GDPR fine for a Dutch hospital due to insufficient TOMs
Poor access control
A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).
Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.
The Dutch hospital is not the first to be fined under the General Data Protection Regulation (GDPR). A Portuguese hospital suffered a similar fate for similar reasons.
In the current case, the Dutch supervisory authority has deemed the technical and organisational measures (TOM) to be insufficient and imposed a corresponding fine. In addition, the hospital was given a deadline of 2 October 2019 to implement appropriate measures. Should the hospital fail to comply, a fine of € 100,000.00 will be due every fortnight. This is to ensure a quick improvement. However, depending on the hospital information system (HIS), a short-term adjustment and improvement of access rights will be difficult to implement.
The supervisory authority primarily criticised the access rights as being insufficient or too extensive, as too many people were able to access the electronic patient file. In addition, the hospital was requested to expand the authentication to at least a two-factor system in order to generally increase access security.
Access rights always represent a conflict of objectives in a hospital, because an internal as well as external exchange of (patient) information is indispensable for the functioning of such an operation nowadays. This places high demands on the management of the various interfaces. Unfortunately, the danger of misuse of patient data or violation of personal rights is always present. Due to the fact that many people are involved in the care of a single patient, the management of access control will always remain a complex task. For hospital operators and healthcare staff, the care of the patient comes first; data protection-compliant handling of sensitive data is secondary. This can quickly lead to access rights being designed too extensively.
It is therefore not surprising that the access rights were criticised by the supervisory authority.
In contrast to the GDPR, the Swiss Data Protection Act (DSG) does not provide for fines. However, data security (Art. 7 DPA) must still be ensured. The obligation to create sufficient TOMs is also provided for in both laws (Art. 8f FADP). Even if there is no threat of fines, a violation of privacy can also lead to civil proceedings in Switzerland and have criminal law consequences. The issue must therefore not be neglected under Swiss law either.
Technical and organisational measures
Data protection compliance and patient confidentiality form part of a holistic data protection management system (DMS). It is therefore important that these two components are integrated into the overall strategy and that the individual parts are coordinated with each other.
A meaningful data protection concept has to take into account the internal processes, the employees and also the security systems. A data protection concept that only exists on paper but does not correlate with the existing IT infrastructure is worthless. The same applies to an application that is too complicated and cumbersome for the end user, making integration into work processes unnecessarily difficult. Regular training and instructions are therefore indispensable.
The hospital must take technical and organisational measures to ensure that patient data cannot simply be passed on or accessed. Access must also be limited internally to what is necessary.
Technically, the hospital information system (HIS) is in the foreground here. A modern HIS in particular enables comprehensive linking with the IT infrastructure of the entire hospital. For example, laboratory analyses or CT scans can be transmitted directly to the HIS. While this fast and comprehensive exchange of data reduces the risk of information reaching the attending physician too slowly or incompletely, it also increases the risk of misuse, as more people potentially have access to patient data via the many interfaces. Access rights that are too open and broad are therefore often a weak point in hospitals. Nowadays, however, extensive access can no longer be justified on the grounds that it is necessary for the good treatment of patients.
The first thing to do is to create an authorisation concept to regulate access rights. However, as the Dutch case has shown, both organisational and technical measures must be taken.
In particular, technical possibilities must be implemented so that an effective control of the organisational measures is possible. In order to be able to monitor compliance at all and to trace any misuse, logging is necessary. This usually has a preventive effect, so that, for example, access out of pure curiosity can be prevented.
Every instance of data processing, as well as system administration activities (e.g. maintenance procedures) and the export of data, must be logged. However, this presupposes that, on the one hand, all those involved are informed about the logging process and, on the other hand, selected access authorisations are assigned so that only authorised persons can view the logs.
Certain violations can already be proactively prevented through technical measures. However, in the case of older systems, a fine-grained access system cannot be fully implemented because data protection was not yet such a big issue when the HIS was purchased and a subsequent software adaptation would be too expensive. In these cases, monitoring is often the only sensible measure. When procuring a new HIS, it is therefore important to follow a privacy by design approach and to already think about data protection. Most importantly, access to patient data must only be possible for those persons who are involved in the medical, nursing or administrative processing of the treatment.
The following functions are necessary for data protection-compliant operation:
Role-based access allocation,
Automatic restriction to old case data,
Automatic restriction of access to employee data,
Logging of emergency access including the reason for access,
Temporary blocking of user accounts,
Blocking in case of repeatedly incorrect password entry,
Automatic detection of unused user accounts,
Possibility of strong authentication (two-factor authentication) and an automatic password strength check.
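As an added illustration (not code from the hospital, the supervisory authority or any HIS vendor), the following minimal model shows how several of the functions listed above fit together: role-based access limited to the care team, emergency access that is permitted only with a recorded reason, denial of access to closed cases, lockout after repeated failed logins, and an audit log entry for every access attempt. All roles, user ids and patient data are constructed for the example.

```python
# Added illustration, not the hospital's or any vendor's HIS code: a minimal
# model of role-based access, break-glass access with a mandatory reason,
# lockout after repeated failed logins, and an audit log of every attempt.
# All names, roles and sample data are constructed for the example.
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 3
# Roles permitted to open patient files at all (constructed role set)
CLINICAL_ROLES = {"physician", "nurse", "admin_staff"}


@dataclass
class PatientFile:
    patient_id: str
    care_team: set           # user ids involved in this patient's treatment
    case_closed: bool = False


@dataclass
class AccessControl:
    locked: set = field(default_factory=set)
    failed_logins: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def record_login(self, user: str, success: bool) -> bool:
        """Return whether the account is still usable after this attempt."""
        if success:
            self.failed_logins[user] = 0
        else:
            self.failed_logins[user] = self.failed_logins.get(user, 0) + 1
            if self.failed_logins[user] >= MAX_FAILED_LOGINS:
                self.locked.add(user)   # temporary block after repeated errors
        return user not in self.locked

    def request_access(self, user, role, pfile, emergency_reason=None) -> bool:
        """Decide one access request; every attempt is logged, allowed or not."""
        if user in self.locked or role not in CLINICAL_ROLES:
            outcome = "denied"
        elif user in pfile.care_team and not pfile.case_closed:
            outcome = "treatment"       # need-to-know: member of the care team
        elif emergency_reason:          # break-glass: only with a stated reason
            outcome = "emergency"
        else:
            outcome = "denied"          # e.g. curiosity, or a closed case
        self.audit_log.append(
            (user, role, pfile.patient_id, outcome, emergency_reason))
        return outcome != "denied"
```

Emergency entries in the audit log are the ones a data protection officer would review regularly, since the reason field is the only justification for access outside the care team.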
Further information on data protection in hospitals can be found in the article by Yves Gogniat - Datenschutz in Spitälern.
This article was written by RA Yves Gogniat.
If you have any further questions about ensuring data protection in the health sector, Balthasar Wicki will be happy to help.