09 Sep, 2020

Remote Working in the Health Sector and KVKK

Due to the recent epidemic, remote working has been adopted in the health sector, as in every other sector. However, as is well known, the protection of personal data, and of sensitive personal data in particular, is of great importance because of the applicable laws and regulations. Data today carries a meaning far beyond its dictionary definition: almost all new technologies use artificial intelligence and machine learning and are built on data. That is why a data breach means much more than an administrative fine.

The remote working setup requires meetings and consultations to be held virtually. Any system vulnerability in the platforms used for this purpose can allow third parties to access the data exchanged during these sessions. For this reason, it is critical to determine which risks the platforms used in the health sector carry in terms of KVKK and which measures should be taken. We examined how these platforms should be configured and governed in terms of KVKK, as follows.

Issues to be considered as a priority in terms of KVKK:

  • Consultant-client conversations must be transmitted in encrypted form, so that audio, video and chat content cannot be read in transit.
  • Within the scope of KVKK and the right to be forgotten (right to erasure) in the GDPR, the data subject's account must be deactivated after a defined retention period and all personal data held about them must be destroyed.
  • Within the scope of the obligation to inform the data subject under KVKK and the GDPR, the data subject should be informed by means of a privacy notice (clarification text) about how the system works, how the data is collected, how and where it is stored and to which parties it is transferred; where special categories of personal data (health data, biometric data, etc.) are processed, the data subject's explicit consent should be obtained.
  • The transfer of the personal data used and stored to third parties should be restricted as much as possible. Where a transfer does take place, a data processing agreement must be concluded between the parties, and the data controller must monitor and audit how the transferred personal data is kept.
  • It is preferable that the servers of the platform to be used are located in the country. Since the Personal Data Protection Board has not yet announced the list of safe countries, any data stored abroad has the potential to cause problems in the future.
  • Disabling the participants' ability to record the conversation will make it easier to monitor and control the data in use.
  • Whether the system contains security vulnerabilities should be determined by manual penetration tests carried out at regular intervals (at least every 6 months, since health data is involved).
  • An intrusion detection and prevention system (IDS/IPS) that continuously monitors the system should be used. Because purely signature-based detection cannot recognize an attack for which no signature exists yet, the system's use of anomaly-based (artificial intelligence / machine learning) detection is critical for detecting zero-day attacks.
  • At the same time, ensuring the security of the systems where personal data is kept is the Data Controller's responsibility. Therefore, all vulnerabilities that exist in the platform, or that have a high likelihood of arising in the future, should be remediated by the data controller with appropriate solutions.
  • KVKK technical measures to be taken for the platform should be determined by risk scoring.

Another critical issue here is the agreements to be made between the developers of the platform and the parties that will use it. In these contracts, the platform's owners should state clearly which security controls the party using the platform must deploy to harden the system.

