When maintenance becomes a spy trap
Involving third parties in the provision of IT services becomes more important every year; IT operations are almost unthinkable without it. In the age of hybrid IT infrastructures, cloud applications are steadily gaining ground, often alongside the still large number of internally hosted ("on premise") IT applications.
Unlike in the cloud environment, remote access to "on premise" applications is very poorly regulated, and companies would do well to close precisely this gap. In Switzerland, hospitals with patient data or banks with customer data come to mind first, but in the end the question concerns every company.
Example 1: a hospital
When you consult a doctor as a patient, you automatically and rightly assume that he or she will treat your medical record as strictly confidential and not disclose it to third parties. In the course of digitalisation, the medical record is no longer physically kept in the doctor's filing cabinet but stored digitally. The doctor may disclose your secrets to his or her auxiliaries: an auxiliary is anyone who lawfully assists the doctor in his or her work. Legally speaking, this is not a disclosure, so you as a patient do not have to be informed about the involvement of the auxiliary.
In practice, however, a hospital information system, a radiology system or a laboratory system is not maintained by the hospital alone; IT service providers, possibly even from abroad, log in via remote access. Often - especially in the database - all patient information is openly accessible. The question now is: where does the hospital "begin" and where does it "end"? The term "perimeter" describes this: the outer boundary of the organisational unit (here: the hospital) that must be organised. The question is therefore where the hospital's perimeter ends (Fig. 1).
The Swiss Criminal Code, the Data Protection Act and the Medical Profession Act do not per se prohibit the use of auxiliaries. The involvement of auxiliaries therefore does not constitute disclosure to third parties, even if they are given plaintext access to protected information. Taken to its logical conclusion, this would mean that the doctor could theoretically extend the circle of auxiliaries without limit.
The absolutely crucial point is control: control over the "extended workbench". The hospital must integrate all auxiliary persons as if they were employees (bound by instructions, etc.) rather than external persons. If control is lacking, the unrestricted use of auxiliary persons may amount to a prohibited disclosure.
Example 2: a bank
A legal opinion (Use of cloud offerings by banks: on admissibility under Art. 47 BankA)* examined whether a bank can extend its personnel and physical perimeter to such an extent that bank customer data can be viewed in the cloud or by a foreign IT service provider. The legal opinion answers in the affirmative, because the Banking Act, in effect since 1934, was amended in 1970 to protect against "foreign espionage"; much has happened since, and since 2017 Switzerland has itself regularly transmitted detailed information about bank accounts abroad.
Although the employees of a foreign IT service provider may not be prosecutable under criminal law, the legal opinion assumes that the employees in question may be brought into the bank's sphere of risk without any disclosure to third parties (Fig. 2).
The bank thus extends its physical and personnel perimeter so that the data centre and the employees of the IT service provider can no longer be regarded as third parties. The crucial point is that the bank retains control over this through technical and organisational measures. This means that a bank may use applications in the cloud or allow foreign employees remote access.
All other sectors
Other sectors such as commerce or industry are not subject to the same wealth of legislation in Switzerland as hospitals or banks. Nevertheless, data must be protected, and not only personal data: every company has trade secrets whose disclosure can harm the company, whether as damage to its image or as future economic damage caused by industrial espionage.
This control of the extended workbench can be exercised in exactly the same way through technical and organisational measures, but it must be supported by an effective set of contracts. The employees involved in the processes must be turned from third parties into participants across the company boundary.
So what does control mean?
Control must be understood holistically, as a continuous process. First the subject matter must be understood; then the risk of data loss must be reduced through preventive measures. We also recommend improving traceability, which widens the options for reactive measures and makes sanctions possible if the worst comes to the worst. For remote access by IT service providers who may have privileged access to your data, the following organisational and technical measures are advisable:
- Conduct a protection needs analysis across all relevant IT systems
- Set up internal directives for access to data (access management)
- Create authorisation and role concepts for the exposed IT systems
- Cleanly regulate the management of users and authorisations
- Require users to identify themselves personally, both internally and externally
- Always change the passwords of privileged accounts after use
- Log/record the sessions of remote accesses and the data transferred
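The following Python model shows how the last four of these measures fit together in a remote-access broker: each external person is authorised by name for a specific system (role concept), receives a one-time password for the privileged account at checkout (personal identification), the session and the data it transfers are recorded, and the privileged password is rotated when the session closes so that the copy handed to the service provider is worthless afterwards. This is an added illustration, not code from the article or from any product; the system name `his-db01`, the vendor `ACME IT` and the person `jane.doe` are constructed sample values, and a real deployment would replace the in-memory vault with a PAM or secrets-management system and a session recorder.

```python
"""Added example: minimal broker for privileged remote access by IT service providers.

Models four measures from the article: role-based authorisation of named
persons, personal identification at checkout, rotation of privileged
passwords after every use, and an audit record of each session including
the data transferred. All names below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def _hash(secret: str) -> str:
    """Store only a digest of the privileged password, as a vault would."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class PrivilegedAccount:
    system: str
    username: str
    password_hash: str

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(password))


@dataclass
class Session:
    session_id: str
    system: str
    vendor: str
    person: str                 # the identified individual, not just the vendor firm
    started: datetime
    ended: Optional[datetime] = None
    bytes_out: int = 0          # data transferred out of the system during the session
    commands: list = field(default_factory=list)


class AccessBroker:
    """Brokers remote access of external service providers to internal systems."""

    def __init__(self) -> None:
        self.accounts: dict = {}   # system -> PrivilegedAccount
        self.roles: dict = {}      # system -> {(vendor, person)} allowed to access it
        self.active: dict = {}     # session_id -> open Session
        self.audit: list = []      # closed sessions, the traceability record

    def register_system(self, system: str, username: str) -> None:
        # The initial password is random and never handed out; it is only
        # replaced by a one-time password when a session is checked out.
        self.accounts[system] = PrivilegedAccount(system, username, _hash(secrets.token_urlsafe(24)))

    def authorize(self, system: str, vendor: str, person: str) -> None:
        """Role concept: which named person of which vendor may access which system."""
        self.roles.setdefault(system, set()).add((vendor, person))

    def checkout(self, system: str, vendor: str, person: str):
        """Identify the person, check the role and hand out a fresh one-time password."""
        if (vendor, person) not in self.roles.get(system, set()):
            raise PermissionError(f"{person} ({vendor}) is not authorised for {system}")
        account = self.accounts[system]
        password = secrets.token_urlsafe(24)
        account.password_hash = _hash(password)
        session = Session(secrets.token_hex(8), system, vendor, person, datetime.now(timezone.utc))
        self.active[session.session_id] = session
        return session.session_id, password

    def record(self, session_id: str, command: str, bytes_out: int = 0) -> None:
        """Session recording: what was done and how much data left the system."""
        session = self.active[session_id]
        session.commands.append(command)
        session.bytes_out += bytes_out

    def close(self, session_id: str) -> Session:
        """End the session, rotate the privileged password and file the audit record."""
        session = self.active.pop(session_id)
        session.ended = datetime.now(timezone.utc)
        # Change the password after use: the copy given to the external person no longer works.
        self.accounts[session.system].password_hash = _hash(secrets.token_urlsafe(24))
        self.audit.append(session)
        return session


if __name__ == "__main__":
    broker = AccessBroker()
    broker.register_system("his-db01", "dbadmin")          # constructed hospital DB host
    broker.authorize("his-db01", "ACME IT", "jane.doe")    # constructed vendor and person
    sid, pw = broker.checkout("his-db01", "ACME IT", "jane.doe")
    broker.record(sid, "SELECT count(*) FROM patients", bytes_out=128)
    rec = broker.close(sid)
    print(f"{rec.person}@{rec.vendor} on {rec.system}: {len(rec.commands)} commands, {rec.bytes_out} bytes out")
    print("old password still valid:", broker.accounts["his-db01"].verify(pw))
```

The audit list is what makes reactive measures possible: every entry names a person, a system, a time window, the commands issued and the volume of data transferred, which is exactly the evidence needed to trace an incident back to an individual session rather than to "the vendor".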
Remote access to critical data, even from abroad, is legally permitted, but the risks must be well controllable. The responsibility lies with the company itself: if, for example, a hospital involves third parties in its IT environment, the hospital retains responsibility for protecting the data. Control must be guaranteed at all times through technical, organisational and contractual measures.