We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
The Swiss Federal Act on Data Protection (FADP) has been in effect since September 1, 2023. This legislation closely mirrors the European Union's General Data Protection Regulation (GDPR). Among its provisions, companies not based in Switzerland are, in certain situations, required to designate a data protection representative within the country. The act also establishes fresh guidelines for reporting data breaches. However, there are still notable differences between the FADP and the GDPR.
Will the EU - U.S. Data Privacy Framework Endure ?
The predecessors of the Data Privacy Framework (DPF), the Safe Harbor framework and the Privacy shield, were legally challenged by Max Schrems, a privacy activist before the Court of Justice of the European Union (CJEU). The CJEU faulted these two frameworks for failing to ensure safeguards against exceeding surveillance in a democratic society. The DPF might meet a similar end, especially if Max Schrems decides to challenge it again. However, this time, it might not stand up to scrutiny.
The reach of HIPAA is not all-encompassing. It doesn't cover data that individuals produce and disseminate on their own, such as consumer-generated data. Its jurisdiction is primarily over entities like hospitals and medical practices. Third-party associates, including subcontractors, health plans, insurance firms, and individual physician providers, also fall under its purview. For optimal data protection, it's advised that patients utilize platforms like the hospital's data portal and avoid distributing their information beyond secure infrastructures.
Germany's Upcoming Legislation On Health Data Usage
The German Data Protection Conference (DSK), an independent body made up of German Data Protection Authorities, has released their view on a draft bill concerning the usage of health data. It seems the draft neglects certain data protection standards, including the rights of the data subjects, the principle of storage limitation (by omitting stipulations for a maximum storage duration), and the lack of proper measures and protections for the benefit of data subjects. In response to these issues, the DSK has suggested several amendments to the bill.
Introducing The Innovative PET Act: A New Paradigm ?
In the U.S., lawmakers from both parties have presented a bill focused on Privacy Enhancing Technology (PET). Named the PET Research Act, its purpose revolves around fostering the growth of PETs. This legislation champions a partnership between the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) to advance the creation, implementation, and widespread use of PETs. Additionally, the act seeks to enhance inter-agency collaboration to encourage ethical data practices. A significant component of the bill emphasizes establishing standardization for PETs, targeting the creation of consistent practices and technical standards across both private and public sectors.
AI's Ability To Decode Pseudonymized Data: Exploring The Dangers
AI might challenge data privacy. By merging multiple data sets, AI can potentially decode pseudonymized data, a phenomenon known as the mosaic effect. This allows AI to detect patterns and pinpoint individual identities. Anonymizing the data could reduce reidentification risks. Additionally, instead of relying on consent or contracts, it's advised to use legitimate interest as the foundation for data collection.
Synthetic data, also known as AI-generated data, is derived from patient datasets using AI. While this method ensures patient privacy, it hasn't been widely adopted. A frequent concern is the potential inaccuracy of the synthetic data, as it may not always capture all variables of actual patients. As the data's accuracy improves, the threat of data breaches also increases. Numerous businesses are on the lookout for a method that assures both precision and confidentiality.
BlackBerry's recent Global Threat Intelligence Report indicates that the finance and healthcare sectors are most targeted by cyber threats. Within healthcare, the primary danger comes from malwares or infostealers. Attackers aim for valuable health information or ransoms from disrupting crucial healthcare operations. The report suggests healthcare will likely continue being a primary target, with potential shifts towards advanced phishing efforts or the application of generative AI.
Many US entities, including healthcare organizations, relied on MOVEit, a file-transfer software. Even three months post the vulnerability's discovery, several organizations are still gauging the breach's ramifications. Breach notifications are continually emerging. For instance, the Colorado Department of Health Care Policy & Financing (HCPF) estimated a whopping 4 million individuals were affected. Meanwhile, the debt collection firm Radius Global Solutions disclosed an impact on 600,000 individuals. The total affected might be even higher.
The Health Information Sharing and Analysis Center (Health-ISAC), in collaboration with Finite State and Securin, unveiled a joint report detailing the Cybersecurity landscape for Medical Devices and Healthcare Systems. Notably, the 2023 edition witnessed a 59% spike in vulnerabilities compared to the 2022 report, identifying 993 vulnerabilities across 966 medical devices. Alarmingly, 160 of these vulnerabilities are now weaponized. Breaking it down, software applications accounted for 64% of these weak points, hardware 27%, and operating systems trailed at 9%.
The U.S. Department of Health and Human Services established an agency dedicated to exploring cybersecurity solutions to bolster healthcare protection. This body introduced the Digital Health Security project, aiming to gather suggestions from researchers and technologists regarding cybersecurity instruments tailored for healthcare institutions, hospitals, clinics, and medical devices. The campaign welcomes contributions from everyone, encompassing academics, nonprofit investigators, and industry experts.
Google's Interaction With Healthcare Provider Websites
Numerous complaints were lodged against Google for gathering sensitive and health-related data from healthcare providers' websites. Web users recently sought a legal order to prevent Google from collecting data from such sites, presenting a statement from an ex-Google worker who reportedly discovered Google's code on pages with confidential information. In response, Google requested the judge dismiss the order, claiming it's just a basic analytic tool managed by the website operators.
We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
🌎 This month, key updates include Brazil’s introduction of a new SCC-based framework for international data transfers. 📋 The EDPB shared its evaluation of the EU-US Data Privacy Framework. 🤖 Advancements in AI-driven health solutions, such as Sanofi’s Muse for clinical trial recruitment, were also highlighted. 🧬 Discussions focused on genomics privacy, neural data protection, and the transformative role of AI in healthcare and compliance landscapes.
In October, key developments in data privacy, AI, and cybersecurity emerged, including new GDPR accountability guidance for controllers, the introduction of the UK’s Data Bill 2024, and the FDA's call for coordinated AI regulation in healthcare. High-profile data breaches also highlighted vulnerabilities in health data, underscoring the need for stronger, globally aligned privacy standards.
Get up to speed with the latest in data protection regulations and healthtech innovations, including updates from Brazil, the UK, and California, along with advancements in AI-driven healthcare solutions. Plus, explore major privacy enforcement actions and key developments shaping the future of digital health.