26 July 2021, by Dr. Philipp Latini
User accounts and inactive access permissions
IT security begins with login
If nothing else, the Corona pandemic has shown that digitalisation and working across hospitals and networks are of utmost importance in the hospital world. As patient data is the most sensitive type of personal data, the implementation of and compliance with data protection in accordance with the General Data Protection Regulation (GDPR) is becoming increasingly important.
Article 9 (I) of the GDPR stipulates precisely that sensitive health data, in particular, must be subject to a high degree of protection. Permission to access data should not be granted to everyone and data should only be accessed when necessary. Furthermore, Article 5 states that integrity and confidentiality must be ensured while this sensitive data is processed.
Heavy penalties for violations
Violations of the GDPR are no longer punished with token fines. Regulators impose high penalties for data breaches involving personal health data, as these examples show: after a patient mix-up during a hospital admission in 2019, considerable data protection deficiencies were discovered at a hospital in Rhineland-Palatinate, Germany, and the state fined the hospital €105,000. The highest fine imposed up to that point went to a hospital in Holland in 2019: because of insufficient technical and organisational measures, the hospital had to pay a staggering €460,000. The loss of reputation is often even more serious.
Security gaps can be easily closed with authorisation concepts
The examples make it clear: Unauthorised access permissions, data protection deficiencies and incorrectly granted authorisations must be detected immediately using state-of-the-art internal control systems.
In everyday hospital life, logical authorisation concepts are often missing. For example, departments increasingly work with a single shared user account, so even employees without authorisation can access personal, patient or health data without being noticed. User management in general therefore poses further challenges for clinics: unused accounts, and users who are still active but no longer work in the departments they are authorised for. In this way, access permissions accumulate and are never revoked. The Corona crisis in particular, with newly recruited emergency staff who had to be given authorisations ad hoc, has highlighted the lack of regular clean-up of accounts and permissions. Another important aspect is emergency authorisation, which allows locum doctors, for example, to access the records of patients on other wards when needed, without going through a lengthy approval process. More transparency can be achieved through a logging concept (an audit trail) that shows which documents were opened and/or edited, when, how and by whom.
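The recurring access review described above can be partly automated. The following is an added illustration, not part of the original post and not adesso/SIVIS tooling, that checks constructed sample accounts for three of the problems named here: accounts nobody has used for a long time, permanent permissions belonging to a department the user no longer works in, and time-limited emergency authorisations that have run out but were never revoked.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    department: str                 # department the person currently works in
    last_login: Optional[date]      # None = the account has never been used
    active: bool = True
    # role name -> (department the role belongs to, expiry date; None = permanent)
    grants: dict = field(default_factory=dict)

def review_accounts(accounts, today: date, stale_after_days: int = 90):
    """Return (user, finding) pairs for accounts that need attention."""
    findings = []
    for acc in accounts:
        if not acc.active:
            continue                            # already disabled, nothing to revoke
        # Unused account: never logged in, or not used within the review window
        if acc.last_login is None or (today - acc.last_login).days > stale_after_days:
            findings.append((acc.user, "stale-account"))
        for role, (role_dept, expires) in acc.grants.items():
            if expires is not None and expires < today:
                # Emergency authorisation that should have been removed automatically
                findings.append((acc.user, f"expired-emergency-grant:{role}"))
            elif expires is None and role_dept != acc.department:
                # Permission accumulated from a previous department and never revoked
                findings.append((acc.user, f"permanent-grant-outside-department:{role}"))
    return findings

# Constructed sample data (hypothetical users and departments)
TODAY = date(2021, 7, 26)
SAMPLE_ACCOUNTS = [
    Account("mmueller", "cardiology", TODAY - timedelta(days=5),
            grants={"cardio_read": ("cardiology", None)}),
    Account("kschmidt", "radiology", TODAY - timedelta(days=3),     # moved from surgery
            grants={"surgery_write": ("surgery", None),
                    "radiology_read": ("radiology", None)}),
    Account("locum01", "emergency", TODAY - timedelta(days=1),
            grants={"ward7_read": ("ward7", TODAY - timedelta(days=2))}),
    Account("temp2020", "admin", None),                             # created, never used
]

def run_sample():
    return review_accounts(SAMPLE_ACCOUNTS, TODAY)

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```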
When it comes to digitalisation and data protection, few industries face as great a challenge as the healthcare sector. Risks must be identified and eliminated at an early stage – the protection of patients comes first.
The German Hospital Future Act (KHZG) makes more possible
The pressure to innovate and digitalise, which is already quite significant, is now also required by law through the German Hospital Future Act. Subsidies for digitalisation in clinical environments have also been made possible. Our KHZG-Readiness-Check PLUS* gives hospitals an overview of the current state of their IT landscape together with a summary of the potential for optimisation and digitalisation in line with the KHZG.
With more than 20 years of experience as an IT service provider, adesso is a long-standing partner of large health insurance companies, clinics, medical technology companies and other service providers in the primary and secondary healthcare markets in Germany. Together with our partner for security issues specifically relating to SAP systems, SIVIS GmbH Karlsruhe, we advise and support hospitals and providers and help them to address their challenges. The adesso/SIVIS Information Security Quick Check provides hospitals and clinics with an overview of the current state of their information security. Our security assessment considers systems, cloud scenarios, existing management systems, network solutions and portal solutions. This allows us to draw up a specific action plan to achieve the legally required protection goals for sensitive patient data.
Would you like to learn how we combine expertise and technology for success in healthcare? If so, just check out our website.
Would you like to learn more about exciting topics from the world of adesso? Then check out our latest blog posts.