ICO: Regulatory sandbox report Novartis Pharmaceuticals UK Ltd

“The latest Sandbox report is from medicines company Novartis, which uses innovative science and digital technologies to help transform patient care and improve their experiences and outcomes.

When Novartis entered the Sandbox in July 2019 the original vision was for a voice-enabled web portal allowing patients to fill in health questionnaires from home – retaining a high standard of care but reducing unnecessary face to face appointments.

The ‘Digital Solution’ was designed to allow clinicians to draw upon the data provided online by patients, examine any changes to their patients’ condition and allow prioritisation of patients who need to be seen more urgently in clinic. Engaging with patients from their perspective remotely allows for better clinical decision-making and less footfall in clinics.” [..]

Overview
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/02/supporting-novartis-to-improve-patient-care-during-the-pandemic/

Report
https://ico.org.uk/media/for-organisations/documents/2619244/novartis-sandbox-report.pdf

ENISA: Pseudonymisation Advanced Techniques and Use Cases

https://www.enisa.europa.eu/news/enisa-news/cybersecurity-to-the-rescue-pseudonymisation-for-personal-data-protection

Advanced pseudonymisation techniques
Ring signatures and group pseudonyms; chaining mode; pseudonyms based on multiple identifiers or attributes; pseudonyms with proof of ownership; secure multiparty computation; secret sharing schemes

Pseudonymisation use cases in healthcare
Patient record comparison use case; medical research institution use case; distributed storage use case

Advanced pseudonymisation scenario: the data custodianship
Notion of data custodianship; Personal Information Management System (PIMS) as data custodian; data custodian as a part of the hospital; data custodian as an independent organisation; interconnected data custodian network

Pseudonymisation use cases in cybersecurity
Entities and roles; file reputation; URL reputation; Security Operations Centres; consumer customer support; protection gap and real-time protection

Report:
https://www.enisa.europa.eu/publications/data-pseudonymisation-advanced-techniques-and-use-cases/at_download/fullReport
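
The following is an added worked example, not code from the ENISA report or from any of the organisations above. It ties three items from the summary together: pseudonyms built from multiple identifiers or attributes (canonicalised before hashing), chaining mode (a hospital key applied first, a data custodian key applied second, so that re-identification needs both), the patient record comparison use case (two sites learn only which patients they share), and a secret sharing scheme (the custodian key split 2-of-3 between custodians in an interconnected network so that no single custodian holds it). The hospital/custodian key arrangement, the sample records, the canonicalisation rule and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Prime field for the secret sharing part: 2**255 - 19 is prime and far larger
# than the 128-bit keys shared here.
PRIME = 2**255 - 19


def normalise_identifiers(surname, given, dob):
    """Canonicalise several identifiers/attributes into one hash input.
    Pseudonyms built from multiple attributes only match across parties if
    every party canonicalises identically; here accents, case and whitespace
    are stripped (a deliberately simple rule, assumed for this example)."""
    parts = []
    for field in (surname, given, dob):
        ascii_only = unicodedata.normalize("NFKD", field).encode("ascii", "ignore").decode()
        parts.append("".join(ascii_only.split()).upper())
    return "|".join(parts).encode()


def pseudonymise(key, identifier):
    """Keyed hash (HMAC-SHA256): deterministic under one key, unlinkable without it."""
    return hmac.new(key, identifier, hashlib.sha256).hexdigest()


def chain_pseudonymise(keys, identifier):
    """Chaining mode: each entity feeds the previous pseudonym into its own keyed
    hash, so re-identifying the final pseudonym needs every key in the chain."""
    current = identifier
    for key in keys:
        current = pseudonymise(key, current).encode()
    return current.decode()


def shared_patients(records_a, records_b, keys):
    """Patient record comparison: two sites exchange only chained pseudonyms and
    learn which patients appear in both, never each other's identifiers."""
    pseudonyms_a = {chain_pseudonymise(keys, normalise_identifiers(*r)) for r in records_a}
    pseudonyms_b = {chain_pseudonymise(keys, normalise_identifiers(*r)) for r in records_b}
    return sorted(pseudonyms_a & pseudonyms_b)


def split_secret(secret, shares, threshold):
    """Shamir secret sharing over GF(PRIME): the secret is the constant term of a
    random polynomial of degree threshold-1; any `threshold` shares recover it."""
    coefficients = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coefficients):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0 from `threshold` or more distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                numerator = (numerator * xj) % PRIME
                denominator = (denominator * (xj - xi)) % PRIME
        total = (total + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return total


# Constructed sample records (not real patients): (surname, given name, DOB).
HOSPITAL_A = [("Müller", "Anna", "1980-02-14"), ("Smith", "John", "1975-07-01")]
HOSPITAL_B = [("Muller", "Anna ", "1980-02-14"), ("Jones", "Mary", "1990-11-30"),
              ("Smith", "John", "1975-07-01")]

# Assumed key set-up: both hospitals hold KEY_HOSPITAL, the custodian KEY_CUSTODIAN.
KEY_HOSPITAL = secrets.token_bytes(16)
KEY_CUSTODIAN = secrets.token_bytes(16)


def demo():
    """Compare the two sites, then split the custodian key 2-of-3 and recover it
    from two of the three shares."""
    matches = shared_patients(HOSPITAL_A, HOSPITAL_B, [KEY_HOSPITAL, KEY_CUSTODIAN])
    custodian_secret = int.from_bytes(KEY_CUSTODIAN, "big")
    shares = split_secret(custodian_secret, shares=3, threshold=2)
    recovered = recover_secret([shares[0], shares[2]])
    return {"shared_patients": len(matches), "key_recovered": recovered == custodian_secret}


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the example makes visible: a keyed hash is only as strong as the secrecy of the key, so the split-key step matters more than the hash choice; and the canonicalisation step is where real record comparison usually fails, since "Müller" and "Muller" only match because both parties agreed on the same normalisation in advance.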

References for Hospital Systems in the Cloud (Germany)

Rahmenbedingungen Cloud-basierter Krankenhausinformationssysteme (Framework conditions for cloud-based hospital information systems)
https://kh-digitalisierung.de/files/downloads/Haas_Schneider_Cloud-KIS-Gutachten.pdf

Informationen zur Zulässigkeit der Datenverarbeitung außerhalb Deutschlands im Zusammenhang mit dem Prüfverfahren des BfArM gemäß § 139e Fünftes Buch Sozialgesetzbuch (SGB V) (Information on the permissibility of data processing outside Germany in connection with the BfArM assessment procedure under § 139e of the Fifth Book of the Social Code, SGB V)
https://www.bfarm.de/SharedDocs/Downloads/DE/Medizinprodukte/Datenverarbeitung_au%C3%9Ferhalb_Deutschlands_FAQ.pdf?__blob=publicationFile&v=3

References:

IAPP article: How does GDPR apply to clinical trial sponsors outside EEA? Views of EEA DPAs

The authors polled the EEA DPAs on the following questions (reproduced below as they were sent to the DPAs):

  • Does the GDPR apply to a clinical trial sponsor based outside of the EEA if it is conducting clinical studies in the EEA?
    • Most DPAs answered yes; the rest said it depends on a factual analysis of the processing.
  • Is patient data processed under a clinical trial considered “personal data” even if it is pseudonymised?
    • All DPAs that answered said yes.
  • If a clinical trial is being conducted in your jurisdiction, would the sponsor and the principal investigator be considered joint controllers of the personal data of the trial participants (data subjects)? Alternatively:
    • Is the sponsor the data controller while the principal investigator acts as a processor on behalf of the sponsor?
    • Is the principal investigator an independent data controller together with the sponsor?
    • Views varied between DPAs.

https://iapp.org/news/a/how-does-the-gdpr-apply-to-clinical-trial-sponsors-outside-the-eea-views-of-eea-dpas/

NIST Releases Supplemental Materials for SP 800-53 and SP 800-53B: Control Catalog and Control Baselines in Spreadsheet Format

https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final