eISSN: 1897-4309
ISSN: 1428-2526
Contemporary Oncology/Współczesna Onkologia
Current issue Archive Manuscripts accepted About the journal Supplements Addendum Special Issues Editorial board Reviewers Abstracting and indexing Subscription Contact Instructions for authors Publication charge Ethical standards and procedures
Editorial System
Submit your Manuscript
SCImago Journal & Country Rank
5/2011
vol. 15
 
Share:
Share:
Original paper

Practical guidance on implementation of the Personal Data Security Management System in an oncology centre

Mirosława Mocydlarz-Adamcewicz

Wspolczesna Onkol 2011; 15 (5): 279–285
Online publish date: 2011/11/22
Article file
Get citation
 
PlumX metrics:
 

Introduction

In the era of the information society, data processing has become easier than ever. While providing many benefits, the removal of technical barriers supported with legal regulations has also brought some threats, as there is a growing interest in acquisition of private data. Such data are at risk of being accessed and used by unauthorised persons. The disclosure of personal details may, in turn, lead to the loss of patients’ trust in a health care institution. Therefore, many health care institutions are putting more and more stress on protection of medical data processed by their IT systems. Data on health status, addictions or genetic code represent, under the Personal Protection Act, the category of personal data which are subject to special legal protection. Hence, each health care institution should put in place such an information protection system which will ensure confidentiality, integrity and accountability of processed personal data. This can be achieved through a properly implemented Personal Data Security Management System (PDSMS).

Aim of the study

The main aim of the study is to analyse practical aspects of developing, implementing and utilising a PDSMS in health care centres, based on applicable legal requirements and professional standards. The study presents chief security mechanisms (both technical and organisational) that should be put in place by a health care institution that processes personal data, particularly by means of IT systems.

Material and methods

The study provides a review of legislative measures, quality standards and available literature on protection of personal data in health care institutions. The situation in the Greater Poland Cancer Centre was also analysed with respect to PDSMS implementation in terms of technical and organisational security measures that have been taken by the centre, with particular stress on protection of personal medical data. Interviews were conducted with heads of units responsible for medical data protection in their respective departments with the focus on ensuring confidentiality of data processed in the hospital’s IT systems. We analysed activities of IT System Administrators, whose responsibilities include guaranteeing the security of the centre’s IT environment.

Results and discussion

Concept of personal data

Security is a concept with many meanings. In popular understanding, security is a state of being safe from threats. In the era of the information society, security applies primarily to information in the context of IT systems. The PN-I-13335-1 standard defines IT security as all aspects related to defining, achieving and maintaining confidentiality1, integrity2, accessibility3, accountability4, authenticity5 and reliability6 of information, which is the most valuable asset held by each health care institution. Indeed, internal information processed by hospitals includes that of crucial importance for their activity, public policy or information representing personal data.

Personal data means all information concerning a specific person, by means of which – without much cost, time or effort – this person can be directly or indirectly identified, in particular by referring to an identification number or specific details determining his/her physical, physiological, mental, economic, cultural or social traits. With regard to the health services, personal data are not limited to identification details (name, surname and personal identification number), but also include medical information, such as that concerning patients’ health condition (e.g. referrals, diagnosis results, delivered treatment procedures, nursing history, information sheet, follow-up), addictions or genetic code. Such data fall into a special category of personal details, known as sensitive data.

Data processing7 is a commonplace activity at health care institutions. More and more often it is done using IT systems [1]. Therefore, implementation and operation of the PDSMS becomes necessary.

Appointment of data protection officers

The first step towards productive implementation of the PDSMS in the oncology centre was to appoint persons responsible for protection of personal data. The Personal Data Administrator (PDA)8, responsible for ensuring technical and organisational protection of processed data (protecting data from being made available to unauthorised persons, illegally processed, changed or lost) delegated his duties to the Information Security Administrator (ISA) and IT System Security Administrator (ITSA). The ITSA supports the ISA in ensuring security of data processed in IT systems. Appointments were made by internal decision. Furthermore, roles and responsibilities within the organisational structure were established for the hospital director, managing staff (LISA9, i.e. heads of departments, line managers, chief nurses), data processing officers (medical division, administrative division), security division (ISA, ITSA, ITA10), and physical security staff in the area of IT security.

