Healthcare and data security

Data has become a core element of modern life. For individuals, businesses and governments, the management, application and protection of this data is a critical concern. Extensive legislation is required to protect these groups and their subgroups: legislation which protects the privacy and security of data, safeguarding individuals from identity theft, companies from fraud and governments from asymmetric warfare.

Cybercrime has been growing exponentially with the expansion of the digital lives of people and businesses. As more information is digitised and more transactions take place in the virtual realm, the draw to criminals increases. Cybercrime does not only seek financial quarry; data is also a highly prized target.

There are two crucial pieces of legislation to protect businesses and their customers in the digital environment. They are primarily concerned with data privacy and data security, and seek to empower companies to take control of these aspects themselves through codes of practice, frameworks for implementation and a structure for their modernisation.

These are ISO27001 in the UK and EU and the Health Insurance Portability and Accountability Act (HIPAA) in the United States.

Why they are needed

The world has seen a number of increasingly audacious and damaging cyberattacks in recent years. Some have been financially motivated, some aimed at information, and others at disrupting a site or service to the point of unusability.

Medical data is extremely appealing to hackers. Healthcare records can be easily used to make false identities or, in countries with private healthcare systems, to fraudulently acquire medication or make false insurance claims. Medical data theft is often not immediately identified, as a credit card theft may be, thus giving criminals potentially years of exploitable information. In 2014, Reuters reported that stolen Medicare credentials had been discovered for sale on the dark web for twenty times the value of the same individuals' credit card information.

IBM publishes a report each year on the vulnerability of various industries and the number of cyberattacks they have suffered. In 2017 healthcare took the top spot from financial services. American providers had already seen 100 million records stolen in just the first six months of 2017, with at least 45 million of these stolen in a single attack. Meanwhile, EU countries had as many as 2 billion records hacked or stolen during 2016, according to a Europol report.

Legislation in general

Both pieces of legislation, despite some deviations, aim to set out best practices and methods for information and data security. Those deviations mostly centre on the provision of medical insurance and the associated industries and businesses within the privatised American healthcare system. These factors are not relevant to the British National Health Service (NHS), which is funded directly from the income of every British national through a tax-like contribution called National Insurance. The EU is a disparate patchwork of national health provision, privatised healthcare and partnerships between the two.

The societal and commercial realities of the two regions are behind the legislative differences. For example, privacy is considered a fundamental right in Europe, equivalent to a constitutional right in America; hence it is not uncommon to see debates around privacy in Europe evoke similar levels of emotion to those around gun control in the US.

ISO27001

Published by the Geneva-based International Organisation for Standardisation (ISO) in 2005, the legislation drew on a previous model, British Standard 7799, which was created by Britain's Department for Trade and Industry in 1995.

The digital revolution gathered pace throughout the 1990s and the 2000s, bringing with it Web 2.0. As the internet became ubiquitous and an ever-increasing number of people, businesses and information moved online, it became apparent that companies needed a unified information security management system (ISMS). This legislation is not prescriptive but instead gives guidelines and minimum standards by which companies should protect their customers and themselves.

The legislation was updated again in 2013 to keep pace with the rapidly advancing digital environment, allowing more flexibility in implementing tailored suites of ISMS apparatus and introducing objective audits, undertaken annually and backed by independent auditors.

ISO27001 requires that all organisations that deal with a customer's personal data in any way have a process in place to systematically examine their information security risks, taking account of any threats to or vulnerabilities in their defences and what the potential fallout of any failings could be.

To this end they are required to design and implement a coherent and comprehensive suite of ISMS controls, and to adopt an overarching management process to ensure that these controls continue to evolve and are prepared for future changes or challenges in the company, the market or legislation.

ISO is an independent organisation and its standards are often seen as an unbiased measure of the broad ISMS climate across the EU and the wider world. The legislation is compliant with all other related laws, such as the UK's 1998 Data Protection Act and the coming General Data Protection Regulation (GDPR), which aims to harmonise all policies across Britain and the EU by 2018.

GDPR will also add teeth to the legislation by giving EU bureaucrats the powers to punish infractions with enormous fines of up to €20 million or 4% of a company's global annual turnover.

The legislation is considered a useful tool for businesses as it reduces their customer and supplier audit trail, thus curtailing third-party scrutiny, and compliance can reduce liability should any security incidents take place.

HIPAA

Coming into force in 1996 and bearing far stricter rules and regulations than ISO27001, the act focuses on assuring individuals that their protected health information (PHI) is safe and secure across the various practitioners, institutions and businesses that make up America's diverse but fiscally demanding marketplace.

HIPAA operates at a federal level, meaning that all states and agencies must adhere to its rules before their own, multifarious state legislation, creating what is known as a sectoral approach. The act is backed up by the Office for Civil Rights (OCR), which is part of the US Department of Health & Human Services (HHS) and is empowered to issue fines of up to $1.5 million per infraction and, in extreme cases, pass custodial sentences of up to 10 years.

America's healthcare system is dominated by private health insurance, be it personal or employer-provided, though 27 million people, just over 10% of the working-age population, have no insurance. Whilst this number has fallen due to the 2010 Affordable Care Act (ACA), colloquially known as Obamacare, universal healthcare is still remote.

The largest sector of the American healthcare system is the Health Maintenance Organisations (HMOs). These large companies contain health insurers, medical institutions and healthcare practitioners. They are the biggest slice of the market and a key factor in the need for HIPAA in the first place, as they are constantly transferring PHI data.

The highest-risk sector is that of billing and payment, as HMOs often use third-party healthcare clearinghouses to pursue reimbursement, which creates many threats around the anonymisation and pseudonymisation of PHI.

The Transatlantic Divide

Whilst the two pieces of legislation have the same goals, and generally similar implementation, there are a number of differences. These are rooted in the societal and commercial realities of the two regions, though it is critical to remember that the two acts are not in competition: they complement each other and are fundamentally the same.

The biggest of these is the matter of consent. In Britain and Europe a company may only use your data for purposes expressly specified when the data is collected. In the US, however, your data becomes the property of the company in question, which can do anything it likes with it.

This attitude extends to terms and conditions too. In America you can still be faced with multiple pages of obfuscating legalese when agreeing to use a product or service, yet in Britain or the EU that text must be short, clear and easy to understand.

The most important aspect, and the one with the most stringent regulations under ISO27001, is that of data sovereignty. Within Europe all personal data must be retained in the country from which it was gathered, meaning, for example, that Belgian whole genome sequencing (WGS) data must be kept not only in Europe but specifically in Belgium.

ISO is sometimes seen as lacking bite due to its inability to prosecute, though that will change with the introduction of GDPR in 2018. HIPAA regulations aren't without their critics either, as the length of time it takes to make changes to its prescriptive and exacting standards can lead to a lack of flexibility and an inability to react to unexpected threats.

The two pieces of legislation share the central goal of protecting both the service user and their data, and also the service or company itself. Both systems require careful and in-depth audits to maintain standards and, concerns about privacy or reimbursement aside, they are commensurate and effective pieces of legislation.

What Sapientia does to protect your data

Throughout Congenica, and its gold-standard clinical genome analysis platform Sapientia, patient privacy and data security are paramount concerns. The company and the product both go above and beyond what is demanded by either piece of legislation.

All data is anonymised and pseudonymised, making it impossible to attach it to any individual. Further to this, data is encrypted at all times, be it in transit or at rest. User account access controls are in place across the company to carefully restrict and log who sees and uses the various parts of the system, and everything is locked behind elaborate password systems.
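The controls named above are described only in outline. The block below is an added illustration, in Python, of what keyed pseudonymisation of a patient record looks like; it is not Congenica's or Sapientia's code, and the record layout, field names, classification of fields and the key are assumptions made for the example. Direct identifiers are replaced by HMAC-SHA256 tokens under a secret held apart from the data, and quasi-identifiers (date of birth, postcode) are generalised.

```python
import hashlib
import hmac
import json

# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "nhs_number": "9434765919",
    "name": "Jane Example",
    "date_of_birth": "1980-03-14",
    "postcode": "CB10 1XL",
    "sample_id": "WGS-000123",
    "variants": ["chr7:117559590 G>A"],
}

# Assumed field classification: direct identifiers are tokenised,
# quasi-identifiers are generalised, everything else is passed through.
DIRECT_IDENTIFIERS = ("nhs_number", "name")


def pseudonymise_value(secret_key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 rather than a plain hash, so the token cannot be reversed
    by hashing guessed NHS numbers or names without the key. The field
    name is mixed in so the same string in two fields gives two tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def generalise_dob(dob: str) -> str:
    """Keep only the birth year ('YYYY-MM-DD' -> 'YYYY')."""
    return dob.split("-")[0]


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code ('CB10 1XL' -> 'CB10')."""
    return postcode.split()[0]


def pseudonymise_record(record: dict, secret_key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers replaced by keyed
    tokens and quasi-identifiers generalised. The input is not modified."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymise_value(secret_key, field, str(out[field]))
    if "date_of_birth" in out:
        out["year_of_birth"] = generalise_dob(out.pop("date_of_birth"))
    if "postcode" in out:
        out["postcode"] = generalise_postcode(out["postcode"])
    return out


def same_patient(rec_a: dict, rec_b: dict) -> bool:
    """Records tokenised under the same key can still be linked to each
    other; that is what makes this pseudonymisation, not anonymisation."""
    return hmac.compare_digest(rec_a["nhs_number"], rec_b["nhs_number"])


if __name__ == "__main__":
    # The key is the re-identification link. In practice it lives in a key
    # store with its own access controls and logging, never beside the data.
    key = b"constructed-demo-key-not-for-real-use"
    print(json.dumps(pseudonymise_record(SAMPLE_RECORD, key), indent=2))
```

The secret key is the re-identification link: anyone holding it can regenerate the tokens and link records back to an NHS number, which is why pseudonymised data is still treated as personal data under GDPR and why the key belongs behind separate access controls and logging rather than next to the data it protects.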

Congenica boasts an excellent and highly informed quality assurance (QA) team led by a knowledgeable and experienced QA manager. Together with the in-house ISMS team, they ensure that the methods and systems remain strong all year round by reviewing them regularly and methodically, not just when audits are due.

There are exacting requirements in place too for the disposal or destruction of any hard copies, machines or peripherals which may contain or have contained personal or private data, to ensure nothing is leaked in this way.

Aside from this, Congenica employs outside agents to undertake penetration testing or other 'white-hat hacking', which means engaging somebody to attack your system, searching for weak spots or faults and reporting back to the ISMS team. Adhering to the rules in place and having a good understanding of what may be on the horizon are key to future-proofing.

Conclusion

The two acts exist to help the industry, to protect patients and to build the foundations for future legislation in a domain that is still very much in its infancy. At their cores they are essentially the same: different methods and routes to reaching the same destination.

Repercussions can be far-reaching, having direct effects but also damaging your brand in the eyes of peers, potential partners or investors, and consumers.

ISO is not a 'point in time' audit but an expression of ongoing commitment and improvement towards greater and ever-growing goals. It is an overall audit of the ISMS as a whole rather than an inspection of the technical goals underpinning the ISMS.

There are potential weaknesses in both legislations. In the case of 27001 it is the fact that an organisation is left to decide what level of security it needs. The level of risk which is acceptable to the organisation is a management decision, and this brings into focus a reliance on management being fully aware of their risks and fully willing to budget for protecting against them.

HIPAA is more prescriptive, but that defends against companies with too much risk appetite, as the mandatory demands reduce the need for risk management and security expertise. Though, as has been mentioned before, the slow rate of change in the act leaves it at risk of being compromised.

With the EU about to get the power to punish companies with fines far higher than those for any other industry, and far outstripping HIPAA's punitive teeth, a more confrontational environment may be created which could hinder trade and innovation across all industries, not just healthcare.

Congenica does far more than either legislation requires. This is the result of a strong risk assessment and a culture of constant monitoring and improvement within the company. Congenica understands the precious nature of the data with which it has been entrusted and treats it as such.