Deploying pseudonymization techniques to protect health data

A report of the European Union Agency for Cybersecurity (ENISA) explores how pseudonymization techniques can help increase the protection of health data.

pseudonymization health data

The healthcare sector has highly benefited from technological developments and the digitalization process. However, as those new technologies need to be integrated into IT infrastructures, which is already complex in nature, new challenges emerge in relation to data protection and cybersecurity. This is especially true since providing health services today implies an extended exchange of medical information and of health data among different healthcare service providers.

How medical data help deliver better health services

With a large volume of data, the healthcare sector has therefore the capacity to improve diagnosis and modelling of clinical outcomes, help assess early intervention strategies, etc. This new ecosystem improves the delivery and monitoring of health services at different levels including decision making and provides timely, appropriate and uninterrupted medical care.

How to ensure the safe processing of medical data

Nonetheless, the increasing processing of digitised medical data has also led to the associated risks of cyberattacks and of data breaches. To ensure adequate protection of patients’ medical data, technical solutions such as those offered by pseudonymization can be implemented.

The report published today builds on the previous works of ENISA and explores the different techniques of pseudonymization in the context of simple use cases.

What is pseudonymization?

Pseudonymization can significantly support personal data protection. It improves the protection of data. Pseudonymization consists in de-associating a data subject’s identity from the personal data being processed for that data subject. In practice, this is done by replacing one or more personal identifiers with what we call pseudonyms.

Different techniques can be used to this effect, which are based on the way pseudonyms are generated. Such techniques include counter, random number, hash function, hash-based message authentication code (HMAC) and encryption.

Although not essentially new, the process is explicitly referenced by GDPR as a technique to use to promote data protection by design and to secure the processing of personal data.

Don't miss