With technology rapidly developing, it is the human factor that remains the weakest link of the security system. Therefore, appropriate selection of staff to be involved in personal data processing (physicians, nurses, psychologists, medical secretaries, administrative staff for human resources, pay roll, accountancy, financial settlement, statistics), IT administration (ITA), and data security (ISA, ITSA, LISA), became a strategic component of PDSMS implementation in our oncology centre. Information security largely depends on the staff’s determination, knowledge and commitment in the process of PDSMS implementation. Proper organisation of security structures, distribution of roles, tasks and responsibilities between the hospital management and the personnel, particularly persons responsible for protection, forms the foundation of so-called trust systems [2]. The absence of the above-listed prerequisites might result in low reliability of the system, leading to IT security breaches.

Review and interpretation of legal acts

The next stage of designing the PDSMS involved development of an action plan for persons responsible for effective and efficient implementation of personal data protection. At its initial phase, the plan provided for the following measures:

1. Review and interpretation:

a) of national legal acts, including the Constitution of the Republic of Poland, relevant laws concerning personal data protection regulations and specific laws regulating the medical sector, providing specific implementing provisions for general rules contained in the Personal Data Protection Act [3]:

• Act of 27 July 1997 on Personal Data Protection (Ustawa o ochronie danych osobowych – UODO),

• Ministry of Internal Affairs and Administration Regulation of 29 April 2004 on Personal Data Processing Documentation and on Technical and Organisational Conditions to be Met by IT Devices and Systems Used for Processing of Personal Data (Rozporządzenie Ministra Spraw Wewnętrznych i Administracji z dnia 29 kwietnia 2004 r. w sprawie dokumentacji przetwarzania danych osobowych oraz warunków technicznych i organizacyjnych, jakim powinny odpowiadać urządzenia i systemy informatyczne służące do przetwarzania danych oso­bowych – RDOiWT),

• Act of 15 April 2011 on Medical Activities (Ustawa o działalności leczniczej),

• Act of 6 November 2008 on Patients’ Rights and the Commissioner for Patients’ Rights (Ustawa o prawach pacjenta i Rzeczniku Praw Pacjenta),

• Act of 5 December 1996 on the Professions of Doctor and Dentist (Ustawa o zawodzie lekarza i lekarza dentysty),

• Act of 5 July 1996 on the Professions of Nurse and Midwife (Ustawa o zawodach pielęgniarki i położnej),

• Ministry of Health Regulation of 21 December 2010 on Types and Scope of Medical Documentation and Methods of its Processing (Rozporządzenie w sprawie rodzajów i zakresu dokumentacji medycznej oraz sposobu jej przetwarzania);

b) European Union and Council of Europe Acts, including in particular the Charter of Fundamental Rights, Convention No. 108, Directive 95/46/EC of the European Parliament;

c) ISO quality standards in the context of practical rules of information security management, in particular information security management in health care (PN-I 13335-1:1999; PN-ISO/IEC 27001:2007, PN-EN ISO 27799:2008);

d) professional codes, which – while not being legally binding – represent ethical models of conduct for specific professional groups: Medical Code of Ethics, Code of Professional Ethics of Nurses and Midwives, Code of Professional Ethics of Psychologists;

e) patients’ rights with regard to protection of their privacy, access to contents of medical documentation and correction thereof, temporary or permanent termination of data processing: European Convention on Biomedicine, Lisbon Declaration on Patients’ Rights, Charter of Patients’ Rights.

2. Analysis of IT environment for personal data processing by taking stock of its elements:

a) mobile and stationary hardware (servers, arrays, computers, notebooks, monitors, printers);

b) passive and active network devices;

c) software;

d) carriers and back-up copies;

e) system documentation.

3. Risk analysis to identify those components of the IT system which require high level security measures and those which are not so critical [4] for the hospital, in particular:

a) identification of datasets (medical dataset, staff and pay dataset, health and safety dataset) and classification of data processed in them (non-sensitive, sensitive);

b) identification of sources and types of threats (internal, external), with an indication whether the threat is purposeful or incidental in nature (fire, flood, software break­down, electricity breakdown, transfer of data to unauthorised parties, e.g. unauthorised patient’s family, disclosure of temperature charts, interview with a patient in the presence of other patients);

c) establishing frequency of the threat and technical or organisational vulnerability, e.g. incorrect location of the IT system, lack of authentication procedures or back-up copy and data archiving management;

d) identification of effects (loss of confidentiality, integrity, accountability of data).

