Advances in software and technology have opened up new opportunities for manufacturing facilities to improve their processes, training, operations, fulfillment and customer experience.
Unfortunately, the increased use and reliance on software and technology has left many companies vulnerable to cybercrimes such as hacking and breaches. These crimes can result in compromised data and theft of confidential, personal and protected health information.
To help us and our manufacturing customers minimize data risks, our developers have enhanced the latest release of InstantGMP™ PRO, our all-in-one manufacturing and quality system, to increase its cybersecurity and data protection capabilities.
In the following article, we’ll discuss how the latest enhancements to our software not only help us and our customers comply with federal and global privacy laws and regulations, but how they also increase cybersecurity for all electronically transferred and stored information.
New Enhancements for HIPAA Compliance
Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that safeguards the privacy of a patient’s protected health information (PHI) and prevents it from being shared or disclosed without the patient’s knowledge or consent.
Under HIPAA regulations, PHI is defined as any individually identifiable health information that is created and/or received by a healthcare provider, health plan, employer, or healthcare clearinghouse (a third-party mediator between healthcare providers and insured patients) that relates to:
- An individual’s previous, current or future physical/mental health or medical condition
- The provision of healthcare to an individual
- An individual’s payment history for the provision of healthcare
PHI includes information found in an individual’s health records such as lab results, appointments, invoices, and reports that can be used to determine the identity of the individual with reasonable accuracy and speed either directly or by reference to other publicly available information.
Examples of these patient identifiers found in PHI include (but are not limited to):
- Name, address and/or telephone number
- Email address
- Social Security Number
- Health plan account numbers
- URLs and/or IP addresses
- License/certification numbers
- Any unique identifying number, character or code
In order to minimize risk of compromised PHI, the HIPAA Security Rule requires manufacturers to:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained or transmitted
- Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the Privacy Rule
- Ensure compliance with these safeguards by its workforce
To help us protect our customers’ information and comply with HIPAA requirements, our team has built a series of policies and standard operating procedures (SOPs) to manage HIPAA security and define our software enhancements.
These new enhancements include the creation of a designated Privacy Officer who develops and implements the respective manufacturer’s privacy policies and procedures, receives and addresses all privacy-related complaints, determines how personal information is processed, and provides additional information as it relates to the Notice of Privacy Practices.
Our new enhancements are also designed to disclose/release only the minimum necessary information to allow users to complete a task. This is accomplished by limiting the provided PHI to only what is needed to accomplish the intended task, and/or by only allowing users with Protected Data Access permissions to view or download Protected Data files.
In addition to the Privacy Officer role and minimum necessary safeguards, our software enhancements include an SOP for breach assessments and notification. In the event of a breach:
- InstantGMP representatives will notify the Privacy Officer of the perceived breach;
- The Privacy Officer conducts a risk assessment, determines if the customer needs to be notified, and reports their conclusions to the President of InstantGMP;
- The customer is immediately notified by the Privacy Officer if their conclusion reveals that the breach will result in significant consequences.
By following these SOPs and policies we are able to enhance our software to manage the requirements of HIPAA guidelines and ensure compliance.
New Enhancements for EU GDPR
In addition to protecting patient information as per HIPAA requirements, our new software enhancements also protect personal data as defined by the EU General Data Protection Regulation (GDPR).
The GDPR was established to protect personal information (name, email address, home address, race, religion, etc.) and to define the processing of personal data.
According to GDPR guidelines, data processing is any operation performed on personal data, including:
In order to legally process this data, the GDPR states that one of the following lawful bases must apply:
- Consent of the data subject which the processor must be able to prove was obtained (Consent must be freely given, specific, informed, unambiguous, and revocable)
- Necessary for performance of a contract
- Necessary for legitimate interest of controller/processor
- Necessary to protect “vital interests” of data subject or other natural person(s) (i.e., risk to life or safety)
- Necessary for compliance with EU or Member State law (this does not include compliance with U.S. or Maryland law)
The consequences for failure to comply with GDPR regulations can be substantial for manufacturers. Fines are typically 4% of total worldwide annual turnover or €20 million, whichever is higher.
In order to avoid any significant violations/penalties and ensure adherence to all key definitions related to the lawful bases for processing, InstantGMP has implemented a Data Protection Policy for full compliance:
- InstantGMP provides fields that their customer can use to collect personal data
- InstantGMP does not obtain or process personal data (e.g., InstantGMP does not sell or share personal data with third parties)
New Enhancements for Increased GMP Cybersecurity
To further ensure that InstantGMP PRO software is in compliance with all HIPAA and GDPR requirements, we have updated our cybersecurity protocols and functionality by encrypting all data.
Information that travels from a browser to a cloud-based database is vulnerable to interception by cybercriminals. In order to prevent criminals from stealing data as it travels to and from our database, InstantGMP has Encryption In Transit protection. All data that is transferred across the internet to and from InstantGMP is encrypted. In the event that the information is stolen in transit, it will remain protected as only InstantGMP has access to the encryption key that unscrambles the data.
To safeguard all of the customer information that is stored in our database, InstantGMP has implemented Encryption At Rest protection. Similar to Encryption In Transit, this system encrypts every piece of information in our database. In the event that our database is hacked, the hackers will be unable to decipher any of the information. Only InstantGMP can translate the information to recognizable characters with the use of an encryption key.
InstantGMP is always looking for new and innovative ways to upgrade our all-in-one manufacturing and quality system. We do this to ensure that our customers always have a system that provides them with the most up-to-date features to improve their processes, increase their productivity, provide great access and transparency to their clients, and ensure GMP compliance.
With the latest release of InstantGMP PRO, all of these enhancements will be part of the foundation of the software to ensure that our system is more secure and complies with HIPAA and GDPR requirements to provide greater transparency and protection of our customers’ vital information.