In January, it was revealed that millions of address details, phone numbers and Citizen Service Numbers were stolen at the GGD and illegally trafficked by health department employees. A number of employees have since been arrested. The incident makes painfully clear (again) how important information security is in healthcare, where a lot of sensitive personal data is processed. In this blog, I outline the security rules healthcare providers must follow when exchanging patient data electronically.
Healthcare providers use the software of ICT suppliers when exchanging patient data electronically. Although ICT suppliers generally process patient data on behalf of the healthcare provider and can therefore be regarded as 'processors', ICT suppliers also bear responsibilities for patient data security and effective incident management in the event of data breaches. You can also read more about this in this blog series.
The security requirements for electronic patient records are laid down in the General Data Protection Regulation ("AVG"), the Supplementary Provisions for Processing Personal Data in Healthcare Act ("Wabvpz") and the Electronic Data Processing by Healthcare Providers Decree ("Decree").
Healthcare providers are required to keep a medical record of the patient's treatment. That record does not have to be kept electronically. However, healthcare providers are required to provide an electronic version of a paper record if requested by the patient.
The law distinguishes between different types of electronic patient records. If a healthcare provider makes a medical record or portions thereof electronically accessible to other healthcare providers, the law speaks of an electronic exchange system. Permission must be obtained for the exchange of data through an electronic exchange system. An example of such a system is the National Switch Point: a network through which healthcare providers can consult data about their patients in each other's systems.
If a healthcare provider uses an electronic system to process personal data in a file, but does not make it accessible to other healthcare providers (so that it is not an electronic exchange system), it is a healthcare information system. The HagaZiekenhuis healthcare information system was in the news because employees had unnecessarily accessed the medical records of reality star Samantha de Jong, better known as "Barbie".
The General Data Protection Regulation (AVG) requires both the healthcare provider and the ICT supplier to assess the risks to the electronic patient record and take measures to mitigate those risks. Those measures must ensure an "appropriate level" of security. Assessing whether there is an "appropriate level of security" should take into account technical possibilities, costs, risks and the nature of the personal data to be protected. Because health data is highly sensitive, the protection of this type of personal data is subject to very high security requirements.
As indicated, this AVG obligation rests not only on the healthcare provider as data controller, but also on the ICT supplier as processor. Moreover, the AVG requires the healthcare provider and the ICT supplier to make contractual agreements about this.
The AVG contains general requirements. These rules apply to all processing of personal data and provide a general framework. In certain areas, the AVG gives the legislator leeway to adopt specific laws and regulations. In that case, the specific laws and regulations take precedence over the AVG (where they deviate from it) or fill in the AVG's standards in more detail. This is also the case for securing patient data recorded in an electronic patient record: the specific healthcare legislation gives further substance to the measures that must be taken before one can speak of "appropriate security".
The Supplementary Provisions for Processing Personal Data in Healthcare Act ('Wabvpz') provides that further rules may be set for the security and use of a healthcare information system or an electronic exchange system. These rules are detailed in the Electronic Data Processing by Healthcare Providers Decree ('Decree'). The Decree makes mandatory reference to NEN 7510, NEN 7512 and NEN 7513. These NEN standards are now the accepted security standards in the practice of information security in healthcare.
Electronic exchange system requirements
System must meet NEN 7510 and NEN 7512. Under the Decree, the person responsible for an electronic exchange system is obliged to ensure that the system meets the technical and organizational requirements arising from NEN 7510 and 7512. It will not always be the case that the healthcare provider is the responsible party for an electronic exchange system. However, the Decree also provides that the healthcare provider must ensure safe and careful use of the electronic exchange system to which it is connected, in accordance with NEN 7510 and NEN 7512. Therefore, the healthcare provider will have to include in the agreement with the person responsible for the electronic exchange system that the system complies with NEN 7510 and 7512.
Audit obligation ICT supplier. Furthermore, the Decree requires the legal entity, other than the healthcare provider, that manages and maintains the electronic exchange system (the ICT supplier) to have the system audited by an independent third party to determine that the NEN standards are met. This must be recorded in the audit report.
System must be logged in accordance with NEN 7513. Those responsible for an electronic exchange system must also ensure that the logging complies with NEN 7513. According to the Besluit vaststelling vaststellingstermijn logging, log data must be kept for at least 5 years from the moment the log line is written.
Since the ICT supplier will act as processor on behalf of the healthcare provider, it must also demonstrably comply with NEN 7510 and NEN 7512 pursuant to Article 28 (1) AVG. In addition, the electronic patient record must be set up so that logging is applied in accordance with NEN 7513 and the care provider can meet the requirements of the Decree.
Care information system requirements
System must comply with NEN 7510 and NEN 7512. The healthcare provider, as the party responsible for a healthcare information system, must ensure safe and careful use of that system in accordance with NEN 7510 and 7512.
System must be logged according to NEN 7513. The healthcare provider must also ensure that the logging complies with NEN 7513 and keep the log data for at least 5 years. Pursuant to article 28 (1) AVG, the aforementioned obligations also rest on the ICT supplier in its role as processor.
Establish security policies and implement controls
The healthcare provider is also required to lay down the procedures and responsibilities surrounding the electronic exchange systems and internal healthcare information systems used in a policy. The healthcare provider and the person responsible for an electronic exchange system should regularly examine whether patient data are still adequately protected and should document the findings. Among other things, the ICT supplier can (and in cases may be required to under the processing agreement) provide support in the provision of information to the healthcare provider.
NEN standards
The NEN standards mentioned in the Decree provide frameworks for the necessary security methods for electronic health records.
NEN 7510 consists of two parts and focuses on healthcare institutions and other organizations involved in the provision of information in healthcare. Among other things, NEN 7510 provides instructions on the organizational and technical set-up of information security, for example, that access to the electronic file should be granted by means of two-factor authentication (ch. 9).
NEN 7512 deals with electronic communication between care providers and care institutions, with patients, with health insurers and other parties involved. NEN 7512 gives further detail to some of the guidelines of NEN 7510, for example on the security of data exchange.
NEN 7513 is also a further elaboration of NEN 7510 (where chapter 12 requires that log files be created and periodically checked) and deals with logging. Logging is a security method that makes it possible to find out who has had access to a patient record, according to which rules access was gained and which actions were performed on the patient record. NEN 7513 provides healthcare providers with guidance on logging and the use of logging to meet legal obligations and provides information system developers with a set of requirements that their information systems must meet. Patients also have the right to access this logging data.
Based on the AVG, the healthcare provider and the ICT supplier are required to ensure that electronic health records are secured appropriately. These security requirements can be both technical and organizational. Depending on the type of system (internal healthcare information system or electronic exchange system), the Wabvpz and the Decree specify the security requirements: NEN 7510, 7512 and 7513 must be met. If neither qualification applies, alignment with NEN 7510 must still be sought.
The parliamentary letter from Minister De Jonge shows that safeguards were in place to protect patient data, including privacy training, signing a confidentiality agreement, requiring a VOG (certificate of conduct) and logging searches combined with spot checks. But a number of things also went wrong - for example, many employees were given access to the data, the systems used included a print and/or export function, the checking of the logging was not automated and the GGD GHOR Nederland organization did not yet comply with NEN 7510 (and more). For the complete overview, please refer to the Parliamentary Letter. Solutions are now being worked on, for example in the form of a core team identifying and implementing additional measures.
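The NEN 7513 passage above says logging must make it possible to find out who accessed a patient record, under which rule and with which actions, and the GGD case shows what happens when that logging exists but is only spot-checked by hand. The following is an added example, not code from the post, from any NEN standard or from any GGD or hospital system: a small Python review script that runs over a constructed access log. The field layout (timestamp, user, patient, access basis, action), the user names, the one-hour window and the threshold of 20 distinct records are all assumptions chosen for illustration; the 5-year retention figure is the one the post states.

```python
"""Automated review of patient-record access logging (added example).

Constructed log format (assumption, not a NEN 7513 layout): CSV with
timestamp, user, patient, basis (the rule justifying access), action.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPORT_ACTIONS = {"export", "print"}


def constructed_log():
    """Build a constructed sample log: one clinician with a few reads, one
    account reading a burst of records plus an export, one read without basis."""
    base = datetime(2021, 1, 4, 9, 0, tzinfo=timezone.utc)
    rows = ["timestamp,user,patient,basis,action"]
    for i in range(3):  # normal treatment-related reads
        rows.append(f"{(base + timedelta(minutes=5 * i)).isoformat()},u_doc1,P{i:03d},treatment,read")
    for i in range(30):  # burst: 30 distinct records in 30 minutes
        rows.append(f"{(base + timedelta(minutes=i)).isoformat()},u_ops7,P{100 + i:03d},contact_tracing,read")
    rows.append(f"{(base + timedelta(minutes=31)).isoformat()},u_ops7,P130,contact_tracing,export")
    rows.append(f"{(base + timedelta(hours=2)).isoformat()},u_admin2,P001,,read")  # no access basis
    return "\n".join(rows) + "\n"


def parse_log(text):
    """Parse CSV log lines into dicts with an aware datetime under 'ts'."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def max_distinct_patients_per_window(entries, window=timedelta(hours=1)):
    """Per user, the largest number of distinct patient records touched in any
    sliding window of the given length (two-pointer scan over sorted events)."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    result = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        counts, left, best = defaultdict(int), 0, 0
        for e in evs:
            counts[e["patient"]] += 1
            while e["ts"] - evs[left]["ts"] >= window:  # slide window start forward
                p = evs[left]["patient"]
                counts[p] -= 1
                if counts[p] == 0:
                    del counts[p]
                left += 1
            best = max(best, len(counts))
        result[user] = best
    return result


def flag_high_volume(entries, threshold=20, window=timedelta(hours=1)):
    """Users who touched more than `threshold` distinct records in one window."""
    peaks = max_distinct_patients_per_window(entries, window)
    return sorted(u for u, n in peaks.items() if n > threshold)


def flag_exports(entries):
    """Bulk-extraction actions (print/export) deserve review on their own."""
    return [e for e in entries if e["action"] in EXPORT_ACTIONS]


def flag_missing_basis(entries):
    """Access without a recorded rule/basis cannot be justified afterwards."""
    return [e for e in entries if not e["basis"]]


def patient_access_report(entries, patient):
    """Who accessed one patient's record and how: supports the patient's right
    to see the logging about their own record."""
    return [(e["ts"].isoformat(), e["user"], e["action"])
            for e in sorted(entries, key=lambda e: e["ts"]) if e["patient"] == patient]


def retention_deadline(ts, years=5):
    """Earliest moment a log line may be deleted: 5 years after it was written."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return ts.replace(year=ts.year + years, day=28)


def may_delete(ts, now, years=5):
    return now >= retention_deadline(ts, years)


if __name__ == "__main__":
    log = parse_log(constructed_log())
    print("high-volume users:", flag_high_volume(log))
    print("exports:", [(e["user"], e["patient"]) for e in flag_exports(log)])
    print("no basis:", [(e["user"], e["patient"]) for e in flag_missing_basis(log)])
    print("P001 accessed by:", patient_access_report(log, "P001"))
```

Run as a scheduled job over the real log export, such a script turns the manual spot check into a daily review queue: the volume check catches the lookup pattern described in the GGD case, the export check gives the print/export function a second control, and the missing-basis check enforces that every access is tied to a rule, which is what makes the logging usable as evidence later.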