AP - Ziekenhuis OLVG

From GDPRhub

The Dutch DPA (AP) fined a hospital €440,000 for violating Article 32(1) GDPR by failing to apply two-factor authentication and to review access log files regularly.

==English Summary==

Since 19 October 2015, OLVG has been using a new information system to store electronic patient records. OLVG provided medical care to approximately 500,000 patients in 2018 alone, which leads the AP to conclude that the hospital processes personal data, including special category (health) data under the GDPR, on a large scale.

The AP found two issues.

1. Two-factor authentication.

The AP found that employee authentication was done in two ways, depending on whether access is requested from inside or outside the OLVG network. When logging in from within the OLVG network, employees use only a username and password to access their virtual workstation (VDI); no second factor such as a staff pass or a token is required. Single sign-on then gives an employee who is already logged in to the VDI immediate access to the hospital information system containing the electronic patient records.

When logging in to the VDI from a computer outside the OLVG network, employees must use a username and password in combination with a changing (one-time) token received by SMS or via an application. On 9 March 2020 OLVG fitted each computer with a card reader, changing this method of authentication: before they can use the computer, employees must hold their employee card in front of the reader and enter a password.

OLVG also states in its Information Security and Privacy Policy that this policy is based on: 1) the Dutch standards for information security in healthcare, NEN 7510, NEN 7512 and NEN 7513, and 2) the current laws and regulations, including the GDPR. OLVG has thus committed itself to complying with the NEN security standards, which require that the identity of users be established by means of two-factor authentication.

Given the sensitive nature of the data, the large scale of the processing by OLVG and the risks to data subjects, the AP concluded that OLVG should have implemented two-factor authentication for access to personal data in electronic patient records. This was not done when those records were accessed from inside the hospital's own network.

2. Access logs review.

The AP found that between 1 January 2018 and 17 April 2019 OLVG carried out two sample checks of "Break the Glass" behaviour across larger groups of employees and eight incidental checks of the logging of health records. Furthermore, between 1 January 2018 and 22 May 2019 OLVG neither systematically checked the access logs of all electronic health records for anomalies nor had systematic or automated alerts in place for when certain logging limits were exceeded.
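The AP's finding is that sampled and incidental checks do not amount to systematic review, and that no automated alert fired when a logging limit was exceeded. The following is an added example of what such checks look like in practice; it is not OLVG's tooling and is not taken from the AP decision. The pipe-delimited log layout, the thresholds, the user and patient identifiers and the "care team" table that records which departments currently treat a patient are all assumptions made for the example. The checks run over every event in the log rather than a sample, and the alert rules go beyond the two behaviours the decision names: access without a treatment relationship, a per-user daily volume limit, and a per-user break-the-glass limit.

```python
"""Systematic checks over electronic-patient-record access logs.

Added example, not OLVG's tooling or anything from the AP decision. The
log layout, the thresholds and the care-team table are assumptions chosen
to make the logic concrete. Every event is examined, not a sample.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed thresholds ("logging limits") for the automated alerts.
DAILY_PATIENT_LIMIT = 5   # distinct patients one user may open per day
BREAK_GLASS_LIMIT = 2     # break-the-glass events per user per day

# Constructed sample log, one event per line:
# timestamp|user|department|patient|action|break_glass
SAMPLE_LOG = [
    "2019-03-04T08:02:11|u101|cardiology|p500|view|0",
    "2019-03-04T08:05:40|u101|cardiology|p501|view|0",
    "2019-03-04T09:10:03|u102|oncology|p500|view|1",
    "2019-03-04T09:12:45|u102|oncology|p777|view|1",
    "2019-03-04T09:14:09|u102|oncology|p778|view|1",
    "2019-03-04T10:00:00|u103|finance|p600|view|0",
    "2019-03-05T11:00:00|u101|cardiology|p777|view|0",
] + [f"2019-03-04T12:0{i}:00|u104|er|p{900 + i}|view|0" for i in range(6)]

# Assumed treatment relationships: which departments currently treat a patient.
CARE_TEAM = {
    "p500": {"cardiology"}, "p501": {"cardiology"}, "p600": {"surgery"},
    "p777": {"neurology"}, "p778": {"neurology"},
    **{f"p{900 + i}": {"er"} for i in range(6)},
}


def parse_line(line):
    """Split one pipe-delimited log line into a typed event."""
    ts, user, dept, patient, action, btg = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "patient": patient, "action": action, "break_glass": btg == "1"}


def analyse(lines, care_team):
    """Return alerts for three checks run over the complete log.

    1. Access without a treatment relationship and without break-the-glass.
    2. More distinct patients per user per day than DAILY_PATIENT_LIMIT.
    3. More break-the-glass events per user per day than BREAK_GLASS_LIMIT.
    """
    alerts = []
    patients_per_user_day = defaultdict(set)
    btg_per_user_day = Counter()
    for event in (parse_line(l) for l in lines if l.strip()):
        key = (event["user"], event["ts"].date().isoformat())
        patients_per_user_day[key].add(event["patient"])
        if event["break_glass"]:
            # Break-the-glass is legitimate emergency access; it is counted
            # and reviewed, not blocked.
            btg_per_user_day[key] += 1
        elif event["dept"] not in care_team.get(event["patient"], set()):
            alerts.append({"rule": "no_treatment_relationship",
                           "user": key[0], "day": key[1],
                           "value": event["patient"]})
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > DAILY_PATIENT_LIMIT:
            alerts.append({"rule": "daily_limit_exceeded", "user": user,
                           "day": day, "value": len(patients)})
    for (user, day), count in btg_per_user_day.items():
        if count > BREAK_GLASS_LIMIT:
            alerts.append({"rule": "break_glass_limit_exceeded", "user": user,
                           "day": day, "value": count})
    return sorted(alerts, key=lambda a: (a["rule"], a["user"], a["day"]))


def run_sample():
    """Run the checks over the constructed sample log."""
    return analyse(SAMPLE_LOG, CARE_TEAM)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this raises four alerts: the finance user and the cardiologist who opened records outside their treatment relationship, the emergency-department user who opened more patients in a day than the assumed limit, and the oncologist whose break-the-glass count exceeded the assumed limit. In a real deployment the thresholds would be tuned per role, and the care-team data would come from the hospital information system; the point of the example is that every event is evaluated and the limit checks fire without anyone having to pull a sample.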

===Dispute===

1. OLVG is of the opinion that the AP incorrectly concludes that OLVG has not applied two-factor authentication. According to Standard 9.4.1 of NEN 7510-2 (2017), health information systems that process personal health information should establish the identity of users, and this should be done by means of authentication involving at least two factors. According to OLVG, its computers are in rooms which can only be entered with a personal employee pass, and the pass only grants an employee access to the rooms he or she is authorised to enter. In OLVG's view there is no fundamental difference between limiting access to the room to the holder of a pass and requiring that person to hold the pass in front of a reader built into the computer.

5. The AP's investigation report refers to Article 3(2) of the Decree on Electronic Data Processing by Healthcare Providers (Begz). This article states that a healthcare provider must, in accordance with the provisions of NEN 7510 and NEN 7512, ensure safe and careful use of the healthcare information system and of the electronic exchange system to which it is connected. OLVG argues that the AP can only impose a fine or a penalty to enforce the obligations imposed by the GDPR, and not for a violation of the Begz.

The AP does not follow OLVG's view on this point either. The administrative fine was imposed for the violation of Article 32(1) GDPR, specifically with respect to authentication and regular checks of the log files. Incidentally, the Begz does apply to OLVG and obliges it to apply the NEN 7510 and NEN 7512 standards.

===Holding===

The AP concluded that OLVG had not applied an appropriate level of security to the processing of personal data in its hospital information system. Until at least 22 May 2019, OLVG had been processing sensitive personal data of hundreds of thousands of patients without adequate security. The AP considers it serious that the violation continued in a structural manner for a longer period, partly under the earlier Personal Data Protection Act, which already required an adequate level of security. In view of the nature, seriousness, scope and duration of the infringement, the AP increased the basic amount of the fine by €80,000 to €390,000 under the 2019 Fine Policy.

OLVG is expected, partly in view of the sensitive nature and large scale of the processing, to ascertain the standards applicable to it and to act according to them. In addition, OLVG stated in its own Information Security & Privacy Policy that the policy is based on the Dutch standards for information security in healthcare, namely NEN 7510, NEN 7512 and NEN 7513, and on the current laws and regulations, including the GDPR; OLVG thus committed itself to complying with those norms. OLVG also stipulated in its logging policy that it would take a representative sample every four weeks to analyse the log data. OLVG therefore also failed to comply with its own policy rules, which the AP considers extremely negligent. Given the negligent nature of the breach, the AP increased the base amount of the fine under Article 7(b) of the 2019 Fine Policy by €50,000 to €440,000.