The development and implementation of a comprehensive PDSMS, i.e. a system covering all aspects of security, had to be preceded by analysis of legal and non-legal regulations in the area of information IT security. An in-depth analysis of both Polish legal regulations and EU directives contributed to the improvement in the quality of services provided by our institution [5] as regards security of personal medical data. It became a foundation of reliable risk and IT environment analyses. These, in turn, permitted identification of real threats for the system security in our institution, indicated areas requiring immediate protection, and ensured actions and protective measures to minimise the risk level acceptable for the hospital, thus preventing the IT security from being violated and addressing any possible adverse effects of such violations.

Protection of data processed in IT systems

The risk and IT environment analyses made in the hospital resulted in setting an IT security level. The security level in the oncology centre under study, according to the RDOiWT classification of security levels, was found to be high (Fig. 1).

Based on the above-mentioned analysis, a second stage of PDSMS implementation was put into action, involving definition and implementation of protective measures at the organisational, technical and physical levels. It comprised the following actions:

1. Designating a site for personal data processing, i.e. buildings, rooms, or parts of rooms where IT-based data processing is to be performed.

2. Developing and implementing personal data protection documentation as required by law and arising from good practice, including:

a) Personal Data Security Policy (PDSP),

b) Guidelines on Management of IT System to be used for processing personal data,

c) register of persons authorised to process personal data (Fig. 2),

d) authorisation to process personal data (Fig. 3),

e) non-disclosure agreements concerning received personal data,

f) rules of conduct in the event of an IT security breach11,

g) request for award of IT system authorisations,

h) register of computers, user and administrator identifiers, administrative account passwords,

i) training programme.

3. Training for newly employed staff and regular refreshment training on applicable legal requirements, applied security measures, applicable personal data security documentation, liability for data processed.

4. Authorising hospital personnel to process personal data to the extent indicated by LISA (Fig. 2) and subject to their signing non-disclosure agreements concerning received personal data.

5. Publishing selected parts of the PDSP in such a way as to make it available for all staff involved in personal data processing (Internet, PDSP reports, guidelines for heads of units).

6. Developing guidelines for agreements to be made with servicing companies (processor) who are assigned to process data under software maintenance or hardware service contracts12 (defining authorised persons, time and form of service to be provided: remote access or in-site service, liability and penalties for system security violations).

 7. Preparing and putting in place a list of physical protection measures to secure access to the sites of data processing, including rooms of strategic importance for the security system (server room, computer network hubs, Security and IT Department rooms): access control systems, burglar alarms, fire detectors, heat and humidity sensors, lockable doors and cabinets.

 8. Separating the part of the IT system used for processing personal medical data from the rest of the hospital IT infrastructure and public telecommunication network.

 9. Specifying rules of the personal data processing policy on the centre’s stationary and mobile computers.

10. Selecting user identification and authentication mechanisms in IT systems (password, smart cards), developing procedures for managing such mechanisms, i.e. identifier and password policy, update frequency, complexity, procedures in case of authentication mechanism compromise, etc.

11. Developing procedures and putting into action measures to manage control of user access to personal data in the HIS13 (minimum authorisation principle14, necessary knowledge principle15, task segregation principle16 [7]) (e.g. the procedure to award user access to the IT system used for processing personal data in an oncology centre (Fig. 4).

12. Safeguarding working stations from harmful software, including by definition of antivirus and anti-spam policies.

13. Specifying rules of a software management policy with particular stress on software inventory, licence management, working station monitoring for legality issues, developing a list of standard software to be installed on working stations.

14. Defining security measures against theft, component replacement (passive security cables, locked cases, sealing).

15. Ensuring emergency power for computer hardware to prevent the loss of integrity [8].

16. Selecting and implementing encryption devices: encoding, decoding, digital signature [9].

17. Establishing rules for hardware repair and maintenance, in particular permissible response and repair time, repair documentation: hardware delivery and receipt reports, service notification register.

18. Establishing procedures for management of personal data carriers and creation and storage of back-up copies (schedule indicating type of copy, carrier labelling, back-up procedure, time and place of storage).

19. Implementing the clear screen principle which consists in setting monitors in such a way as to prevent information displayed in them from being seen by other persons, using password-protected automatic screen savers and locking working stations or applications on user’s request.

20. Following the clear desk principle whereby documents containing personal data cannot be left unattended at places accessible to unauthorised persons.

