Constantin Herfurth Magdalena Anna Kotyrba August 14 2020 Cybersecurity in healthcare sector – Q&A on data breaches in relation to medical devices Eversheds Sutherland (International) LLP | Tech, Data, Telecoms & Media - European Union Constantin Herfurth, Magdalena Anna Kotyrba Tech, Data, Telecoms & Media IntroductionWhat is a data breach?What is a breach of confidentiality?What is a breach of integrity?What is a breach of availability?How are companies affected by data breaches?What are companies' obligations under the GDPR?When must companies notify supervisory authorities?When must companies communicate breaches to data subjects?When must companies document breaches?What are the consequences of non-compliance?IntroductionThe use of connected medical devices (eg, device systems in hospitals monitoring patients' vital functions, software and related systems providing telemedical services and the eHealth and mHealth services and applications available on the market) has changed the way the healthcare sector works. Connected healthcare provides for various benefits for different players, whether patients, hospitals or research companies:integrating digital health applications into treatment and care;supporting patient compliance;connecting service providers to the healthcare infrastructure;strengthening the use of telemedicine;simplifying administrative processes through digitalisation;promoting digital innovations; andenabling better usability of health data for research purposes.However, these benefits based on the advance of connected healthcare come with an increased flow of personal data, whether in hospitals or between different market players in the healthcare industry. This again has led to an increased risk of cybersecurity incidents and personal data breaches.Thus, it did not come as a surprise that the Allianz Risk Barometer 2020 ranked cybersecurity incidents as the most important business risk globally for the first time ever. Cybersecurity is becoming more and more relevant in the healthcare sector and healthcare companies are becoming aware of this threat. Cybersecurity in the healthcare sector can affect various aspects such as network security, device security, messaging security, web security, data security and identity and access management.What is a data breach?Article 4(12) of the EU General Data Protection Regulation (GDPR) defines a 'data breach' as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".Accordingly, a personal data breach can be a breach of confidentiality, integrity or availability.What is a breach of confidentiality?A breach of confidentiality is a security incident in the form of an unauthorised or accidental disclosure of, or access to, personal data.An example may be a health app for measuring diabetes being manipulated in a way that records are sent to servers in the United States without the data subject's consent or authorisation.What is a breach of integrity?A breach of integrity is a security incident in the form of an unauthorised or accidental alteration of personal data. For example, if access codes and infusion pump manuals are made publicly available online by manufacturers and are not modified by hospitals, hackers could gain control of the infusion pumps and alter the injection rates for patients without the knowledge or authorisation of medical personnel, endangering the patients' lives.What is a breach of availability?A breach of availability is a security incident in which personal data is lost or destroyed.For example, an unknown computer virus shuts down a hospital's entire network, leaving no possibility of electronic communication and no access to electronic documents and information. As a result, patients have to be moved to other hospitals and new patients cannot be taken in.How are companies affected by data breaches?Cyberattacks and personal data breaches are on the rise and healthcare companies are usually one of the biggest targets for attackers. This is mainly for two reasons: patients´ personal data is highly valuable to attackers and medical devices are an easy entry point.What are companies' obligations under the GDPR?Where a personal data breach occurs, companies may have the following obligations:to notify the competent supervisory authority of the data breach;to communicate the data breach to the affected data subjects; andto document the data breach.When must companies notify supervisory authorities?Article 33(1) of the GDPR provides that, "in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority". This does not apply where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.The notification must include:a description of the nature of the personal data breach, including where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned;the name and contact details of the data protection officer or other contact point where more information can be obtained;a description of the likely consequences of the personal data breach; anda description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.When must companies communicate breaches to data subjects?In certain cases, companies must notify the supervisory authority and communicate the breach to the affected individuals.Article 34(1) of the GDPR states that "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay". The threshold for communicating a breach to individuals is therefore higher than that for notifying supervisory authorities.In such cases, the company should at least provide the following information to the individual:a description of the nature of the breach;the name and contact details of the data protection officer or other contact point;a description of the likely consequences of the breach; anda description of the measures taken or proposed to be taken by the controller to address the breach, including where appropriate, measures to mitigate its possible adverse effects.When must companies document breaches?In all cases, companies must keep documentation of data breaches (eg, by maintaining a data breach register).Article 33(5) of the GDPR explains that "the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken".What are the consequences of non-compliance?If companies fail to meet the above obligations, they risk receiving significant administrative fines and potential claims for compensation. According to Article 83 of the GDPR, the maximum fine for violating the GDPR is up to €20 million or 4% of the total worldwide turnover of the preceding financial year – whichever is greater. Further, affected individuals may claim compensation for damages suffered and companies may suffer reputational damage (eg, negative media coverage).For further information on this topic please contact Constantin Herfurth or Magdalena Kotyrba at Eversheds Sutherland (Germany) LLP by telephone (+49 89 54565 295) or email ([email protected] or [email protected]). The Eversheds Sutherland (Germany) LLP website can be accessed at www.eversheds-sutherland.com.