporting data breaches. Notable differences between the FADP and the GDPR nonetheless remain.
Will the EU-U.S. Data Privacy Framework Endure?
The predecessors of the Data Privacy Framework (DPF), the Safe Harbor framework and Privacy Shield, were both challenged by the privacy activist Max Schrems before the Court of Justice of the European Union (CJEU). The CJEU struck down both frameworks for failing to ensure safeguards against surveillance going beyond what is necessary in a democratic society. The DPF may meet a similar end if Schrems challenges it again; whether it stands up to that scrutiny this time remains an open question.
The reach of HIPAA is not all-encompassing. It does not cover data that individuals generate and share on their own, such as consumer-generated data. It applies primarily to covered entities such as hospitals, medical practices, individual physician providers, health plans and insurers, and to their business associates, including subcontractors. For the best protection, patients are advised to use platforms such as the hospital's patient portal and to avoid sharing their information outside such secured infrastructure.
Germany's Upcoming Legislation On Health Data Usage
The German Data Protection Conference (DSK), an independent body made up of the German Data Protection Authorities, has published its opinion on a draft bill concerning the use of health data. In the DSK's view, the draft falls short of several data protection standards: it weakens the rights of data subjects, omits a maximum storage duration and thereby disregards the principle of storage limitation, and lacks adequate measures and safeguards in favour of data subjects. The DSK has proposed several amendments to the bill to address these shortcomings.
Introducing The Innovative PET Act: A New Paradigm?
In the U.S., lawmakers from both parties have introduced a bill focused on Privacy Enhancing Technologies (PETs). Named the PET Research Act, it aims to foster the development of PETs. The legislation calls for a partnership between the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) to advance the creation, implementation, and widespread adoption of PETs, and it seeks to strengthen inter-agency collaboration to encourage ethical data practices. A significant component of the bill is standardization: the creation of consistent practices and technical standards for PETs across both the private and public sectors.
AI's Ability To Decode Pseudonymized Data: Exploring The Dangers
AI poses a challenge to data privacy. By merging multiple data sets, AI can re-identify pseudonymized data, a phenomenon known as the mosaic effect: patterns that are harmless in any one data set combine to pinpoint individual identities. This is why pseudonymized data is still treated as personal data under the GDPR. Properly anonymizing the data could reduce the re-identification risk. Additionally, instead of relying on consent or contracts, the advice is to use legitimate interest as the legal basis for the data collection.
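The mosaic effect described above does not need AI at all; a plain join on quasi-identifiers is enough. The following added example (not code from the newsletter) uses constructed toy data: a pseudonymized health data set whose direct identifiers were replaced by tokens but whose ZIP code, birth year and sex were kept, and a second, named data set such as a voter roll. It links the two sets on those quasi-identifiers, then generalizes them (3-digit ZIP, 10-year birth band) and recomputes the k-anonymity of the health set to show why coarsening, not merely tokenizing, is what reduces the risk. All names, tokens and values are invented for the demonstration.

```python
"""Linkage ("mosaic effect") re-identification of pseudonymized records.

Added example with constructed data; it is not part of the original newsletter.
"""
from collections import Counter, defaultdict

# Constructed pseudonymized health records: direct identifiers were replaced by
# an opaque token, but quasi-identifiers (zip, birth_year, sex) were retained.
HEALTH_RECORDS = [
    {"token": "p-7f3a", "zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"token": "p-91cc", "zip": "02138", "birth_year": 1968, "sex": "F", "diagnosis": "asthma"},
    {"token": "p-0b2e", "zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "diabetes"},
    {"token": "p-44d1", "zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"token": "p-ae90", "zip": "02140", "birth_year": 1990, "sex": "M", "diagnosis": "depression"},
    {"token": "p-c512", "zip": "02141", "birth_year": 1994, "sex": "M", "diagnosis": "fracture"},
]

# Constructed second data set carrying names (think voter roll or marketing list).
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "Bea Example", "zip": "02138", "birth_year": 1968, "sex": "F"},
    {"name": "Carol Example", "zip": "02139", "birth_year": 1975, "sex": "F"},
    {"name": "Dana Example", "zip": "02139", "birth_year": 1975, "sex": "F"},
    {"name": "Evan Example", "zip": "02140", "birth_year": 1990, "sex": "M"},
    {"name": "Finn Example", "zip": "02141", "birth_year": 1994, "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used to join the two data sets."""
    return tuple(record[f] for f in fields)


def link(health, public, fields=QUASI_IDENTIFIERS):
    """Return {token: name} for every health record whose quasi-identifier
    combination matches exactly one person in the public set and is itself
    unique in the health set, i.e. an unambiguous re-identification."""
    names_by_key = defaultdict(list)
    for person in public:
        names_by_key[quasi_key(person, fields)].append(person["name"])
    health_counts = Counter(quasi_key(h, fields) for h in health)
    linked = {}
    for h in health:
        key = quasi_key(h, fields)
        if len(names_by_key.get(key, [])) == 1 and health_counts[key] == 1:
            linked[h["token"]] = names_by_key[key][0]
    return linked


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and 10-year birth band.
    Sex is kept as-is; the other fields are copied unchanged."""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3] + "**"
    coarse["birth_year"] = (record["birth_year"] // 10) * 10
    return coarse


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(quasi_key(r, fields) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    print("re-identified from pseudonymized data:", link(HEALTH_RECORDS, PUBLIC_RECORDS))
    print("k-anonymity of the raw health set:", k_anonymity(HEALTH_RECORDS))
    coarse_health = [generalize(r) for r in HEALTH_RECORDS]
    coarse_public = [generalize(r) for r in PUBLIC_RECORDS]
    print("k-anonymity after generalization:", k_anonymity(coarse_health))
    print("re-identified after generalization:", link(coarse_health, coarse_public))
```

On the raw records four of the six tokens resolve to a name, because their ZIP/birth-year/sex combination is unique in both sets; only the two records that share a combination survive. After generalization every equivalence class holds at least two people (k = 2) and no token can be linked. The check a practitioner wants before releasing a "pseudonymized" extract is the `k_anonymity` value over the quasi-identifiers that an adversary could plausibly obtain elsewhere, not whether the names were removed.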
Synthetic data, also referred to as AI-generated data, is derived from real patient data sets using AI. Although the method is meant to protect patient privacy, it has not been widely adopted. A frequent concern is the accuracy of the synthetic data, which may not capture all the variables of the real patients. There is a trade-off, however: the more faithfully the synthetic data reproduces the source, the greater the risk that it leaks information about real patients. Many businesses are therefore looking for a method that delivers both accuracy and confidentiality.
BlackBerry's recent Global Threat Intelligence Report indicates that the finance and healthcare sectors are the most targeted by cyber threats. Within healthcare, the primary danger comes from malware, particularly infostealers. Attackers aim for valuable health information or for ransom payments obtained by disrupting critical healthcare operations. The report expects healthcare to remain a primary target, with a potential shift towards more advanced phishing campaigns and the use of generative AI.
Many U.S. entities, including healthcare organizations, relied on MOVEit, a file-transfer product. Three months after the vulnerability was disclosed, several organizations are still assessing the scope of the breach, and breach notifications keep emerging. For instance, the Colorado Department of Health Care Policy & Financing (HCPF) estimated that 4 million individuals were affected, while the debt collection firm Radius Global Solutions disclosed an impact on 600,000 individuals. The total number of people affected is likely higher still.
The Health Information Sharing and Analysis Center (Health-ISAC), in collaboration with Finite State and Securin, published a joint report on the cybersecurity landscape for medical devices and healthcare systems. The 2023 edition records a 59% increase in vulnerabilities compared with the 2022 report, identifying 993 vulnerabilities across 966 medical devices; 160 of these vulnerabilities have already been weaponized. By component, software applications accounted for 64% of the vulnerabilities, hardware for 27%, and operating systems for 9%.
The U.S. Department of Health and Human Services has established an agency dedicated to exploring cybersecurity solutions that strengthen the protection of healthcare. This body launched the Digital Health Security project, which solicits proposals from researchers and technologists for cybersecurity tools tailored to healthcare institutions, hospitals, clinics, and medical devices. The call is open to everyone, including academics, nonprofit researchers, and industry experts.
Google's Interaction With Healthcare Provider Websites
Numerous complaints have been lodged against Google for collecting sensitive, health-related data from healthcare providers' websites. Web users recently sought a court order to stop Google from collecting data from such sites, citing a statement from a former Google employee who reportedly found Google's code on pages containing confidential information. Google asked the judge to deny the request, arguing that the code is a standard analytics tool deployed and controlled by the website operators.