Specific information security rules in Belgium
Must hospitals in Belgium comply with specific information security rules and where can I find these rules?
Dear Eva,
In most of the EU Member States, hospitals have to comply with specific cybersecurity rules in order to get access to the government eHealth network or to be subsidized. In Belgium, for example, so-called “minimum standards” have been elaborated in the framework of the social security network. They are based on ISO 27002 and available in Dutch and French. These minimum rules are quite “high-level”. For example, with regard to the topic “management of passwords” (which is one of over 100 topics dealt with in the minimum rules), the “minimum rules” are: “1) every hospital shall ensure that the user takes sufficient measures to protect his/her own authentication credentials (usernames and passwords), 2) the system used for authentication shall depend on the risk and the technical possibilities to take one or more of the following measures: technical measures to enforce multi-factor authentication for the use of individual user-ids and passwords, 3) allow users to choose and to modify their passwords and provide a procedure to refuse weak passwords, 4) require users to change their passwords at the moment of their first login, 5) enforce regular periodical changes of passwords and refuse re-use of earlier passwords, 6) never display passwords on the screen of the user, 7) keep password files always separate from system data of the application, 8) always store and send passwords in encrypted form”.

To support hospitals in evaluating their own compliance, these rules have been transposed into a checklist of about 150 questions. This checklist is also available in German (for the hospitals in the German-speaking part of Belgium). In a further step, the minimum rules are used as input for policy guidelines. Contrary to the minimum standards, these policy guidelines are not binding for the Belgian hospitals. However, the policy guidelines are extremely useful because they explain how to implement the minimum rules.
Please keep in mind that these documents are regularly updated and that similar standards for hospitals exist in many other European countries.
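As an added illustration (not part of the answer above, and not code from any Belgian hospital or authority), the following Python sketch shows how the password rules 3, 4, 5, 6 and 8 quoted in the answer translate into a small account-management module. The policy numbers (12-character minimum, 5-entry history, 90-day maximum age, PBKDF2 iteration count) and the deny-list are constructed for the example; the minimum standards leave such figures to each hospital's risk analysis. "Stored in encrypted form" is implemented here, as is standard practice, as a salted PBKDF2 hash rather than reversible encryption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters: constructed values for this example, not figures from the
# Belgian minimum standards (which leave the numbers to each hospital's risk analysis).
MIN_LENGTH = 12
HISTORY_SIZE = 5                 # rule 5: refuse re-use of the last N passwords
MAX_AGE = timedelta(days=90)     # rule 5: periodic change
ITERATIONS = 100_000             # kept low for example speed; use a current OWASP figure in production

# Constructed stand-in for a real common/breached-password deny-list (rule 3).
WEAK_PASSWORDS = {"password", "password123", "welcome1", "hospital2024"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Rule 8: never store the plaintext; keep a random salt and a PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing about the digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def is_weak(password: str) -> bool:
    """Rule 3: refuse weak passwords (too short, on the deny-list, or too few character classes)."""
    if len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = True                                  # rule 4: change at first login
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) pairs


def create_account(username: str, initial_password: str, now: datetime) -> Account:
    """Provision an account whose administrator-set initial password must be replaced at first login."""
    salt, digest = hash_password(initial_password)
    return Account(username, salt, digest, changed_at=now, must_change=True)


def password_expired(account: Account, now: datetime) -> bool:
    """Rule 5: periodic change."""
    return now - account.changed_at > MAX_AGE


def change_password(account: Account, old: str, new: str, now: datetime) -> None:
    """Rules 3, 4 and 5: the user chooses the password; weak and recently used ones are refused."""
    if not verify_password(old, account.salt, account.digest):
        raise ValueError("current password incorrect")
    if is_weak(new):
        raise ValueError("new password is too weak")
    # Rule 5: the new password may match neither the current hash nor the retained history.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if verify_password(new, salt, digest):
            raise ValueError("password was used recently")
    account.history = ([(account.salt, account.digest)] + account.history)[:HISTORY_SIZE]
    account.salt, account.digest = hash_password(new)
    account.changed_at = now
    account.must_change = False


def login(account: Account, password: str, now: datetime) -> str:
    """Returns 'invalid', 'must_change', 'expired' or 'ok'; the password itself is never echoed (rule 6)."""
    if not verify_password(password, account.salt, account.digest):
        return "invalid"
    if account.must_change:
        return "must_change"
    if password_expired(account, now):
        return "expired"
    return "ok"
```

The history check has to re-derive the candidate hash under each stored salt, which is exactly why keeping only a short history (rule 5) matters for login latency; multi-factor enforcement (rule 2) and the separation of the password store from application data (rule 7) sit outside this module and belong to the authentication front end and the deployment layout respectively.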