The impact of the GDPR on the healthcare industry

GDPR or the General Data Protection Regulation is a set of regulations for strengthening and harmonising data protection laws across Europe. GDPR becomes effective 25 May 2018, and applies to organisations that conduct business in the EU, and in particular, business that involves the processing of personal information of EU citizens. To be clear, this also includes organisations that may not be physically based in the EU but nevertheless conduct business in the EU that includes the processing of sensitive personal information of EU citizens. Such personal information includes, but is not limited to, sensitive healthcare data of EU citizens, and GDPR applies to both healthcare data controllers and processors. The GDPR includes many strong requirements for both privacy and security of sensitive personal information. GDPR also includes severe penalties for non-compliance of up to 4% of worldwide annual turnover. Clearly, this is a major fine that any organisation doing business in the EU needs to avoid. Healthcare organisations doing business in the EU will be preparing for compliance with GDPR throughout 2017 and early 2018 as the 25 May 2018 deadline for compliance approaches.

Concurrently, breaches and ransomware have reached alarming levels, both in frequency of occurrence and in business impact. In the Ponemon 2016 Cost of Data Breach Study: Global Analysis, the total average cost of a data breach across industries is now $4 million USD, up 29% since 2013. The per capita cost of a breach across the 16 industries studied is highest in healthcare, at $355 per patient record.

Compounding this in 2016 is the rapid ascent of ransomware. According to a recent Freedom of Information request, 28 NHS Trusts have undergone ransomware attacks in the last 12 months. Perhaps more alarmingly, Experian’s Data Breach Industry Forecast 2017 predicts that healthcare organisations will be the most targeted sector next year, with new, sophisticated attacks emerging.

With GDPR looming, and the growing spectre of breaches and ransomware, 2017 and 2018 are sure to bring security and privacy even more into the spotlight in the EU region. Healthcare organisations across the EU are urgently working to mitigate the risks of breaches and ransomware, and to ensure compliance with GDPR before the 2018 deadline. In security and privacy, ideas often outstrip the available budget and resources, so prioritising safeguards and targeting limited budget and resources is key to ensuring both compliance with GDPR by the 2018 deadline and adequate mitigation of the risks of breaches and ransomware.

How does your security compare with the rest of the healthcare industry, and with GDPR requirements? Intel and industry partners are currently running a breach security benchmark program for health and life sciences (HLS) organisations across the EU, and globally. This involves a one-hour, complimentary, confidential assessment of the HLS organisation's breach security priorities and capabilities. The result of this engagement is a comprehensive report showing the HLS organisation how its breach security maturity, priorities, and capabilities compare with the rest of the HLS industry. It helps HLS organisations measure their maturity, see where they may be under- or over-prioritising different types of breaches, and see where they have gaps and may be lagging the HLS industry in implementing key breach security capabilities. In addition, it shows the HLS organisation how addressing a gap may also help with achieving compliance with GDPR, ISO2700x and other regulations, standards and data protection laws.

You can find out more about this program and how to engage, and see an example of a sample breach security benchmark report that includes traceability to GDPR and ISO2700x at

This is not a legal summary of GDPR. For further detailed information on GDPR and compliance please see published regulations and consult with your legal advisor.