Data protection and data security are becoming increasingly important in the course of digitalisation. Nathanael Dänzer, Data Governance Manager at Swisscom Health, explains the difference between data protection and data security and why Swisscom Health hacks its own systems.
Text: Swisscom, Image: Swisscom, October 26, 2021
Everybody is talking about data protection and data security. But what’s the difference between them?
Nathanael Dänzer: The two terms are not entirely distinct; they are intertwined. But roughly speaking, data security relates to infrastructure. Are our entrances secure so that only authorised people have access to our offices and other premises? Are our data centres in a secure environment? Are our IT systems protected by a firewall? It involves protecting data from unauthorised access and loss. Data protection is about how data is handled. In other words, the conditions under which personal data may be collected, processed and used.
Does the human factor play a big role in data protection?
Yes. Everyone who has to deal with sensitive or secret data has to know how it may be handled.
It feels like we’re hearing more and more about successful hacker attacks. Take Comparis, for example. There have been cases in the healthcare sector as well, such as Pallas Kliniken recently. How well are our products protected against such attacks?
We cannot stop attacks on our products, but we can prevent hackers from succeeding. Our products are very secure. We put a lot of effort into ensuring that this is the case. The Comparis situation involved a ransomware attack. Such attacks usually exploit security loopholes in systems or result from careless employees opening harmful e-mail attachments, for example.
What specifically are we doing about this?
From a data protection point of view, Swisscom regularly trains its employees on this topic. We treat the data entrusted to us with the utmost care and in accordance with statutory requirements. “Privacy by design” is another important aspect.
What exactly does “privacy by design” mean?
It means that data protection principles are already adequately considered during product development and that numerous organisational and technical measures are taken to ensure data protection and data security.
«We cannot stop attacks on our products, but we can prevent hackers from succeeding. Our products are very secure. We put a lot of effort into ensuring that this is the case.»
Nathanael Dänzer, Data Protection Officer
And what are we doing from a data security perspective?
For example, Swisscom’s data is encrypted so that third parties cannot view it. In addition, together with numerous specialists, we monitor the global IT security situation as well as the IT risks for the healthcare sector. Security tests are an additional and efficient means of protecting against cyber attacks and verifying safety measures.
What kind of security tests are these?
These regular security tests are intentional attacks on our own infrastructure before cybercriminals strike. These attacks are not just carried out by our own security experts – we also work together with several external specialists in order to expand the available know-how and thus the variety of attack forms for such penetration tests.
Are security breaches such a regular occurrence for Swisscom Health?
Not a regular occurrence, but of course they have happened.
What do you do when you discover such a security breach?
We improve our products, take additional safety measures and thus eliminate these security issues. But Swisscom Health alone cannot guarantee data protection and data security. Although we do bear a great deal of responsibility as a provider, the users of our software – our customers – also have to do their share of the work. Our contracts with our customers therefore contain clear obligations for both parties with regard to data protection and data security.
What do our customers have to do?
For example, they need to keep their operating system up to date and use strong passwords as well as multi-factor authentication.
The revised Swiss Data Protection Act will come into force in the second half of 2022. What will this change for us and our customers in the area of data protection?
Since our customers work with particularly sensitive data, and therefore we do too, we have always given the highest priority to data protection. As a result, we already fulfil many of the requirements of the revised Swiss Data Protection Act at this point in time. As already mentioned above, “privacy by design” is one such aspect. Until the revised Swiss Data Protection Act comes into force, we will still regulate commissioned data processing with our customers and support them in providing data subjects with data concerning them in a commonly used electronic format. We will comply with all requirements until the law comes into force and will also contact our customers in this regard.