Deploy pseudonymization techniques to protect health data


A report from the European Union Agency for Cybersecurity (ENISA) explores how pseudonymization techniques can help increase the protection of health data.

The healthcare sector has benefited greatly from technological developments and the digitalization process. However, as these new technologies must be integrated into already complex IT infrastructures, new challenges emerge in terms of data protection and cybersecurity. This is all the more true as the provision of health services today involves an extensive exchange of medical information and health data between different health service providers.

How medical data helps deliver better health services

With a large volume of data, the healthcare sector can improve diagnosis and the modeling of clinical outcomes, help evaluate early intervention strategies, and more. This new ecosystem improves the delivery and monitoring of health services at different levels, including decision-making, and provides timely, appropriate and uninterrupted medical care.

How to guarantee the security of the processing of medical data

Nevertheless, the increasing processing of digitized medical data has also brought the associated risks of cyberattacks and data breaches. To ensure adequate protection of patients’ medical data, technical solutions such as those offered by pseudonymization can be implemented.

Today’s report builds on previous work by ENISA and explores different pseudonymization techniques in simple use cases.

What is pseudonymization?

Pseudonymization can contribute significantly to the protection of personal data. It consists in dissociating the identity of a data subject from the personal data processed for that data subject. In practice, this is done by replacing one or more personal identifiers with pseudonyms.

Different techniques can be used for this purpose, depending on how the pseudonyms are generated. These techniques include counter, random number, hash function, hash-based message authentication code (HMAC), and encryption.

Although it is not fundamentally new, pseudonymization is explicitly referenced by the GDPR as a technique to be used to promote data protection by design and to secure the processing of personal data.
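How the counter, hash function and HMAC techniques listed above differ in practice, shown as an added Python example that is not taken from the ENISA report. The record layout, the `patient_id` field name and the sample identifiers are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def counter_pseudonymizer():
    """Counter technique: pseudonyms are 1, 2, 3, ... in order of first appearance.
    The mapping table is the only link back to the identity, so it must be
    stored separately from the pseudonymized data."""
    table = {}
    def pseudonymize(identifier):
        if identifier not in table:
            table[identifier] = len(table) + 1
        return table[identifier]
    return pseudonymize, table

def hash_pseudonym(identifier):
    """Hash technique (unkeyed): no secret is involved, so any party that
    knows or can guess an identifier can recompute its pseudonym."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def hmac_pseudonym(key, identifier):
    """HMAC technique: recomputing a pseudonym requires the secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def pseudonymize_records(records, key):
    """Replace the (assumed) 'patient_id' field with its HMAC pseudonym."""
    return [{**r, "patient_id": hmac_pseudonym(key, r["patient_id"])}
            for r in records]

# Constructed sample data, not real patients.
RECORDS = [
    {"patient_id": "PAT-000123", "diagnosis": "asthma"},
    {"patient_id": "PAT-000456", "diagnosis": "diabetes"},
    {"patient_id": "PAT-000123", "diagnosis": "hypertension"},
]

if __name__ == "__main__":
    key_a = secrets.token_bytes(32)   # key held by the pseudonymization entity
    key_b = secrets.token_bytes(32)   # separate key for a second recipient
    for row in pseudonymize_records(RECORDS, key_a):
        print(row)
    # Same patient, same key: records stay linkable inside one dataset.
    # Same patient, different key: datasets cannot be joined on the pseudonym.
    print(hmac_pseudonym(key_a, "PAT-000123") == hmac_pseudonym(key_b, "PAT-000123"))
    pseudonymize, table = counter_pseudonymizer()
    print([pseudonymize(r["patient_id"]) for r in RECORDS], table)
```

Using one key per recipient keeps each dataset internally consistent while preventing recipients from joining their datasets on the pseudonym.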

