GDPR (General Data Protection Regulation) of European Union poses new challenges for protecting and maintaining patient privacy. The US HIPAA ACT and various national regulations already enforced patient privacy. However, the GDPR is groundbreaking.
The GDPR has taken into consideration the technological advances in cloud data storage. The personal data can be processed and stored in servers located in different continents. And these servers may not be managed and owned by the health care organization itself. Galaxy also offers the possibility of cloud operations and therefore must comply with all rules for patient privacy.
Patient Privacy by Design
Implementing and upgrading patient privacy is a technical challenge. One can not just patch a system to correct or improve the patient privacy. One has to review and upgrade the design properly to avoid any holes and backdoors in the system. The vision of cloud operations in the future and the knowledge of HIPPA and local regulations influenced the Galaxy design already in 2004. Galaxy has taken patient privacy into account by design.
Galaxy is a PSG and PG diagnostic system and in many cases only a small component of a large hospital system. The saying goes, a chain is as strong as its weakest link. Therefore, Galaxy can not have a weak implementation of patient privacy. Strong patient privacy is also critical for small dedicate clinics who can not afford expensive software and consultants.
Design features of security in Galaxy
- The physiological recordings, the analysis and sleep scoring results are not identified by personal information of the patient like name, surname.
- The patient personal data is kept in a Galaxy database separate from the signals and analysis data.
- The Galaxy database with personal data can also be physically separated from the signals and analysis data.
- It is possible to store the Galaxy database in a local protected system whereas recordings can be stored in external servers that are many times less expensive and headache free.
- Each user of Galaxy has her own user name and password with function specific rights.
- Single sign-on is not supported. Thus the user has to login separately with his own username and password instead of automatic login linked to the Windows password.
- The database is encrypted by Galaxy. Only Galaxy can decrypt the database.
- The login details are also stored in encrypted form.
- The decrypted data are not stored anywhere on the local PC or on server. It is only visible via Galaxy.
- The PDF reports are also encrypted. The user has to export the report to make it readable by a third-party who is not using Galaxy.
Are there weak links in the security chain of Galaxy ?
There are no known weak links in Galaxy, however the following aspects are important
- Galaxy does not enforce strong and unique passwords. Every system follows its own rule for a strong password. This is cumbersome for the user. Therefore, Galaxy gives the responsibility to the user to choose a strong username and password.
- Galaxy does not verify the strength of the security of the cloud location connected to Galaxy.
- Galaxy gives freedom to the user to save a decrypted report at any location and send it to anyone. It is the user's responsibility to verify that a recipient has the proper rights to see the report.