CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
6.3 Cybersecurity in the Healthcare Sector

In matters of health services, the Decree No 6/2022 of the Ministry of Health established the “Regulation on actions related to health care carried out remotely”, which is applicable to both public and private health providers. Thus, health providers who provide their services remotely must:

• guarantee the secure transmission of data and clinical information necessary for the granting of the benefit, using reliable mechanisms and reusable formats that integrate rules for the protection of personal data, the reservation of the clinical record, biomedical ethics, and the rights and duties of patients;
• ensure the traceability and registration of actions carried out with the support of ICTs;
• have specific procedures for ensuring confidentiality, according to the action or benefit granted;
• have privacy risk management plans, which allow the provider to minimise the risks associated with security breaches, especially if it is feared that this has resulted in some improper access or disclosure, alteration or modification of personal data relating to patients;
• keep a record of information security incidents; and
• report cyber-incidents to the Information Security Committee (CSI) of the Ministry of Health.
context of a consumer relationship must present adequate standards of precision, reliability and technical effectiveness to obtain well-founded results and to avoid causing harm to consumers of a material or immaterial nature. Thus, suppliers must act responsibly and with due diligence, which implies the need for a prior and continuous assessment of the risks that may arise for consumers from the use of AI systems.

In the context of the protection of personal data, SERNAC interprets that in accordance with the regulations on protection of personal data, the data controller responsible for the processing must undertake this processing with “due diligence” (Article 11, Law No 19,628), assuming responsibility for the damages caused.

Specifically, SERNAC interprets this duty as translating into the need to apply appropriate technical and organisational security measures, which guarantee the confidentiality, integrity and availability of the personal data in question, considering especially the risks involved in the processing activities and the nature of the data stored (including, among other elements, their level of sensitivity).
CHAMBERS.COM