Personal health data are the set of information that reveals a person's state of health: personal medical history, results of instrumental and laboratory tests, diagnostic images, medical reports and other sensitive information. By their nature, these data sit at the center of the activities of health facilities. To achieve continuous improvement, healthcare organizations must provide citizens with data that are of high quality, secure and easy to use. These objectives must also be pursued with limited resources, within a regulatory framework and a technology landscape that are constantly changing.
Healthcare organizations are therefore called upon to standardize and simplify their processes, identifying clear, specific objectives that are achievable and can be monitored over time. One of these is certainly the identification and disposal of obsolete technologies and processes. Such obsolescence not only hinders the standardization and simplification of processes, but inevitably adds complexity, exceptions and redundancies to healthcare organizations, resulting in increased risks and costs.
The economic constraints mentioned above tend to extend the software life cycle and the service life of electro-medical equipment that handles sensitive personal information.
In addition to the cases of technological obsolescence mentioned above, there are cases of an organizational nature. A typical example is the management of personal health data protection, a topic repeatedly revised by the legislator. The ever-changing regulatory environment makes it difficult to manage clinical data in an agile and long-term perspective. As a result, individual professionals within healthcare organizations often regard data protection as an obstacle to the timely delivery of clinical procedures. Most national health structures delegate to the Chief Information Officer (CIO) the responsibility for defining and managing data protection policies. The CIO, however, cannot perform this task alone: the CIO's mission is to ensure the delivery of services in terms of automation, innovation and efficiency, not to define company policies on data protection. Entrusting the management of healthcare data security to the CIO is in blatant contradiction with the ISO 27001 information security standard and the General Data Protection Regulation 2016/679 (Art. 38, paragraph 6), which expressly prohibit delegating data protection responsibility to figures subject to potential conflicts of interest, according to the principle of segregation of duties.
Grouping tasks and responsibilities of a different nature within a single person or organizational unit could in fact allow the same actor to make mistakes, commit fraud or violate personal data while being in a position to cover up the act, exposing the organization to serious risk.