Recently, healthcare was propelled into the digital world, resulting in a spike in online consultations. Now, a large part of the population, patients and healthcare professionals alike, has already been through a first online consultation. With the urgency of the pandemic pushing healthcare to mobilise, ‘let’s just do it’ made perfect sense. It is now time to look at ‘how we do it’, and at one aspect of that in particular: ‘How do we deliver digital healthcare while protecting the privacy and rights of our users?’
Ludvig Borgvall, Legal Counsel at Visiba Care, joined Visiba Care in 2019 and has since been focusing on safeguarding compliance of the organisation and the product as well as the overall process definition and documentation around information security and privacy. In this article, he provides deeper insight into some of the measures Visiba Care is taking to mitigate risks and ensure that both the product and the organisation are as secure and prepared as possible.
Information security and compliance include both proactive and reactive work. From the beginning, Visiba Care set out to create a digital platform specifically for healthcare, and accordingly we have placed a strong focus on information security from the start. This year, we are taking the next steps: certifying compliance of all the established processes and investing in future improvement by cementing the existing ones and outlining new ones.
To most people, information security evokes thoughts of technological shielding – and that is surely one part of it. The other part, that is equally important but perhaps not as instantly associated, is organisational measures.
In terms of technological measures, developing a platform purely for digital healthcare comes with advantages but also risks. Since the platform's conception, we have been aware that healthcare professionals process sensitive data with a great impact on people’s integrity. So, whenever we develop our service and new features, we do it with the principles of ‘privacy by design’ and ‘privacy by default’ top of mind, to ensure that we consider data protection and privacy issues upfront in everything we do. This also includes me working closely with our product team to provide legal advice and assist with risk assessments throughout the development process, from product idea to release. Some examples of features derived from this approach are explained below.
Technical security measures are only one component in ensuring the security of personal data and other information. Organisational measures and information security management – both internal and external – are equally important. An organisation is made up of its people and its processes. But to maintain a high level of information security, prevention, and swift reaction, the processes need to outlast the people: even when individuals are taken out of the equation, the knowledge of how to avoid and act on each potential incident must remain within the organisation.
At Visiba Care, we are lucky enough to have a high level of professional maturity among our employees. However, we also acknowledge that information security is an ongoing and never-ending project, and that there is always room for improvement. So, this year we are focusing on implementing ISO 27001, a globally recognised standard for managing information security risks, published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). Like other ISO standards, ISO 27001 provides a set of standardised requirements, in this case for Information Security Management Systems (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving our ISMS, addressing both our people and our technology. Its best-practice approach will help us protect our own information and that of our customers in an even more systematic and cost-effective way.
So, in the next few months, we will review our existing information security processes and implement new and updated ones, to ensure that the personal data we process, as well as our ideas and internal trade secrets, get the long-term protection they deserve. The added flavour to this challenge is to cement our information security foundations during the rapid growth we are experiencing, while we still have a relatively small number of employees, which makes it easier to monitor training and follow up on our processes. Following the implementation, we also aim to obtain an independently accredited ISO 27001 certification, to prove to our customers that our ISMS is aligned with information security best practice.
To keep everyone’s feet on the ground, it is important to circle back to the opening statement: information security is about being both proactive and reactive – and sometimes about being proactive about how to be reactive. The unfortunate truth is that incidents of varying extent are bound to happen – and do happen – in every company. Typically, it is a red flag when an organisation reports no incidents at all, because that indicates that it probably lacks the processes to detect them. What we are called upon, and readily willing, to do is a) have processes in place to ensure that errors and incidents do not happen in the first place, and b) establish a system, a team, and processes to ensure that the organisation can recognise and manage a potential incident in an efficient and timely manner.
We have an exciting and rewarding journey ahead of us – especially knowing that much of the groundwork is already at the core of how we work. However, the most rewarding aspect is that this is – as mentioned above – an ongoing and never-ending project: we will keep reviewing and developing our processes over time because, as an organisation, we change and grow, and so will our processes and routines. Our focus remains fixed on giving our customers the best conditions to succeed, on empowering them, and on making an endeavour as important as digital transformation as swift and painless as it can be.