The International Information Cybersecurity Encounter, ENISE (in Spanish initials), organized by Spain’s National Cybersecurity Institute (Instituto Nacional de Ciberseguridad de España: INCIBE), is Spain’s benchmark cybersecurity event. At this year’s encounter Javier Zubieta, Marketing and Communication Manager of GMV’s Secure e-Solutions sector, gave a presentation on the sensitive nature of healthcare data and the strategies GMV is now using to ensure its privacy. He focused on the work the company is carrying out for the HARMONY project (Healthcare Alliance for Resourceful Medicine Offensive against Neoplasms in Hematology), Europe’s biggest public-private consortium studying neoplasms in hematology (53 partners from 11 countries). HARMONY forms part of the public-private “Big Data for Better Outcomes” (BD4BO) program of the European Innovative Medicines Initiative (IMI), jointly financed by the European Commission and the European Federation of Pharmaceutical Industries and Associations (EFPIA).

HARMONY combines top-quality clinical data with unique data to optimize and boost the accuracy of the treatment of hematologic malignancies. It involves a multidisciplinary partnership of stakeholders: patients, healthcare professionals, regulatory associations, HTAs, the pharmaceutical industry and academics. As Zubieta explained, as well as assessing sources to gauge the quality of its clinical data “it also integrates several sources of data offering a varied range of types and information, using a common data model”. The overarching aim is “to obtain responses and conclusions deriving from the joint analysis of diverse data sources; this would not be possible if working with a single source”. Furthermore, to guarantee data privacy “an anonymization-driven definition is made of GDPR-compliant data flows, with the support of ethical committees and legal experts, and cooperating with other projects under the BD4BO umbrella”.

Medical research, as the cybersecurity expert pointed out, “calls for real, truthful, top-quality data. This data is also considered to be especially sensitive, so the data subject’s privacy needs to be guaranteed at all times”. This means that respondent patients have to be anonymous and “this anonymization process must involve the Cavoukian Privacy-by-design or ISO 29100 principles”.

In the particular case of HARMONY, as Zubieta explained, several privacy-safeguarding activities will be carried out, including “a risk analysis focusing on data privacy: What data am I going to need? How am I going to process it? This needs to involve all project stakeholders across the board: medics, legal-, ethical- and technical-experts, and taking into account all legislation of Europe’s General Data Protection Regulation and Spain’s own data protection law (Ley Orgánica de Protección de Datos: LOPD) plus counterpart laws from the other participating countries”. Once risks have been identified “all due security controls then need to be implemented to reduce risk and ensure privacy, using all available tools: ISO 27002 standards...”

Several data-anonymization options were weighed up for data already uploaded to the platform and to be uploaded in the future from public institutions and cooperative national and European groups inputting their patient data, plus data originating from clinical trials conducted by the pharmaceutical industry. In light of all this evidence, de facto anonymization was eventually chosen, applying “necessary technical, organizational, contractual and security measures so that any attribution of individual data to the person in question would call for an unreasonable effort in terms of time cost and labor”. The end result is “isolation of the data subject’s information without transforming it, achieving irreversibility by means of cybersecurity controls”. This ensures “total shielding of the data (and its access) so that, while real, it is impossible to work back to the data subject”.

Who benefits from the HARMONY project? In the words of the hematologists leading the project, Jesús Hernández and Guillermo Sanz: “patients, hematologists, scientists, the pharmaceutical industry, regulatory agencies … we all benefit, because a European data platform of these diseases, which we expect to continue working beyond the five-year project term, will help to enhance the quality of treatment and ensure new drugs are approved on the basis of real data and become available to patients more quickly”.

Cybersecurity solutions to deal with autonomous-vehicle challenges

Alongside the encounter the first workshop on the Cybersecure Connected Vehicle was also held, with the participation of Carlos Sahuquillo, Automotive Cybersecurity Consultant of GMV’s Secure e-Solutions sector. The workshop dealt with various success stories and debated some of the burning issues involved in supporting the automotive and transport industries in current and future challenges of the digital transformation. Sahuquillo talked about the various cybersecurity attacks that GMV has brought to light in autonomous vehicles and identified features that could render vehicles vulnerable to unauthorized entry, such as the digital key or parking assist. To deal with these challenges GMV has developed Secure Smart Key ECU and the Intrusion Detection and Prevention System (IDPS). The former is a smart key design for connected cars based on biometric authentication while IDPS monitors network traffic to flag up any malicious activities or anomalous behavior.

Workshop participants came to the conclusion that cybersecurity measures are needed that cater for the whole vehicle lifecycle: design, manufacture, delivery, maintenance, etc. Any hacker, otherwise, could exploit the new connected vehicle vulnerabilities in any of its phases. As well as obtaining GDPR-compliant user consent to use this data and heading off any driver data theft, this calls for various types of security tests right from the start, to be able to interconnect with other vehicles, traffic and smart cities.