Ensuring data privacy and security compliance for users of remote surgical assistance technology

For MedTech reps and healthcare professionals alike, when you’re using remote assistance technology to connect with the operating room (OR) there are usually two key questions: is it easy to use? And is our data secure?

With an ongoing risk of external cyberattacks, alongside internal threats such as human errors and accidental data breaches, data privacy and security compliance are increasingly part of the conversation at the C-suite level. As an example, in 2021 nearly 40% of organizations in the UK reported a cyberattack. 

In tightly regulated industries like healthcare, data privacy and security compliance have long been an important consideration, whether that’s the sharing of patient data between doctors’ surgeries and hospitals, or the security compliance within medical device companies.

When it comes to using remote surgical assistance technology, how can medical professionals and medical device companies stay secure and compliant?


Knowing the risks

In a sector that is both heavily regulated and handles a lot of sensitive data, getting data privacy right from the outset is essential for two reasons: a data breach is expensive to put right, and it is hugely damaging to professional and institutional reputations and to patient confidence.

On the surface, and without an understanding of the security in place ‘under the hood’, streaming live surgery over an internet connection carries obvious risk. The good news is that these risks can be mitigated, and because we work alongside leading surgeons, healthcare providers, and medical device companies, data privacy and security compliance are built into Rods&Cones technology as standard.

As a company, our information security program sets out clear and actionable practices across administrative, technical, and operational controls. To go beyond the industry standard, Rods&Cones is committed to getting the privacy and security details right: from understanding the privacy and security implications of remote access technology to allocating the right resources where they are needed. That is why we appointed a data privacy expert and consultant, Oriol Llaurado, to raise the bar and drive security risks down even further.


Data privacy and security expertise

“Firstly, we have legally binding contracts with customers stating how we will protect their data. Secondly, we apply the minimization principle stated in the GDPR. By design, our products and apps collect the minimum amount of data to provide our services.”

– Oriol Llaurado, Privacy Officer, Rods&Cones 

Oriol Llaurado specializes in the impact of technology on privacy. His background is in the corporate sector, where he mainly focuses on legal compliance around the collection of customers’ data. Since 2014, Oriol has focused on data privacy and data protection.

Both MedTech companies and hospitals have an ethical and legal responsibility to ensure patient data is handled securely and correctly. Customer data is protected by legally binding contracts and by legislation such as the General Data Protection Regulation (GDPR), but there is also an ethical duty to patients and medical professionals. Bringing equipment into the OR that can broadcast live surgery is an obvious security concern, so it is important to know how security and data protection are upheld.

Because of its application within healthcare, Rods&Cones is sometimes seen as a medical device company, so people are often surprised to learn that, by design, Rods&Cones has no access to medical data. All patient data is held by the hospital; Rods&Cones technology does not require access to it. The same applies to recorded footage, which is not stored by Rods&Cones. Internally, we follow the GDPR minimization principle, collecting only the minimum amount of customer data.

Broadcasts from the OR are end-to-end encrypted: the stream is encrypted on the sending device and decrypted only on the receiving device, for example from the visOR headset to a remote surgeon’s computer, so it is protected from third-party access in transit. For anyone evaluating any ‘end-to-end’ claim, the question to ask is where the decryption keys live; if only the two endpoints hold them, an intermediary can forward the stream but cannot read it. Our platform and the personal data it stores are hosted in the cloud on Microsoft Azure, which is certified against ISO/IEC 27018 (the code of practice for protecting personal data in public cloud services) and provides 256-bit AES encryption of stored data, backups and disaster recovery, and TLS with 128-bit cipher suites (still widely marketed as ‘SSL encryption’) for web communications.
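To make concrete what ‘end-to-end’ means in the paragraph above, here is an added example written for this page; it is not Rods&Cones’ own protocol or code and makes no claim about how their product works internally. Two endpoints, standing in for the visOR headset and the remote surgeon’s computer, agree a key with X25519 and encrypt each frame with AES-256-GCM, while a relay standing in for a cloud platform forwards frames it cannot read and whose tampering the receiver detects. The frame payloads, the key-derivation label and all names are constructed for the example, and the SHA-256 key derivation stands in for HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed stand-ins for encoded video frames leaving the OR (not real data).
var sampleFrames = [][]byte{[]byte("frame-0001: laparoscopic view 1920x1080"), []byte("frame-0002: instrument in field")}

// Frame is all the relay ever carries: a random nonce and AES-GCM ciphertext plus tag.
type Frame struct{ Nonce, Ct []byte }

// Session is one endpoint (headset in the OR or remote surgeon's computer); its X25519 private key never leaves the device.
type Session struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
	next uint32 // frame counter: next to send, or next expected when receiving
}

func NewSession() *Session {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; the demo cannot continue safely
	}
	return &Session{priv: priv}
}

// PublicKey is the only key material that is sent through the relay.
func (s *Session) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// Derive turns the X25519 shared secret into a 256-bit AES-GCM key (SHA-256(shared || label) stands in for HKDF).
func (s *Session) Derive(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := s.priv.ECDH(pub)
	if err != nil {
		return err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("or-stream-v1/aes-256-gcm")) // hypothetical context label
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts one frame under a fresh random nonce. The frame counter is bound as
// associated data, so a replayed, dropped or reordered frame fails at the receiver.
func (s *Session) Seal(plaintext []byte) Frame {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ct := s.aead.Seal(nil, nonce, plaintext, binary.BigEndian.AppendUint32(nil, s.next))
	s.next++
	return Frame{Nonce: nonce, Ct: ct}
}

// Open authenticates and decrypts one frame against the receiver's own counter.
func (s *Session) Open(f Frame) ([]byte, error) {
	pt, err := s.aead.Open(nil, f.Nonce, f.Ct, binary.BigEndian.AppendUint32(nil, s.next))
	if err == nil {
		s.next++
	}
	return pt, err
}

// RunStream runs the exchange and returns the frames recovered on the surgeon's computer,
// the bytes the relay saw, and the frames the receiver rejected (tamper flips a bit in frame 2).
func RunStream(tamper bool) (received, relayed [][]byte, errs []error) {
	headset, surgeon := NewSession(), NewSession()
	// Public keys cross the relay; each side derives the same key locally.
	if err := errors.Join(headset.Derive(surgeon.PublicKey()), surgeon.Derive(headset.PublicKey())); err != nil {
		return nil, nil, []error{err}
	}
	for i, pt := range sampleFrames {
		f := headset.Seal(pt)
		relayed = append(relayed, append([]byte(nil), f.Ct...)) // relay holds only ciphertext
		if tamper && i == 1 {
			f.Ct[0] ^= 0x01
		}
		if out, err := surgeon.Open(f); err != nil {
			errs = append(errs, err)
		} else {
			received = append(received, out)
		}
	}
	return received, relayed, errs
}

func main() {
	rcv, rly, errs := RunStream(true)
	fmt.Printf("decrypted %d of %d frames, relay saw %d opaque ciphertexts, rejected: %v\n", len(rcv), len(sampleFrames), len(rly), errs)
}
```

The relay never holds a private key or a session key, so the most it can do is read metadata, drop frames or alter bytes; the GCM tag makes alteration and reordering detectable at the receiver. Transport-only encryption (the ‘SSL’ between each device and the platform) would instead terminate at the platform, which is exactly the distinction to probe when a product claims end-to-end encryption.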

Through a combination of robust data security measures and a commitment to continuous training, Rods&Cones meets its regulatory responsibilities. And because we know how important data privacy and security compliance are to our customers, we have gone further and are working towards certification against ISO/IEC 27001, the (non-statutory) international standard for information security management systems.


Peace of mind for users of remote assistance technology

The bottom line? For any new device or technology with application in the healthcare sector, robust data privacy and security compliance are an essential part of the offering. 

For medical professionals, patients, and medical device companies themselves, security features are not an optional extra or a ‘nice to have’: they are a business-critical component and a regulatory requirement that needs to be right from the outset.


Looking for more detailed information about the security credentials of remote assistance technology from Rods&Cones? Read our full security statement.
