October saw a worrying new form of crime targeting digital health. We are only now starting to see the implications. Here, I explain how you can help protect your users.
October was definitely a black month for digital health. It was revealed that the Finnish psychotherapy provider Vastaamo had been the subject of a data breach. Not only that, the breach resulted in the attempted blackmail of thousands of patients. But how did this happen, and how can you avoid the same happening to your digital health project?
What happened in Finland?
The Vastaamo case was arguably one of the most significant health data breaches we have seen. Vastaamo operates a large number of psychotherapy clinics across Finland. In late October, Finnish police started receiving reports of a worrying new form of cybercrime. Psychotherapy patients were being asked for ransoms of 200€ in order to keep the details of their therapy sessions private.
It soon became clear that this breach had affected tens of thousands of patients, all being treated at Vastaamo’s clinics. An internal investigation showed that the actual data breach had occurred some two years ago. However, the data had recently been circulated online, allowing the ransom demands to be made.
Why is this so significant for digital health?
Breaches like this cause real damage to our industry. Obviously, they harm the reputation of the companies involved. But the whole digital health industry also suffers from the loss of public confidence. The Vastaamo case seems to indicate a new threat model—using sensitive health data to extort money. This sort of scandal also impacts investor confidence and makes it harder to raise funding. Reportedly, the scandal is already having a severe negative impact on other companies in the vibrant Finnish digital health economy.
What are the lessons you need to learn?
GDPR requires you to constantly reevaluate the risks in processing and storing data. After this case, I’d recommend every single digital health company gets a new data protection impact assessment (DPIA) done by an independent third party. You need to consider how this new threat model will impact your application. Additionally, you should check the following:
- Secure your systems properly. Any personal data should be kept secure, of course. But health data is viewed as particularly sensitive within the EU and US. As a result, you need to take particular care with it. This means using techniques like record-level encryption, pseudonymisation and partitioning. These measures mean a data breach is less likely to reveal details of all your users. You should document this in a data protection impact assessment (DPIA).
- Log everything. Sometimes, things do go wrong. Maybe an employee gets careless and sets the wrong permissions on sensitive data. Or a sophisticated hacker manages to use social engineering to get access to your backend. What is vital here is to know the exact extent of the damage, and to be able to show what happened. This requires you to log all operations relating to personal data or system access.
- Ensure you have robust policies. Seemingly, Vastaamo knew about the breach two years ago, but concealed it. This led to their CEO being dismissed after the scandal broke. If they had admitted what happened two years ago, things might have turned out differently. Under GDPR, you are legally obliged to report breaches within 72 hours and must have a proper policy in place to handle the fallout. Just contrast the Vastaamo case with Babylon's data breach earlier this year.
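To make the first two points concrete, here is an added example (not code from Vastaamo, Chino.io or any real system) of a small clinical-notes store that combines record-level encryption, pseudonymisation, partitioning and an append-only access log. Each note is encrypted under its own key derived from a master key and the record id, the identity table is kept in a separate partition from the note table (which carries only pseudonyms), and every read or write is appended to a hash-chained audit log so the extent of any incident can be reconstructed. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a production system would use AES-GCM from a vetted library and hold the master keys in a KMS or HSM. The class and function names, keys, identifiers and notes are all constructed for the example.

```python
"""Record-level encryption, pseudonymisation and an append-only access log.

Added example, not any real system's code. Stdlib-only stand-in for AES-GCM;
all keys, patient ids and notes below are constructed.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so no key ever serves two roles."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(record_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(record_key, b"enc"), _subkey(record_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(record_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkey(record_key, b"enc"), _subkey(record_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed authentication (tampered or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ClinicalStore:
    """Two partitions (identities, notes) plus a hash-chained audit log.

    A dumped note table exposes only ciphertext keyed by pseudonym, and a
    leaked record key exposes at most the single record it was derived for.
    """

    def __init__(self, master_key: bytes, pseudonym_key: bytes):
        self._master = master_key            # assumed to live in a KMS/HSM
        self._pseudonym_key = pseudonym_key  # separate key, separate partition
        self.identities = {}   # pseudonym -> real patient id
        self.notes = {}        # record id -> (pseudonym, ciphertext blob)
        self.audit_log = []    # append-only, each entry chained to the last

    def _pseudonym(self, patient_id: str) -> str:
        return hmac.new(self._pseudonym_key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _record_key(self, record_id: str) -> bytes:
        return _subkey(self._master, b"record:" + record_id.encode())

    def _log(self, actor: str, action: str, record_id: str) -> None:
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"seq": len(self.audit_log), "actor": actor, "action": action,
                 "record_id": record_id, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def store_note(self, actor: str, patient_id: str, note: str) -> str:
        pseudonym = self._pseudonym(patient_id)
        self.identities[pseudonym] = patient_id
        record_id = secrets.token_hex(8)
        self.notes[record_id] = (pseudonym, encrypt(self._record_key(record_id), note.encode()))
        self._log(actor, "write", record_id)
        return record_id

    def read_note(self, actor: str, record_id: str) -> str:
        self._log(actor, "read", record_id)  # log first: failed reads leave a trace too
        _, blob = self.notes[record_id]
        return decrypt(self._record_key(record_id), blob).decode()

    def verify_audit_log(self) -> bool:
        """Recompute the chain; any edited or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def tamper_detected(store: ClinicalStore, record_id: str) -> bool:
    """Flip one ciphertext bit and confirm the read is refused."""
    pseudonym, blob = store.notes[record_id]
    store.notes[record_id] = (pseudonym, blob[:-1] + bytes([blob[-1] ^ 1]))
    try:
        store.read_note("attacker", record_id)
        return False
    except ValueError:
        return True
```

The note table never holds a real patient id, so the identity partition and the pseudonym key can be kept on a different system with tighter access than the bulk clinical data; the audit log records who touched which record and when, which is exactly what you need to size a breach and to meet the 72-hour notification duty with facts rather than guesses.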
Obviously, you still need to take all necessary organisational and technical measures to ensure your system is private by design and default.
How can Chino.io help?
I founded Chino.io 6 years ago with the specific aim of improving data security and privacy for digital health companies. Over the past few years, we have developed tried and tested solutions to help digital health companies.
Legal Advice. Our lawyers can help you with everything you need to become compliant. This includes privacy policies, breach notification policies and even analysing the legal implications of entering new markets.
Tech Consulting. We employ skilled system architects with expertise in creating compliant backends for digital health companies. We can help you ensure your system is compliant and meets the “private by design and default” test.
Compliance technology. Use our modular technology to solve some of the hard problems, like legally-valid audit trails, sensitive data storage and secure user management.
Book a call with my team to see how we can help your app stay secure and compliant.