Data privacy and security in healthcare: Implications of GDPR


Human life is the most important concern, and as a result the health sector is one of the largest industries in the world. However, recent advances in healthcare technology also bring more security and privacy issues in the storage of patient data.


Protecting data matters most when patient data is stored and analysed. Keeping this personal information safe is crucial, and a growing number of countries have introduced regulations to keep personal data secure and intact.

According to the Bitglass Healthcare Breach Report, more than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 was the worst year for healthcare industry breaches since records began.

Rather than improving over these years, the situation shows an increase in data leakage.

As health companies struggle to comply with new data protection regulations, we increasingly see that they are concerned about how these regulations complicate or even restrict the use of new technologies.

For healthcare companies seeking to take advantage of web, mobile, and IoT technologies which will inevitably collect some personal information, this goes beyond making certain that they themselves are taking the necessary precautions to protect individual privacy. They must also make certain that any vendors and technologies they employ are likewise in full compliance.

There are some fundamental requirements on the processing of personal data. While this document cannot cover them all, companies should be aware that data:

  • is not kept for longer than necessary
  • is gathered only for specific, explicitly stated and legitimate purposes
  • is accurate and, where necessary, kept up to date
  • is rectified, blocked or erased if it is incorrect or incomplete for the intended purpose

The situation is no different globally. Every year, leaks of personal information are observed at various companies, and there is no sign that this will end.

One example of such rules is the General Data Protection Regulation (GDPR), which governs the personal data of individuals in the EU and applies from 25 May 2018.

The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based.

Although data concerning health was protected as a special category of data under the previous EU data protection legislation, the GDPR also defines “data concerning health” for the first time. “Data concerning health” includes personal data related to the physical or mental health of a person, including the provision of healthcare services, which reveals information about his or her health status.

The GDPR has two important purposes. Firstly, the EU wants to give people more control over how their personal data is used. Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.

Why is the GDPR important to you?

The GDPR covers all companies that deal with the data of individuals in the EU, but it is an especially critical regulation for corporate compliance officers at banks, insurers, and other financial companies.

The GDPR matters in many ways; here are the three most important points for you.

  • Penalties for violations: Serious violations can result in fines of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher.
  • The “personal data” definition has expanded: Personal data means any information relating to an identified or identifiable person. IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment IDs (IMEI) are some examples.
  • “Technical and organisational measures” require adequate general information security controls: The GDPR uses the phrase “technical and organisational measures” 21 times. In essence, the GDPR is asking controllers to employ information security frameworks, which enable professionals to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.

The GDPR applies not only to organisations located within the EU but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. In other words, it applies to every company processing or holding the personal data of individuals residing in the EU, regardless of where the company is located.

Why is Planet of the App the best choice for healthcare apps?

We have worked with several healthcare companies to date and have extensive knowledge of this domain, collaborating with several parties and conforming to their standards and regulations. This has enabled us to make Countly the platform of choice when it comes to data privacy and security. Below you can read some of the unique features of Countly and how they help secure sensitive information.

  • Countly can be installed on-premise (i.e. either in your own data center or with a trusted hosting partner), allowing for a greater depth and breadth of security and control. Self-hosting means that no third party (not even Countly) ever has access to your data unless you permit it.
  • Data collected from devices is sent over a secure channel (HTTPS), which protects it from eavesdropping and tampering in transit, including man-in-the-middle attacks, provided the SDK validates the server certificate.
  • Right to be forgotten: if a data subject asks for their data to be erased, Countly can wipe it completely. Countly also has a “blocking rule” plugin which stops data from reaching the Countly database based on criteria such as username, email, IP address or device ID.
  • If a user decides not to be tracked, Countly has a function for this: once it is called, that user is not tracked at all. The GDPR also gives individuals the right to ‘block’ or suppress processing of their personal data.
  • When data is stored, data-at-rest encryption further protects personal data: a rogue employee who gets hold of the disks or backups cannot read it without the encryption keys, so those keys must be managed separately from the data.
  • More than 30 different system logs are collected, which helps the system administrator know what is happening inside the server. In case of an emergency, the logs can be reviewed, giving the organization insight into what happened and the cause of the issue.
  • We have several methods to keep logins secure: Countly can require strong passwords, only permit logins via HTTPS, and lock out accounts under brute-force attack.
  • Countly dashboard users can only view what is provided to them. An administrator can hide a menu item or a view (e.g. User Profiles) from other users, so only necessary and required data is shown.
  • Countly does not store IP addresses: it resolves the IP to the user’s city and then discards the IP. For customers where even that is an issue, Countly can drop city and country information entirely.
  • Data portability: our database schema is completely open, allowing a customer to export data from Countly to another service easily.
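The data-handling rules in the list above (honouring an opt-out, applying blocking rules before anything is written, resolving the IP to a city and then discarding it, and erasing everything about a device on request) are easy to get subtly wrong in an ingestion path. The following is an added example in JavaScript (Countly's server runs on Node.js) and is not Countly's own code: the geo table, the policy and store helpers, the function names `ingest` and `eraseDevice`, and the sample events are all constructed for this illustration and are not Countly APIs.

```javascript
// Added example, not Countly's code: a minimal ingestion filter that applies
// opt-out, blocking rules, data minimisation (IP -> city, IP discarded) and
// erasure. All names and sample data below are constructed for illustration.

// Constructed IP-to-location table using the RFC 5737 documentation ranges.
const GEO_TABLE = [
  { cidr: '203.0.113.0/24', city: 'Berlin', country: 'DE' },
  { cidr: '198.51.100.0/24', city: 'Lyon', country: 'FR' },
];

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

// Resolve an IP to coarse location only; the caller discards the IP afterwards.
function lookupLocation(ip) {
  const hit = GEO_TABLE.find((row) => inCidr(ip, row.cidr));
  return hit ? { city: hit.city, country: hit.country } : { city: null, country: null };
}

// Policy: who asked not to be tracked, which records to block, and how much
// location to keep ('city' keeps city and country, 'none' drops both).
function makePolicy(overrides = {}) {
  return {
    optedOut: new Set(),   // device IDs that called the do-not-track function
    blockingRules: [],     // e.g. { field: 'email', value: 'qa@example.com' }
    geoLevel: 'city',
    ...overrides,
  };
}

// Store keyed by device ID so erasure can find everything about one device.
function makeStore() {
  return new Map();
}

function ingest(store, policy, event) {
  if (policy.optedOut.has(event.deviceId)) {
    return { accepted: false, reason: 'opted-out' };
  }
  // Blocking rules run on the raw event, before any of it is persisted.
  const blocked = policy.blockingRules.find((rule) => event[rule.field] === rule.value);
  if (blocked) {
    return { accepted: false, reason: 'blocked:' + blocked.field };
  }
  // Data minimisation: derive coarse location, then drop the IP and the other
  // direct identifiers that analytics does not need.
  const { ip, email, username, ...rest } = event;
  const record = { ...rest };
  if (policy.geoLevel === 'city') {
    Object.assign(record, lookupLocation(ip));
  }
  if (!store.has(event.deviceId)) store.set(event.deviceId, []);
  store.get(event.deviceId).push(record);
  return { accepted: true, stored: record };
}

// Right to be forgotten: remove every record for a device. Adding the device
// to the opt-out set is a design choice here, so a late-arriving event from a
// client that has not yet seen the opt-out does not silently re-create data.
function eraseDevice(store, policy, deviceId) {
  const removed = store.has(deviceId) ? store.get(deviceId).length : 0;
  store.delete(deviceId);
  policy.optedOut.add(deviceId);
  return removed;
}

// Constructed sample events (not real users or addresses).
const SAMPLE_EVENTS = [
  { deviceId: 'dev-A', ip: '203.0.113.7', email: 'a@example.com', username: 'alice', key: 'view_record' },
  { deviceId: 'dev-B', ip: '198.51.100.9', email: 'b@example.com', username: 'bob', key: 'login' },
  { deviceId: 'dev-C', ip: '192.0.2.1', email: 'qa@example.com', username: 'qa', key: 'login' },
];

function demo() {
  const store = makeStore();
  const policy = makePolicy({
    blockingRules: [{ field: 'email', value: 'qa@example.com' }], // drop the QA account
  });
  const results = SAMPLE_EVENTS.map((e) => ingest(store, policy, e));
  const erased = eraseDevice(store, policy, 'dev-A');
  const afterErase = ingest(store, policy, SAMPLE_EVENTS[0]);
  return { results, erased, afterErase, remaining: [...store.keys()] };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block stores only `deviceId`, `key`, `city` and `country` for the two accepted events, rejects the QA account on the email blocking rule, reports one record erased for `dev-A`, and refuses the replayed `dev-A` event with `opted-out`. Setting `geoLevel: 'none'` in the policy stores no location at all, which is the “remove city and country” option described above.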

Apart from the security precautions above, both the Countly server and the Countly SDKs are open source. We are open to investigation and examination of our source code, and most crucially, our customers can modify these SDKs according to their own needs and requirements. This transparency and flexibility is welcomed by developers and helps build an added level of trust, especially when it comes to using software they have not experienced before.


Healthcare-related businesses should take steps now to ensure that they are able to comply with the new requirements of the GDPR. This should help such organizations to build and maintain the trust and confidence of their customers, business partners, patients and other individuals whose personal data they collect and process and avoid breaches of relevant data protection rules.
