Data protection within healthcare (NEN7510/AVG): "catalyst for quality"

We regularly see large-scale data breaches in the care sector passing by in the media, for example the data leak at a Youth Care Institution on April 10, 2019 involving the files of 3,000 minors. As a result, national politicians are putting the magnifying glass on safe handling of client data. We expect that this will result in increased regulatory attention to privacy and information security. The thinking is that precisely personal data of vulnerable groups deserve and require a higher level of protection, especially when you put the consequences of these types of data breaches in perspective.

Having a client file digitally "on the street" containing, for example, health information or suspicions of sexual abuse can haunt someone for life. This is in contrast to stolen credit card data, which can bother someone temporarily. The difference is in the type of information made public through a data breach.

A credit card can be blocked by the bank within minutes and affected person can have a new credit card within days. The old credit card data is then no longer usable and irrelevant. With a health record, this is very different. These are static and almost always remain relevant. Leaked information about, say, a chronic condition or suspected sexual abuse will therefore always haunt a person after it becomes public.

Highberg has been supporting the healthcare sector for years in setting up the safe handling of personal data. Primarily to protect clients and also to meet all requirements, for example, the General Data Protection Regulation (AVG) and legislation applicable to electronic exchange of medical data. Certification on the for healthcare specific developed information security standard NEN7510:2017 is an important tool in this.

Triade Vitree is a care institution in Flevoland and provides care in the region including youth aid, mental health care and long-term disability care. Highberg has been supporting Triade Vitree for years with its information security and personal data protection. After its merger in 2018, the organization expressed its ambition to continue investing in this, based on the vision that safe handling of client data is part of primary care.  

Highberg was asked by Triade Vitree to pragmatically guide data protection and ensure that the organization can demonstrably comply with privacy legislation and is ready for NEN7510:2017 certification. Highberg first of all fleshed out all the mandatory and formal components involved. These include the register of processing activities, drafting and aligning information security and privacy policies, setting up an integrated Data Protection Management System and performing combined Privacy Impact Assessments and Information Security Risk Assessments.  

While laying this foundation, Highberg set its sights on all Triade Vitree employees. Employees were intensively involved in the project and thus became increasingly consciously competent with regard to data protection. Highberg then worked with the organization to set up a Privacy/Information Security Office from which Triade Vitree coordinates and monitors all data protection processes. At this Office, anyone associated with Triade Vitree can ask questions about privacy and information security. Employees of the Office also provide information security and privacy training and provide solicited and unsolicited advice on data protection to management and the Board of Directors.  

Successful implementation of data protection requires the involvement of everyone within the organization. Within Triade Vitree, this approach has proven very successful, especially when looking at the results achieved by the Office within one year. 

A year after the start of the project, over 500 privacy and information security related questions have been asked and answered, more than 40 teams have received training, multiple DPIAs and risk analyses have been carried out, and improvements regarding data protection are continuously implemented and monitored. Triade Vitree's Office can therefore be seen as an oil slick that every employee comes into contact with and that employees point out to each other.  

A small selection of the advice that Highberg has initiated during the project and has been or is being implemented within the organization:  

1. A new method for secure e-mail that is in line with NTA7516, the standard that oversees secure e-mail in healthcare.  
2. Implementing the healthcare-specific Instant Message Application as a replacement for Whatsapp, among others.  
3. Advice on a new and future-proof method of authorization within the electronic client file (ECD).The successful execution of the project and the enthusiasm from the Triade Vitree employees have a positive effect on other work within the organization. For example, it is seen as a catalyst for ISO 9001 certification.  

Highberg has assisted Triade Vitree with great pleasure. We see that the protection of client data is now an integral part of the primary care provision. The way Triade Vitree interprets data protection is an example for all care organizations in the Netherlands.  

The project at Triade Vitree is one of the many Highberg school examples, which shows that the elaboration of a mandatory topic can result in so much more meaning and positive effects on an organization.  

Would you like to know more about this case study? Then feel free to contact our cybersecurity and privacy expert Sander Vols