Patients in danger when hacked
Published on 18/11/2019 in Customer Stories
Imagine you find out that your medical data have been hacked and put up for sale online. That’s why cybersecurity is the number 1 priority for hospitals.
How important is data security for the hospital sector?
Stefaan Vansteenkiste, IT Director at Heilig-Hart Hospital in Lier: “It’s a top priority. Patients’ medical data and the personal data of staff and patients are extremely sensitive. As a hospital, you have an obligation to keep patient data for 10 years and, after death, for as long as 30 years. On that basis, you can put together an individual’s entire lifetime. Patient data are a real gold mine for hackers. So we protect our systems to the fullest.”
“A hospital uses 200 or more systems that communicate with one another. If the network is hacked, you run the risk of a data exchange that results in patients receiving the wrong care, for instance, or a forced shutdown of your services or even the total closure of the hospital.”
How has the hospital adapted to the GDPR and NIS legislation?
“For GDPR we have drawn up a roadmap to meet all the requirements. We have recruited a data protection officer (DPO) and concluded agreements with our suppliers and doctors. An independent firm has tested whether we meet the NEN 7510 standard on information security in the care sector. All patients and staff have access to our privacy statements and we have set up a channel for people who have questions about their privacy. But it’s still a work in progress.”
“As regards the NIS (Network and Information Security) Directive: the government still has to officially inform the healthcare sector (interview took place on September 5, 2019). After that, we have six months to become compliant. We haven’t taken any steps yet, but our information security is in place. We just have to fine-tune it to fully comply with the ISO 72001 and NEN 7510 standards.”
The legislation on data security needs to be more substantive and include mandatory audits, for instance. At the moment we keep our logs up to date but we rarely screen them.
Stefaan Vansteenkiste, IT Director at Heilig-Hart Hospital, Lier
The GDPR and NIS laws require specific profiles. How are you dealing with this?
“We’ve joined forces with BDO for our information security. To comply with the GDPR legislation, we searched for a data protection officer. But there are few people with the right profile. So we took an offer from Proximus: an external consultant is our DPO now.”
“The aim is ultimately for him to take care of data security for the entire hospital network. For the NIS, we are still waiting to hear from the government. Then we will see what the impact is. We have already organised NIS info sessions for our staff. And responsibility for compliance with the NIS Act goes to our DPO.”
What do you expect in terms of security in the future?
“That everything will become stricter and more complicated than it is now. But above all, there is a need for substantive legislation. At the moment everything revolves around technical measures. What I miss, for example, are audits and rules on active monitoring and anomaly management. An audit forces institutions to check how they deal with data security.”
“We keep logs up to date at the moment, but we check them rarely. And something needs to be done about the gap between theory and practice. Our doctors are fully on board when it comes to data security, but they are hampered in their work by the stringent rules. And that is not sustainable.”
The Heilig-Hart hospital in Lier dates right back to 1236. The general hospital holds 450 beds and 1,600 staff. The Lier hospital is planning to have a completely new building by 2030. In the meantime, it is being transformed into a hospital of the future. IT is an important part of this.
Stefaan Vansteenkiste worked for a medical software producer for 14 years. He started up a company that provides IT services for the healthcare sector and helped several hospitals to improve their IT. He has been IT Director at the Heilig-Hart Hospital in Lier since 2017.