Skip main navigation

New offer! Get 30% off your first 2 months of Unlimited Monthly. Start your subscription for just £29.99 £19.99. New subscribers only. T&Cs apply

Find out more
Home / Healthcare & Medicine / Healthcare / Protecting Health Data in the Modern Age: Getting to Grips with the GDPR / Data security

Data security

Watch Trix Mulder and an information security officer explain more about data security.
View transcript
3.2
TRIX MULDER: While following Anna on her medical journey, we saw that questions of confidentiality were raised when she saw her neighbour in the hospital. Anna’s doctor explained how doctor-patient confidentiality works in practice. She explained that are always risks involved when working with personal data if it’s an electronic or hard copy patient file. This is why the GDPR provides for professions relating to security of personal data. To ensure an adequate level of protection, an organisation, such as hospital, has to take appropriate technical and organisational measures. This includes pseudonymisation and encryption of data. But there’s more. Let’s hear from the information security officer at Anna’s Hospital
43.1
BERT MOORLAG: My name is Bert Moorlag. And I’m the corporate information security officer at the University Medical Centre in Groningen. University Medical Centre is a hospital and a Centre for medical research and education and is one of the largest organisations in north of the Netherlands, with more than 10,000 employees. As a corporate information security officer, I advise and help the organisation with information security and for my security cover three aspects– confidentiality. Are you allowed to see the data? Integrity. Is the data correct and complete? And Availability. Can your access to data at time and place you need it?
81.9
TRIX MULDER: These three aspects are also mentioned by the GDPR, which determines that an organisation like a hospital must ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and surfaces. Each organisation has their own policy in this regard.
100.5
BERT MOORLAG: Information security helps to assure that the quality of the data is in accordance with the need of the organisation. In the hospital, the quality of data is very important for patient safety. In the Netherlands, there is an information security standard for health care. Based on the international standard for information security, ISO-27000 Risk cannot always be avoided, but you need policy on how to handle them.
125.6
TRIX MULDER: These policies need to be organisation-specific, meaning that it needs to address the risks of processing of that particular organisation. This might be different for hospitals, pharmacies, and your GP’s office. But even varies between hospitals depending on external and internal factors. For example, in Anna’s hospital, account needs to be taken of the possibility of earthquakes, which could affect the availability of the data. A hospital in Amsterdam does not need to take this risk into account. One of the ways to tackle risks is to anonymise data. As we heard from the research nurse, research data is anonymised when it is shared between institutions.
164.7
However, patient data cannot be anonymised, because a doctor needs to know that a particular test result belongs to that particular patient.
172
BERT MOORLAG: Patient data is used for health care. This is why it cannot be anonymised. The data identify patients and health care professionals who need to identify patients to provide the right treatment to the right patient. Only staff who needs to use data have access to patient files. As a security officer, I don’t need the data. And therefore, I don’t have access to patient data.
195.3
TRIX MULDER: If it does happen that a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This data breach needs to be notified to the national supervisory authority. And in some cases communicated to the patient. Another way to prevent a data breach is to not keep the data longer than necessary. When health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data.
222.5
BERT MOORLAG: By law, patient data is generally kept for 15 years. Some data has to be kept for a longer period of time. The data stored on the information system of the hospital treated the same as patient data as saved in a readable digital format.
239.9
TRIX MULDER: We will discuss data retention later this week. But first, we would like you to think about the question in the next step.

There are always risks involved when working with personal data, if it’s an electronic or hardcopy patient file. This is why the GDPR provides for provisions relating to security of personal data. Information security covers three aspects:

  1. Confidentially;

  2. Integrity;

  3. Availability.

To ensure an adequate level of protection, the GDPR provides that appropriate technical and organisational measures need to be taken. This may include anonymisation, pseudonymisation or encryption of data, but also organisation specific policies which address the risks of processing of that particular organisation. These policies are necessary considering that risks can’t always be avoided.

One of the risks involved is unauthorised access. If a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This breach needs to be notified to the national supervisory authority and in some cases communicated to the patient.

Another way to prevent a data breach is not to keep data longer than necessary. When the health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data. It is furthermore required by law that data is kept for a maximum amount of time. We will discuss data retention later this week.

Want to keep learning?

This content is taken from University of Groningen online course
Protecting Health Data in the Modern Age: Getting to Grips with the GDPR
View Course
See other articles from this course
This article is from the online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
Join Now
This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
Join Now
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now

Register to receive updates

  • Create an account to receive our newsletter, course recommendations and promotions.

    Register for free