Methodology and workflow to perform the Data Protection Impact Assessment in healthcare information systems

| Main Authors: | Marco Todde, Marco Beltrame, Sara Marceglia, Cinzia Spagno |
|---|---|
| Affiliations: | Marco Todde and Sara Marceglia: Dipartimento di Ingegneria e Architettura, Università degli Studi di Trieste, Trieste, Italy. Marco Beltrame and Cinzia Spagno: Azienda Sanitaria Universitaria Giuliano Isontina - ASUGI, Trieste, Italy. Corresponding author: Sara Marceglia, Dipartimento di Ingegneria e Architettura, Università degli Studi di Trieste, Via Valerio 10, 34127, Trieste, Italy. |
| Format: | Article |
| Language: | English |
| Published: | Elsevier, 2020-01-01 |
| Series: | Informatics in Medicine Unlocked, volume 19, article 100361 (ISSN 2352-9148) |
| Subjects: | General Data Protection Regulation (GDPR); Hospital information system; Data protection impact assessment |
| Source: | DOAJ (record id doaj-b1a035bca27e437ebc7c6d1d3a329533) |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2352914820301477 |

Background: The General Data Protection Regulation (GDPR) modernizes and harmonizes personal data protection law across the European Union and affects every economic sector, including healthcare. The regulation introduces two specific duties: the Record of Processing Activities (ROPA) and, for each high-risk processing, the Data Protection Impact Assessment (DPIA). Currently there is no DPIA methodology specific to the healthcare environment, only broad methodologies applicable to all economic sectors.

Objectives: This work proposes a methodology for performing a DPIA on healthcare information systems, taking into account the specific constraints and critical issues posed by the heterogeneous and highly sensitive nature of the data and software used in hospitals.

Methods: We first analysed the GDPR and other sources on the DPIA. This analysis identified issues in applying the GDPR in the healthcare environment. We then developed a workflow for DPIA execution and implemented a software tool to apply it in a real environment. The methodology was applied to 11 software applications and devices already in use in the Trieste area, Italy.

Results: The most important issue identified in the analysis is the definition of "processing activity"; it was overcome by centring the methodology on the information system that processes the data rather than on the processing activity per se. We therefore designed a workflow for the risk assessment of an information system which establishes that the DPIA is to be performed after the system has been purchased (usually through a tender with strict IT security requirements) but before its deployment in the real environment. Validating the software tool that implements the workflow on the 11 systems showed that the proposed workflow is able to perform the DPIA and to uncover some important issues in the systems examined.

Conclusions: The proposed methodology can be used to perform a DPIA in the healthcare environment by supporting risk evaluation and management, focusing on each software component added to the healthcare information system.