Methodology and workflow to perform the Data Protection Impact Assessment in healthcare information systems

Background: The General Regulation on Data Protection (GDPR) modernizes and harmonizes personal data protection laws across the European Union, affecting all economic sectors including the healthcare industry. The new regulation introduces two specific duties: the Record of Processing Activities (ROPA) and, for each high-risk processing, the Data Protection Impact Assessment (DPIA). Currently, there are no specific DPIA methodologies for the healthcare environment, but only broad methodologies applicable in all economic sectors. Objectives: This work aims to propose a methodology to perform DPIA for healthcare information systems, considering the specific constraints and criticisms posed by the heterogenous and highly sensitive nature of data and software use in hospitals. Methods: We first performed a GDPR analysis and an examination of other sources regarding DPIA.This analysis led to the identification of issues related to GDPR application in the healthcare environment. We then developed a workflow for DPIA execution, and implemented a software to apply it in a real environment. The methodology was applied on 11 softwares and devices already in use in the Trieste area, Italy. Results: The most important issue identified in the analysis is the definition of "processing activity", which was overcome by focusing the methodology on the information system processing the data instead of the processing activity per se. We therefore designed a workflow for the risk assessment of an information system establishing that the DPIA shall be performed after the purchase, usually a bid with strict IT security requirements of the information system, but before its deployment in the real environment. The validation of the developed software to implement the workflow on the 11 softwares showed the ability of the proposed workflow to perform the DPIA, and to uncover some important issues in the examined systems. Conclusions: The proposed methodology can be applied to perform DPIA in the healthcare environment by supporting risk evaluation and management, focusing on each software component added to the healthcare information system