Cybersecurity and ethics: Basic considerations

Cybersecurity practices aim to secure data, computer systems, and networks by protecting the integrity, functionality, and reliability of the human institutions and practices that rely upon them.1

When health data is exchanged between different hospitals or health centres (for instance when accessing patient records, scheduling appointments, or participating in clinical research projects), the data can be highly exposed to third parties. IT (Information Technology) solutions (apps, software, wearables, medical devices) are being used to collect and process biometric, health and personal data in hospitals and medical centres around the world. IoT (Internet of Things) allows data from patient health devices connected to the internet and cloud services to be processed. AI (Artificial Intelligence), machine learning algorithms and blockchain-based solutions are increasingly used, allowing large amounts (Big Data) of highly sensitive personal data to be processed across different centres and countries.

The healthcare sector deals with personal and health data, which fall into the special category of sensitive data (according to the General Data Protection Regulation, GDPR)2. Therefore, ethical and privacy considerations are necessarily at the centre of cybersecurity practices. Data protection is a fundamental right, so organizations must ensure that the privacy of individuals is secured, that their data cannot be accessed, used or transferred without those individuals’ knowledge and consent, and that data is not misused for purposes other than those anticipated. In addition, subjects need to provide explicit consent to the processing of their personal data, including secondary use or reuse in future research projects.

As mentioned before, the ethical and privacy considerations around participant and patient data are significant. The Convention on Human Rights and Biomedicine (Oviedo Convention)3 is a framework for protecting the dignity and identity of all human beings and guarantees everyone, without discrimination, respect for their integrity and other rights and fundamental freedoms with regard to the application of biology and medicine. It sets out fundamental principles applicable to daily medical practice and is regarded as the European treaty on patients’ rights. In the field of ethics, there are four main ethical principles that always need to be respected: autonomy, justice, beneficence, and non-maleficence. After these considerations, it is clear that access to individual participant data and trial documents should be as open as possible and as closed as necessary, to protect participant privacy and reduce the risk of data misuse.4 Individual participant data sharing should be based on broad consent by trial participants (or, if applicable, by their legal representatives) to the sharing and secondary reuse of their data for scientific purposes, according to applicable laws, regulations, and policies.

In any case, besides the legal framework and ethical principles mentioned, data should also abide by the FAIR principles (Findable, Accessible, Interoperable, Reusable).5 There are evident difficulties in working under the Open Data mandates (Open Data, Open Science) to ensure that data is accessible and reusable while at the same time complying with national and EU legislation on personal data protection and privacy and following the main ethical guidelines. Increasingly, technical solutions that ensure anonymisation, encryption, privacy protection, and data de-identification are being used to this end, as well as to increase society’s trust in data sharing.4

Finally, a balance between privacy considerations and data processing must be found, so that individuals are protected while the community and society at large can benefit from the new types and amounts of data for public health, the advancement of research, and in general for the greater good.


Diana Navarro-Llobet

Fundacion Privada Hospital Asil de Granollers, Spain


2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
4. RDA Guidelines.