Recovering from a data-privacy incident and implementation of an end-to-end encryption

As the data-privacy incident came to the attention, senior executives rushed to understand and control it. They felt in the dark about technological measures and the level of encryption expected from data-privacy authorities to properly protect sensitive patient data.

We were asked to help analyze and prioritize risks, improve the cybersecurity of the adverse event reporting channel and protect sensitive patient data to meet the authorities’ expectations.

The challenge was to manage the uncertainty about the expectations of acting data-privacy authorities in times of change, the impact of the General Data Protection Regulation (GDPR) and the building of data-encryption capabilities.

Within 10 days we have developed a reliable incident response program:

  • Diagnosed current data-protection capabilities and gaps of the current adverse event reporting process

  • Aligned stakeholders and business-unit heads around the action plan and communication strategy with data-privacy officials

  • Worked with compliance and IT teams to put the new program into action, delivered a new end-to-end encrypted channel for patients to safely report adverse events