Cyber risks in the hospital sector
Recently, hacker attacks have once again made the headlines, this time in the healthcare sector, particularly in Germany, the USA and now also in Switzerland. Until now, Swiss hospitals were thought to be particularly safe for many reasons, but appearances are deceptive: cyber risks do not stop at privacy; quite the opposite.
Unlike re-settable credit card numbers, patient data provides "key data" for health spies over a lifetime, if not generations.
A recent IT security report from IBM lists the biggest cyber risks. It shows that cyberattacks on the healthcare industry have reached a high level. The attackers' motive, as the IBM Security Index underlines, is most likely identity theft. The detected "incidents" of this kind were carried out by insiders, often employees or contractors.
With regard to digital threats from outside, but also from experienced users themselves, the health and social services sector must consider aspects that receive less attention in other sectors: it handles sensitive patient and client data that must be kept confidential at all times, even in the outpatient sector.
Electronic patient dossier
Naturally, electronic patient data in the form of a dossier is considered "particularly worthy of protection" by the legislator. From December 2016, patient records for doctors and for patients will be standardised throughout Switzerland by the Electronic Patient Dossier Act (EPDG), which is in fact only a framework law.
Some advantages: the patient knows about any inquiries or additions made by a doctor. In emergencies, findings from specialists are already recorded. The patient could also encrypt the reports himself, add further data (e.g. about allergies) or view doctor's prescriptions. Verification bodies will certify and supervise the decentralised data communities.
Two major disadvantages: personal explanatory consultations with the doctor become obsolete, and encryption is ultimately left to Mr. and Mrs. Swiss.
The bigger challenge, considering today's hospital-internal recording systems and other private measuring devices and notes: the control and distribution of patient data are not yet consistently regulated.
Territory: Medical secrecy
In addition to all the technical and organisational aspects, there is one particularly important element to consider in the healthcare sector: medical confidentiality. On the one hand, it takes on a new dimension in times of the digital revolution; on the other, doctors and their deputies could be deceived on a grand scale by cyber spies when comparing outpatient dossiers.
Digital technology knows no professional secrecy and does not distinguish which bit or byte is unremarkable and which is worth protecting (see the DSG, the Swiss Data Protection Act), sensitive or routine. That task still falls to the doctors, or rather the users, and it begins with the practice computer. Who is responsible for the patient data stored on it? Who manages the backup or an external e-health cloud?
In the practice of the future, there may only be tablets. These could be infected with crypto-viruses (ransomware) via apps. The consequence: instead of simply encrypting patient data from A to Z, cybercriminals could copy and manipulate individual processes, and even log on to a company's other devices.
Who would then assume liability for which treatment process if something suddenly went wrong? The damage would be devastating in any case.
For doctors and users, one thing is clear: electronic media significantly promote the exchange of health data and image files. Alongside these advantages, however, delicate clarifications and diagnoses are also accelerated. If these were delayed by simple time-triggered viruses, for example, medical professional secrecy would be at stake.
Privacy and security?
After all, it is not only doctors, assistant doctors, dentists, pharmacists, midwives, chiropractors and psychologists who bear greater responsibility in terms of "data security" and "duty of confidentiality", but also patients and billing parties. This is the real crux when it comes to official data protection and one's own data security.
By Michael Merz (galledia verlag ag). The editorial article on the Electronic Patient Dossier can be found in Management & Quality, issue 5/2016.