Security of computerized patient files: the CNIL puts pressure on health establishments (Analysis)

2024-03-04 11:59:09

In a recent communication, the CNIL highlighted the insufficiency of the measures implemented by health establishments to guarantee the security of their computerized patient files (DPI). The main complaint is the following: too many staff within these organizations reportedly have access to patient health data. The ethical and legal issues are enormous. The CNIL proposes improvement measures, valid for all healthcare structures in which many people have access to patient files.

By Alexandre Fievée, associate lawyer, and Alice Robert, Lawyer Counsel of the Derriennic Associés firm for La Veille Acteurs de Santé.

The sensitivity of the computerized patient file (DPI)

The computerized patient file (DPI), in which all the health data of patients cared for by a health establishment or any other care structure is centralized, allows the health professionals practising there to easily access patients' medical information.

Given the volume and sensitivity of the data it contains, the DPI must, according to the CNIL, be subject to “enhanced security measures”. It is clear, however, that these measures are very often insufficient, if only because of the application of an inappropriate authorization management policy that allows, in particular, categories of personnel to access data they do not need to know.

Security measures recommended by the CNIL

In order to strengthen the security of the computerized patient file, the CNIL recommends choosing rules that meet the requirement that a healthcare professional or agent/staff member can only access the data they strictly need to know.

In defining these rules, two criteria can be retained:

The criterion of “profession practiced”: an agent/staff member responsible for welcoming patients into the healthcare structure must have access “only to the patient’s administrative file and not to medical data”, while a doctor or other health professional will, of course, be able to access the administrative file but “also the medical data”.

The criterion of “care team” (as defined by law, art. L.1110-12 of the Code de la santé publique): only professionals actually involved in the care of a patient, or in the care provided to them, may have access to data covered by medical confidentiality.

Aware of the challenges and needs of the profession and of the emergency situations with which the staff of these establishments are confronted, the CNIL specifies, however, that the authorizations granted can be supplemented with a “break-glass mode”, in order to allow administrative agents/staff and health professionals to access other data for any patient.
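The following is an added example (not code from the CNIL communication or from any DPI product) showing how the two criteria above and the break-glass mode can be combined into a single access decision that also records “who accessed what”. The profession names, the split of the file into “administrative” and “medical” categories, the sample users and the rule that break-glass lifts the care-team restriction but never extends a profession’s data scope are all assumptions made for the illustration.

```python
"""Access decision for a computerized patient file (DPI) combining the CNIL's two
criteria (profession practiced, care team) with a break-glass override.
Added illustration: roles, categories, sample records and the break-glass
semantics are constructed assumptions, not a regulatory specification."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Data categories held in the DPI (assumed split for the example).
ADMINISTRATIVE = "administrative"
MEDICAL = "medical"

# Criterion 1, "profession practiced": the categories each profession may see.
PROFESSION_SCOPE = {
    "reception": {ADMINISTRATIVE},             # welcomes patients: administrative file only
    "nurse": {ADMINISTRATIVE, MEDICAL},
    "physician": {ADMINISTRATIVE, MEDICAL},
}


@dataclass
class User:
    user_id: str            # one unique identifier per person, no shared accounts
    profession: str


@dataclass
class Patient:
    patient_id: str
    care_team: set = field(default_factory=set)   # criterion 2: user_ids actually involved in care


@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False


AUDIT_LOG: list = []   # "who accessed what": one entry per decision, granted or refused


def decide_access(user: User, patient: Patient, category: str,
                  break_glass_reason: Optional[str] = None) -> Decision:
    """Return an access decision and append an audit record for later review."""
    scope = PROFESSION_SCOPE.get(user.profession, set())
    if category not in scope:
        # Profession scope is never extended, not even in break-glass mode (assumption).
        d = Decision(False, f"profession '{user.profession}' has no access to {category} data")
    elif category == MEDICAL and user.user_id not in patient.care_team:
        if break_glass_reason:
            # Break-glass: granted, but flagged so the access is reviewed afterwards.
            d = Decision(True, f"break-glass: {break_glass_reason}", break_glass=True)
        else:
            d = Decision(False, "user is not in the patient's care team")
    else:
        d = Decision(True, "within profession scope and care team")
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "patient": patient.patient_id,
        "category": category,
        "allowed": d.allowed,
        "break_glass": d.break_glass,
        "reason": d.reason,
    })
    return d


if __name__ == "__main__":
    # Constructed sample: one patient, the treating physician, a receptionist
    # and a physician from another ward invoking break-glass.
    patient = Patient("p-001", care_team={"u-phys-01"})
    for who, cat, why in [
        (User("u-phys-01", "physician"), MEDICAL, None),
        (User("u-rec-01", "reception"), ADMINISTRATIVE, None),
        (User("u-rec-01", "reception"), MEDICAL, None),
        (User("u-phys-02", "physician"), MEDICAL, None),
        (User("u-phys-02", "physician"), MEDICAL, "emergency admission"),
    ]:
        d = decide_access(who, patient, cat, why)
        print(who.user_id, cat, "ALLOW" if d.allowed else "DENY", "-", d.reason)
```

Every call, granted or not, lands in `AUDIT_LOG` with the `break_glass` flag set, which is what lets the periodic review described further on single out the overrides without having to reconstruct them from raw connection records.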

Other measures can complement this arsenal, such as the implementation of a robust authentication policy, which should provide at a minimum: (i) a unique identifier per user, prohibiting accounts shared between several users, and (ii) the use of sufficiently complex passwords.

The implementation of a logging system allowing access to the DPI to be traced is also recommended by the CNIL: “this traceability must not only indicate who connected to the database and at what time, but, more precisely, who accessed what. Regular checks of these accesses must be carried out in order to identify those likely to be fraudulent or illegitimate. It is strongly recommended to have a system for automatic analysis of connection logs in order to identify accesses that seem abnormal.”
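As an added illustration of the automatic log analysis the CNIL recommends (not code from the CNIL or from any DPI vendor), the script below parses a constructed “who accessed what” log and reports two kinds of access worth a human review: every break-glass access, and any user who opened more distinct patient files in one day than a threshold allows. The log line format, the field names, the threshold of five patients per day and the sample lines are all assumptions; a real deployment would tune the threshold per profession and ward.

```python
"""Automatic review of DPI access logs: flags break-glass accesses for mandatory
review and users who open an abnormal number of distinct patient files in a day.
Added illustration with a constructed log format; field names, threshold and
sample lines are assumptions, not a CNIL specification."""
import re
from collections import defaultdict
from datetime import datetime

# One record per access: timestamp, user, patient, data category, break-glass flag.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"data=(?P<data>\S+) break_glass=(?P<bg>[01])$"
)

# Constructed sample log (not real data). Includes one break-glass access, one
# user touching six different files in a few minutes, and one malformed line.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=u-phys-01 patient=p-001 data=medical break_glass=0
2024-03-01T08:05:40Z user=u-phys-01 patient=p-002 data=medical break_glass=0
2024-03-01T08:09:03Z user=u-rec-01 patient=p-003 data=administrative break_glass=0
2024-03-01T09:15:27Z user=u-phys-02 patient=p-001 data=medical break_glass=1
2024-03-01T10:01:00Z user=u-nurse-07 patient=p-010 data=medical break_glass=0
2024-03-01T10:01:30Z user=u-nurse-07 patient=p-011 data=medical break_glass=0
2024-03-01T10:02:00Z user=u-nurse-07 patient=p-012 data=medical break_glass=0
2024-03-01T10:02:30Z user=u-nurse-07 patient=p-013 data=medical break_glass=0
2024-03-01T10:03:00Z user=u-nurse-07 patient=p-014 data=medical break_glass=0
2024-03-01T10:03:30Z user=u-nurse-07 patient=p-015 data=medical break_glass=0
this line is not a valid record
"""


def parse_log(text):
    """Return (records, malformed). Malformed lines are kept aside, not silently
    dropped: a log that cannot be parsed is itself something a reviewer must see."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["bg"] = rec["bg"] == "1"
        records.append(rec)
    return records, malformed


def find_anomalies(records, max_patients_per_day=5):
    """Flag (1) every break-glass access and (2) users exceeding the per-day
    distinct-patient threshold. Returns a list of (kind, user, detail, when)."""
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        if r["bg"]:
            findings.append(("break_glass_review", r["user"], r["patient"], r["ts"].isoformat()))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients_per_day:
            findings.append(("volume", user, f"{len(patients)} distinct patients", day.isoformat()))
    return findings


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for f in find_anomalies(recs):
        print(*f)
    for line in bad:
        print("MALFORMED:", line)
```

The volume rule is deliberately simple; the point is that the log carries enough detail (user and patient on every line, not just a login time) for such rules to be expressible at all, which is exactly the distinction the CNIL draws between “who connected” and “who accessed what”.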

Challenges

From an ethical point of view, the stakes are just as high. Respect for security (and in particular for the confidentiality of health data) must be at the center of health professionals’ concerns, with a view in particular to maintaining a high level of trust between them and their patients.

From a legal point of view, the stakes are enormous. Under the GDPR, the penalty incurred in the event of a breach of the security obligation is 2% of annual worldwide turnover. Moreover, in a recent case, the Spanish data protection authority did not hesitate to sanction a hospital that had not put in place measures limiting access to the clinical file to health professionals with a need to know (AEPD, decision no. PS/00587/2021).

In France, following checks carried out since 2020, several health establishments have been served with formal notices to take appropriate measures. For 2024, the CNIL plans corrective measures against other establishments operating a computerized patient file (DPI).

To be continued…