21. Complying with the requirements of sec. 7 of RDOiWT, in particular concerning the registration of: date of first entry of data into the system, user identifier, source of data, date of reported concern, possibility for processed data to be printed out in a commonly understandable form.

22. Meeting requirements concerning information and right to control of one’s personal data, pursuant to Article 24, 32-35 UODO.

23. Implementing principles of awarding access to personal data to third parties in the light of UODO and its detailed implementing regulations for health care.

24. Responding to incidents, investigating their causes and addressing their effects.

25. Periodic security and IT environment controls and audits with regard to effectiveness and efficiency of security mechanisms and PDSP compliance.

Implementing the PDSMS in health care institutions is a duty and necessity arising from both the Personal Data Protection Act and relevant health care regulations. The right to privacy and the right to decide on one’s personal data are guaranteed by the Constitution. In view of the above, each Personal Data Administrator should take such measures as may be necessary to prevent intended and wilful actions, but also incidental events [10], posing a threat to IT data processing IT. It is then necessary to define and implement measures ensuring security of datasets. The choice of the above-mentioned measures by the Greater Poland Cancer Centre meets the technical and organisational requirements laid down in UODO with regard to preventing data from being accessed by unauthorised parties, illegally processed, changed, lost or destroyed, as well as defining physical security measures. Furthermore, the Centre’s user control system [11] and personnel training enable implementation of a resilient PDSMS that has to be periodically reviewed, following the security consultant Bruce Schneider’s words that “security is not a product, but a process” [12].

Conclusions

Effective implementation of the Personal Data Security Management System in health care institutions depends on the efficacy of a legal and organisational framework. There is, beyond any doubt, a strong tendency to develop security systems for medical data. This, however, requires an action plan for a hospital with due emphasis put on:

1) analysis of legal and non-legal acts regarding protection of personal data and professional regulations applicable to health care institutions,

2) promotion of achievements in terms of information security to allow a change in the awareness of data protection needs among hospital personnel and managing staff,

3) appointment of persons responsible for personal data protection with specified roles and action plans,

4) identification of threats, selection and implementation of organisational and technical protection measures appropriate to the accepted security level,

5) improvement of employees’ knowledge and skills through a training system and personal data security documentation.

References

 1. Kaczmarek A. Obowiązki administratorów danych osobowych przetwarzających dane osobowe w systemach informatycznych rejestrujących usługi medyczne. Konferencja naukowa, Warszawa 2000.  

2. Standardy NIST: http://www.nist.gov, standardy CCITT, standardy PN.  

3. Serzycki M. „Gazeta Wyborcza” pyta o zabezpieczanie danych w służbie zdrowia (12.11.2009).  

4. Gałach A. Instrukcja ochrony danych osobowych w systemie informatycznym. Gdańsk 2004.  

5. Bogusz-Czerniewicz M. External review systems for radiation oncology facilities – clinical audit versus other review systems. Rep Pract Oncol Radiother 2009; 14: 11-7.  

6. Pilc B. Ustawa o ochronie danych osobowych. Materiały wykładowe UKSW PSOIN, Warszawa 2008.  

7. Galach A. Ochrona danych osobowych w systemach teleinformatycznych. Materiały szkoleniowe, JDS Consulting, Warszawa 2008.  

8. Drozd A. Zabezpieczenie danych osobowych. Presscom, Wrocław 2008.  

9. Janowski J. Podpis elektroniczny w obrocie prawnym. Warszawa 2007.

10. Polok M. Bezpieczeństwo danych osobowych. Warszawa 2008.

11. Nałęcz M. Biocybernetyka i inżyniera biomedyczna 2000. Systemy komputerowe i teleinformatyczne w służbie zdrowia. Akademicka Oficyna Wydawnicza Exit, Warszawa 2002.

12. Mitnick K. Sztuka podstępu. Łamałem ludzi, nie hasła. Helion, Warszawa 2003.

Address for correspondence

Mirosława Mocydlarz-Adamcewicz

Greater Poland Cancer Centre

Garbary 15

61-866 Poznań

e-mail: miroslawa.mocydlarz-adamcewicz@wco.pl
Copyright: © 2011 Termedia Sp. z o. o. This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License (http://creativecommons.org/licenses/by-nc-sa/4.0/), allowing third parties to copy and redistribute the material in any medium or format and to remix, transform, and build upon the material, provided the original work is properly cited and states its license.
Quick links
© 2024 Termedia Sp. z o.o.
Developed by Bentus.