Last week, news emerged of the large-scale illegal trade in personal data from two GGD corona systems. This incident makes it painfully clear (once again) how important good information security is, especially in healthcare, where a lot of sensitive personal data are processed.
In this blog, we explain the security rules for electronic patient records, for both healthcare providers and ICT suppliers.
Healthcare providers use the software of ICT suppliers in the electronic exchange of patient data. Although ICT suppliers generally process the patient data on behalf of the healthcare provider – and can therefore be regarded as a ‘processor’ – ICT suppliers also bear responsibilities for the security of patient data and effective incident management in the event of data breaches.
Security requirements for electronic patient data
The security requirements for the electronic patient records are laid down in the General Data Protection Regulation (GDPR), the Additional Provisions for Processing Personal Data in Healthcare Act (Wabvpz) and the Electronic Data Processing by Healthcare Providers Decree (Decree).
1. Electronic patient record – legal distinction
Healthcare providers are obliged to keep a medical file on the treatment of the patient. These records do not have to be kept electronically. However, healthcare providers are obliged to provide an electronic version of a paper file if the patient so requests.
The law distinguishes between two different types of electronic patient records. If a healthcare provider sets up a medical file, or part thereof, in such a way that it can be consulted electronically by other healthcare providers, the law speaks of an electronic exchange system. For the exchange of data through an electronic exchange system, permission must be requested. An example of such a system is the ‘Nationaal Schakelpunt’. This is a network through which healthcare providers can consult data about their patients in each other’s systems.
If a healthcare provider uses an electronic system for the processing of personal data in a record, but does not make it available for consultation by other healthcare providers (and therefore is not an electronic exchange system), it is a healthcare information system.
A well-known example that recently made the news is the care system of the Haga Hospital. The cause was a data breach that concerned employees who had unnecessarily viewed the medical data of reality star Samantha de Jong, better known as ‘Barbie’. The Dutch Data Protection Authority launched an investigation, which resulted in the hospital being fined €460,000.
2. General security requirements from the GDPR
As far as electronic patient records are concerned, the GDPR requires an assessment of the risks and the taking of measures to limit those risks. This obligation rests not only on the healthcare provider as a controller, but also on the ICT supplier. Moreover, the GDPR requires the healthcare provider and the ICT supplier to make contractual agreements in this regard.
The measures to be taken shall provide for an ‘appropriate level’ of security. The assessment of this security level shall take into account the technical possibilities, costs, risks and nature of the personal data to be protected.
The GDPR contains mostly general requirements. These rules form a general framework and apply to all processing of personal data. However, for some areas, the GDPR leaves room for specific laws and regulations. This is also the case for the security of patient data recorded in an electronic patient record. The specific healthcare legislation discussed below gives further substance to the measures that must be taken before one can speak of ‘appropriate security’.
3. Care-specific security rules
The Additional Provisions for Processing Personal Data in Healthcare Act (Wabvpz) sets further rules for the security and use of healthcare information systems and electronic exchange systems. These rules are further elaborated in the Electronic Data Processing by Healthcare Providers Decree (Decree). This Decree makes a mandatory reference to the so-called NEN standards, NEN 7510, NEN 7512 and NEN 7513.
Within healthcare information security, these are generally accepted security standards. They are discussed separately at the end of this blog.
Electronic exchange system requirements
- The system must comply with NEN 7510 and NEN 7512. The controller of an electronic exchange system is obliged under the Decree to ensure that the system meets the technical and organisational requirements arising from NEN 7510 and 7512. Although a healthcare provider will not always be the controller, the Decree stipulates that healthcare providers – in accordance with NEN 7510 and NEN 7512 – ensure the safe and careful use of the electronic exchange system. As a result, a healthcare provider will have to include in its agreement with the party responsible for the system that the system complies with NEN 7510 and NEN 7512.
- The audit obligation for the ICT supplier. Furthermore, the Decree obliges the legal entity, other than the healthcare provider, that manages and maintains the electronic exchange system (the ICT supplier) to have the system audited by an independent third party. This audit should establish that the NEN standards have been complied with, and its outcome must be recorded in an audit report.
- The system’s logging must comply with NEN 7513. The party responsible for an electronic exchange system must also ensure that the logging complies with NEN 7513. According to the Logging Retention Period Decree, logging data must be retained for at least 5 years from the time the log entry is written.
As an ICT supplier acts as a processor on behalf of the healthcare provider, it must, pursuant to Article 28 (1) GDPR, demonstrably comply with NEN 7510 and NEN 7512. In addition, the electronic patient record must be set up in such a way that logging is applied in accordance with NEN 7513 and the healthcare provider can meet the requirements of the Decree.
Care information system requirements
- The system must comply with NEN 7510 and NEN 7512. In accordance with NEN 7510 and 7512, the healthcare provider is responsible for the safe and careful use of the care information system.
- The system’s logging must comply with NEN 7513. The healthcare provider must also ensure that the logging complies with NEN 7513 and that the log data is retained for at least 5 years.
Pursuant to Article 28 (1) GDPR, the aforementioned obligations also rest on the ICT supplier in its role as processor.
Establish security policies and perform checks
Healthcare providers are also obliged to lay down the procedures and responsibilities surrounding electronic patient records in a policy. In addition, the healthcare provider and the controller of the electronic exchange system must regularly investigate whether patient data is still adequately protected, and must document their findings. In this context, the ICT supplier can (or, under the processing agreement, must) support the healthcare provider by providing the necessary information.
The NEN standards mentioned in the Decree provide frameworks for the necessary security methods for electronic patient records.
- NEN 7510 consists of two parts and focuses on healthcare institutions and other organisations involved in the provision of information in healthcare. NEN 7510 provides, among other things, instructions on the organisational and technical set-up of information security. For example, access to the electronic patient record should be granted by means of two-factor authentication (section 9).
- NEN 7512 concerns electronic communication between healthcare providers and healthcare institutions, with patients, health insurers and other parties involved. In addition, NEN 7512 further fleshes out a number of guidelines from NEN 7510, for example on the security of data exchange.
- NEN 7513 also contains a further elaboration of NEN 7510 (which, in section 12, requires log files to be created and checked periodically) and deals with logging. Logging is a security method that makes it possible to find out who had access to a patient record, on what basis that access was obtained and which actions were carried out on the patient record. NEN 7513 provides healthcare providers with instructions for logging and for using the logs to meet their legal obligations. It also provides developers of information systems with a number of requirements that their information systems must meet. Patients also have the right to inspect this log data.
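As an added illustration (not code from the original post or from any NEN standard), the kind of automated check over access-log entries that the logging requirement above is meant to enable: who accessed which record, on what basis, and which action was taken, with findings raised for access without a documented basis, export actions and unusually broad lookups. The pipe-separated line format, the field names, the basis values and the volume threshold are all assumptions; the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log. Assumed format (not prescribed by NEN 7513):
# timestamp|user|patient|action|basis   with basis in {treatment, emergency, none}
SAMPLE_LOG = """\
2021-01-20T09:01:00|u101|p001|read|treatment
2021-01-20T09:05:00|u101|p002|read|treatment
2021-01-20T09:06:00|u205|p003|read|none
2021-01-20T09:07:00|u205|p004|read|none
2021-01-20T09:08:00|u205|p005|export|none
2021-01-20T09:09:00|u205|p006|read|none
2021-01-20T09:10:00|u310|p007|read|emergency
"""


def parse_log(text):
    """Turn the constructed log format into a list of dicts (one per access)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, basis = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action, "basis": basis})
    return entries


def audit(entries, max_patients_per_user=3):
    """Return (finding_type, user, detail) tuples for review by the provider.

    - no_basis: record opened without a documented treatment relation
    - export: data left the system (print/export), always worth a look
    - emergency_review: break-glass access, to be justified afterwards
    - volume: one user touched more distinct patients than the assumed threshold
    """
    findings = []
    patients_per_user = defaultdict(set)
    for e in entries:
        patients_per_user[e["user"]].add(e["patient"])
        if e["basis"] == "none":
            findings.append(("no_basis", e["user"], e["patient"]))
        if e["action"] == "export":
            findings.append(("export", e["user"], e["patient"]))
        if e["basis"] == "emergency":
            findings.append(("emergency_review", e["user"], e["patient"]))
    for user, patients in patients_per_user.items():
        if len(patients) > max_patients_per_user:
            findings.append(("volume", user, len(patients)))
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` flags user u205 on every check while u101, who only opened records of patients under treatment, produces no finding.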
Based on the GDPR, both healthcare providers and ICT suppliers are obliged to ensure that electronic patient records are adequately secured. These security requirements can be both technical and organisational in nature.
The Wabvpz and the Decree give further substance to the security requirements, depending on the type of system (internal healthcare information system or an electronic exchange system). In this regard, the NEN standards must be complied with.
If a system does not qualify as either type, it may still be advisable to seek alignment with NEN 7510. With regard to the GGD data breach, Minister De Jonge indicated in a Parliamentary letter that the protection of patient data was ensured, among other things, by privacy training, the signing of a non-disclosure agreement, the mandatory provision of a VOG (Verklaring Omtrent het Gedrag, a certificate of conduct) and the logging of searches combined with random checks. Nevertheless, a number of things went wrong. For example, too many employees were given access to the data, the systems used contained a print or export function, the logging was not automatically monitored and the organisation of GGD GHOR Nederland did not comply with NEN 7510, among other things.
For the complete overview, please refer to the Parliamentary letter. Solutions are currently being worked on, for example in the form of a special team that identifies and implements additional measures.
Want to know more?
With regard to the subject of electronic patient records, there is a wide range of regulations. We have noticed that this raises many questions. Therefore, we have also written an extensive article on the rights of patients and the obligations of healthcare providers. You can read this article here.
If you have any questions regarding the above, please feel free to contact Eva de Vries or Jacintha van Dorp.