Holistic thinking on data protection

When dealing with patient and health data, information security and data protection are the top priorities.

Patient record projects bring different organizations into contact with one another, and potentially conflicting requirements as well. This makes setting up a patient record especially challenging. The benefits provided by digital health data processing and increased networking bring with them a greater threat potential in the form of ransomware, social engineering attacks, denial of service attacks, and so on.


Built on standards

One question is particularly relevant to cross-organizational patient record projects: What technologies will be used? International standards, such as Integrating the Healthcare Enterprise (IHE), create a common technological and semantic base for data exchange and provide an implementable framework. IHE standards form the technical base for modern patient records. By linking policies (XACML), consent documents (APPC, BPPC), and the access control system, they satisfy all the requirements of the data protection laws.

In the Austrian Electronic Health Record (ELGA) system, to take one example, all communication between ELGA domains is also TLS-encrypted and directed centrally by the Austrian Federal Computing Center.

Modern patient records involve a delicate balance of personal property rights, organizational requirements, and other rights and standards. The wealth of experience within the highly networked international IHE community furnishes numerous examples of best practices, which can be adapted to an individual country’s circumstances at reasonable expense.

Walking the technology tightrope

The ELGA rollout in Austria is a model for how to reconcile European data protection requirements, national legislation, and physical patient records within the same project. The control system that was ultimately chosen, which includes situational opt-out, reflects the basic differences in data protection needs at the following levels:

  • At the level of European data protection legislation and the individual decision-making power the law demands for data subjects
  • At the level of the national healthcare system, which relies on solidarity among all the parties involved, from which it derives an inherent mandate to participate (including participation in technical systems like the ELGA)
  • At the practical level in healthcare itself, which involves powers of attorney and the confidential doctor-patient relationship

All of these levels must be kept in mind and reflected in the technology of any nationwide records system project. In the ELGA project, clear responsibilities were established for the “domain operators.” Every participant (affinity domain) in the cross-organizational patient records system must comply with defined operating specifications and undergo audits by an independent body. Here too, international standards and guidelines like ISO/IEC 27001 help to maintain a minimum level of operational security and data protection.

The interplay of technology, organization, laws, and people in the area of information security and data protection is complex and calls for appropriate expertise from all actors.

Processes in practice

Information security and data protection must always be viewed holistically. Individual measures are ineffective; there needs to be a harmonious interplay of legal, organizational, and technical components. To achieve this, management is called upon to establish the appropriate standards and processes (e.g. security and data protection guidelines). It must be clear who is responsible for what. This entails creating roles and clear-cut responsibilities and adhering to processes.

Focusing on people

No matter how much technology is deployed or what the organizational requirements are, all of these measures also need to be accepted in the end. Therefore, the top priority is raising awareness among patients, but also among the participating physicians and staff. If everyone involved understands what the standards are and why they need to be followed, many security issues will simply never arise, or else can be nipped in the bud.