Protecting public sector data | How to comply with the GDPR, HIPAA, and NIS2

In the public sector, data isn't merely a collection of bytes; it represents patients, residents, students and more. Failure to properly manage data results in headline-worthy events, resulting in a loss of trust, reputational damage, and large fines.

So, when it comes to compliance, infosec leaders must account for every potential incident, identifying the most risky vectors and behaviors which could result in a data loss incident. Understandably, this goes beyond routine cybersecurity concerns. 

Recognizing this, regulatory bodies worldwide have enacted robust frameworks to ensure the sanctity of PII; the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the forthcoming Network and Information Systems Security directive (NIS2) all increase the responsibilities of public sector entities to protect sensitive patient data.

GDPR, HIPAA, and NIS2: A unified call for vigilance

The purpose of data protection regulations (including the GDPR, HIPAA, and NIS2) is to support organizations in shaping effective data protection strategies: 

• GDPR mandates organizations operating in the EU to implement robust safeguards to ensure data confidentiality, integrity, and availability. 
• HIPAA enforces stringent privacy and security standards for protected health information (PHI) in the United States.
• NIS2 comes into force in all European countries in October 2024, and mandates medium to large entities in all sectors to establish technical and organizational measures to mitigate network security and information system risks. The regulation explicitly emphasizes the use of encryption and secure communication platforms to protect sensitive information, aligning with the principles advocated by GDPR and HIPAA.

Does sharing data by email meet compliance? 

In the majority of public sector organizations, email remains the primary method of communication. Typically, for organisations that keep up with compliance regulations, emails and files are transmitted via Transport Layer Security (TLS). However, while TLS encryption provides a layer of protection, it lacks comprehensive security features such as server and recipient authentication. 

Without things like robust server and recipient authentication, data transmitted via email remains vulnerable to interception and unauthorized access. Effectively, this means that while technically compliant, institutions are often falling short of their responsibilities to employ robust security to protect data. 

That isn’t to say that we should no longer use email. Email is universal, user-friendly, and accessible. Rather than implementing clunky alternatives to engage with residents and patients (such as complex portals, non-compliant file transfer solutions and direct messaging applications), email must instead be enhanced to meet compliance regulations, making it a safe option for transmitting sensitive data. 

5 ways in which Zivver supports compliance for the public sector

Through seamless integration with existing email platforms (M365, Outlook and Gmail), Zivver enables automated security measures to align with organizational policies and the evolving compliance landscape.

Zivver protects the confidentiality and integrity of data with robust zero access encryption, human error prevention tools, and MFA - integral aspects of the GDPR, NTA 7516, HIPAA, and NIS2 compliance. 

“In a world where paper and postage is quickly being replaced by digital engagement, we must be able to facilitate this whilst ensuring accessibility for all patients. Zivver provides a truly simple user-friendly experience and that is very important for us.” Royal Papworth NHS Trust

1. Reporting on data loss and near-misses: Data logging 

Zivver logs all data on emails sent securely, thereby providing a full account of email performance, including when emails were sent, received, forwarded, and the security levels applied. 

Users can also view who has opened an email, meaning that, in the instance that an email is recalled, employees can determine whether a data incident has occurred. Data protection professionals are empowered to take action quickly and provide a full account of due diligence.

2. Managing email access and recalling data

The leading cause of data incidents, according to the ICO, remains human error. Misdirected emails, misuse of Bcc, and failure to revoke sensitive data, however, are all errors which can be avoided with effective recall functionality. And yet, recall is largely limited in standard email clients. 

Through seamless integration with your familiar email environment, Zivver empowers employees to recall emails quickly and easily, without time limits. 

What’s more, senders can confirm whether an email has been opened by the recipient prior to recalling it. If the email is yet to be opened, the organization can guarantee a data leak has been avoided.

“We handle the most sensitive data prior to an individual becoming a tenant and this is done via email. Individuals will provide identification, personal information, and even healthcare data and they can do this securely with Zivver, without creating accounts.” Woonplus Schiedam 

3. Controlling recipient access to sensitive data with MFA

The NIS2 directive places great emphasis on the use of MFA to prevent unauthorized access to sensitive data.

With Zivver, employees can apply MFA controls to emails, requiring recipients to input time-based one-use codes or passwords to access their message, depending on the controls agreed between the sender and recipient. 

4. Effortless human error prevention

Recalling emails, applying encryption, acting on potential security hazards - we make behaving securely, easy. Zivver operates silently in the background on email clients, intervening only to alert users to the presence of sensitive data or potential errors in the body or attachments of emails. 

With one click, employees can apply advanced encryption and take action to prevent data leaks. 

Simply put, employees like Zivver because it makes doing the right thing effortless.

“Data protection and compliance are real concerns for us. If an email is sent to the wrong person, Zivver enables the sender to recall it, without limits. We also have visibility of whether the email was opened by the recipient. Even when we have evidence that a data incident has been avoided, we still report to the ICO and provide evidence of how the incident was controlled. Zivver provides this information with automated audit logs.” South Kesteven District Council

5. Enhancing TLS 

While TLS contributes to the protection of data during email transmission, it addresses only one part of the GDPR's comprehensive mandate, and includes some limitations which warrants additional layers of security.

Zivver employs zero-access encryption, a superior approach to end-to-end encryption that ensures email content is protected without relying on specific platforms or services. 

By leveraging public-private key encryption and securely performing operations on virtual servers, zero-access encryption addresses the shortcomings of end-to-end encryption and provides a robust framework for safeguarding sensitive information. 

Read more about how Zivver is empowering healthcare organizations such as West Suffolk NHS Foundation Trust and Royal Papworth Hospital NHS Foundation Trust to meet compliance. 

Speak to our security experts to see how Zivver can support your organization in meeting compliance requirements.