gdpr compliance challenges for interoperable health...
TRANSCRIPT
![Page 1: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/1.jpg)
GDPR Compliance Challenges for Interoperable Health Information Exchanges (HIEs) and Trustworthy Research Environments (TREs)
Dr Ed Conley1 and Matthias Pocs2
1 SHiELD Horizon 2020 and Connected Health Cities Projects, AIMES, Liverpool Innovation Park, L7 9NJ, United Kingdom.
2 SHiELD Horizon 2020 Project, Stelar Security Technology Law Research 21035 Hamburg, Germany
18th International HL7 Interoperability ConferencePortsmouthJuly 12th 2018
![Page 2: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/2.jpg)
North West Coast CHC Footprint North of England CHC Footprint
Connected Health Cities (CHC)Learning Health through Trustworthy Research Environments
2
![Page 3: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/3.jpg)
OpenNCPCore
Technology Providers Use Case Providers
Shared Infrastructure - Enabling Exchange
Embedded cybersecurity,Privacy, Data
Protection Extensions
DEPLOY SecureDevOps
OpenNCP uses the HL7 International Patient Summary model to exchange information
3
![Page 4: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/4.jpg)
National Contact Point (NCP) RelayUses HL7 IPS to exchange information internally
Mapping between epSOS and C-CDA CCD is completed and will not be updated.
UKPS
ESPS
ITPS
4
![Page 5: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/5.jpg)
Packaging operational systems at run-timeAnalysis à Design à Deploy à Run
LEGALPRIVACY
SecDevOps
Driven by GDPR Principles Privacy-by-Design” and “Data Protection by Default”
5
![Page 6: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/6.jpg)
OpenNCP CoreExtensionsby SHiELD
àGDPR principlesof “Privacy-by-Design”and “Data Protectionby Default” embeddingthreat mitigation & dynamic policy tools
6
OpenNCP Core
![Page 7: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/7.jpg)
Comprehensive Security Threats Modelling / Mitigation in Use Cases• Asset inventoryComprehensive records kept of assets and applications.
• Configuration managementVulnerability modelling, logging access
• Counteraction measuresThreat-associated rules that trigger threat counteraction mechanisms
• Documentation of policies/procedures
• Cross-border regulatory managementMaintaining compatibility
• Novel security technologies Data hiding/masking and sensitive data analysis; anonymisation/pseudonymisation
• Security training for developers
• Software module dependency tracking modular computational workflow (e.g. data minimizing)
• Streamlining processesMinimising errors through other legal obligations
• Test typesStatic, dynamic, interactive and runtime - data application of security tests
• Traceability of lessons learnedTracking past software
• Vulnerability points analysisAccess control-related, protection for device-related, consent-related
7
![Page 8: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/8.jpg)
HL7, ISO and NIST privilege management and access control
(PMAC) principles require explicit, ontology-based formal
(machine-processable) policies
In the 21st Century, we need flexible, automated
and intelligent solutions for interoperability.
The Shift to Automated Interoperability
For security, privacy and trust, static pre-definition will be
replaced by run-time computed bindings of policies (contextual
rules for processes) continuously calculating risks / trust scores…
8
![Page 9: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/9.jpg)
What damage is GDPR trying to prevent?Controllers must assess the “likelihood and severity of the risk” of any personal data processing operation
relating to any use that “from personal data processing could lead to physical, material or non-material damage”.
DAMAGE EXAMPLES DAMAGE EXAMPLES
9
![Page 10: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/10.jpg)
SHiELD System Vulnerability/Security Modelling
10
![Page 11: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/11.jpg)
Domain Knowledge Interoperability “Interoperability is not just about exchanging data”
Use case and requirements methodology needs to evolve to provide the right knowledge to run processes in human contexts…
This is not a data formats challenge, its about learning how people who use the system think…
Understanding the real stakeholder concerns first through domain knowledge ontologies à each use case can be combined with those created in the past and future
11
![Page 12: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/12.jpg)
Consistent Matching of Information Governance Requirements to Data Processing
(a) Typical LHSuse case
(b) IG ZoningSymbols
12
![Page 13: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/13.jpg)
(b) IG ZoningSymbols
(c) Infrastructureassembledand deployedat run-time
13
![Page 14: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/14.jpg)
Researcher view of a Trustworthy Research Environment (TRE)
14
![Page 15: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/15.jpg)
Shared responsibilities and roles under the GDPRThe data processing agreement and other expectations
15
![Page 16: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/16.jpg)
When the data processor needs to invoke a separate data processing service to fulfil the use case and IG requirements
16
![Page 17: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/17.jpg)
The GDPR seeks to uphold data subject rights
A Key Reminder: Privacy is a Right
17
![Page 18: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/18.jpg)
The Journey Begins
18
![Page 19: GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2](https://reader033.vdocuments.net/reader033/viewer/2022052103/603dd7d7ffe14d1ab55ba111/html5/thumbnails/19.jpg)
GDPR Compliance Challenges for Interoperable Health Information Exchanges (HIEs) and Trustworthy Research Environments (TREs)
Dr Ed Conley1 and Matthias Pocs2
1 SHiELD Horizon 2020 and Connected Health Cities Projects, AIMES, Liverpool Innovation Park, L7 9NJ, United Kingdom.
2 SHiELD Horizon 2020 Project, Stelar Security Technology Law Research 21035 Hamburg, Germany
18th International HL7 Interoperability ConferencePortsmouthJuly 12th 2018