How to handle personnel information

When considering cybersecurity in healthcare, the focus usually lies on the protection of the personal data of patients. However, as is the case for each organisation, healthcare organisations deal with a second category of data subjects, namely their staff. According to information security experts, human resources and administrative departments receive little to no attention when healthcare organisations update their security procedures and implement training sessions (SecureHospitals.eu, 2019).

Personnel data protection issues

According to the European Data Protection Supervisor (EDPS), there are five core issues that should be addressed (Simoncini, 2017):

  • Data quality: do not process more personal data than necessary. Only process data that is relevant to HR activities.
  • Right of information: inform staff members of their rights and for what purposes their data is processed. Information about this right should be available at all times.
  • Right of access: when requested, provide access to staff members’ (medical) files for verification and rectification purposes. Information on how to exercise this right should be available at all times.
  • Retention period: ensure data is kept according to the appropriate retention period.
  • Data security: make sure personnel data is handled by the appropriate staff members and that staff members are reminded of their confidentiality responsibilities. All staff dealing with any personal data, including administrative or financial data, should sign a confidentiality declaration.

Personnel data protection issues in the workplace

Additional issues to those stated above may exist (Van Der Sype, 2017). The following lists were found to be core aspects of personnel data handling (Kaminski, 2018; Mintern & Rayner, 2018; Rouse & Rosencrance, 2019; SecureHospitals.eu, 2019):

Physical access

  • A lock on the door prevents unauthorised access to personnel files
  • Storage and filing space should be locked to prevent unauthorised access
  • Access should be granted only on a need-to-know-basis, e. to those who need access in order to perform their job (HR staff, maintenance, facilities)

Digital access and devices

  • Identity and Access Management (‘IAM’) lies at the basis of roles and access rights to personnel files
  • Implement multi-factor authentication
  • Workplace owned device management
  • Bring Your Own Device policies
  • Guidelines for storing personal data on portable storage devices

Technology

  • Software updates and patches
  • Regular maintenance of hardware
  • Secure wireless communication
  • Encrypt data (both stored and ‘in motion’)

Training

  • Information security awareness
  • Confidentiality and data sharing guidelines
  • Privacy and data protection

Cybersecurity management

  • Risk assessment
  • Cyber incident and response plan
  • Policy and guidelines development
  • Foster a cybersecurity positive culture

Further reading and resources

Literature

Kaminski, J. (2018). Nursing and Cyber Security Awareness. 13(3/4). Retrieved from https://cjni.net/journal/?p=5849

Mintern, T., & Rayner, S. (2018, March). 8 steps to GDPR compliance: A brief guide for HR functions. Retrieved 3 September 2019, from Bird & Bird website: http://www.twobirds.com/en/news/articles/2018/uk/8-steps-to-gdpr-compliance-a-brief-guide-for-hr-functions

Rouse, M., & Rosencrance, L. (2019, May). What is Identity and Access Management? Retrieved 3 September 2019, from SearchSecurity website: https://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system

SecureHospitals.eu. (2019). Trainer interviews report. Retrieved from https://project.securehospitals.eu/

Simoncini, N. (2017, January 4). Health data in the workplace. Retrieved 2 September 2019, from European Data Protection Supervisor website: https://edps.europa.eu/data-protection/data-protection/reference-library/health-data-workplace_en

Van Der Sype, Y. S. (2017). Naar een geïntegreerde privacybescherming in de onderneming. Mechelen: Wolters Kluwer.