Health Data in Germany – How Secure is Data in Medical Practices?
Iatrophobia, also known as fear of the doctor, affects about 10% of people worldwide, who feel particularly stressed in the presence of a physician. This phenomenon is rarely found in Germany: the average citizen here visits the doctor about 10 times a year. Across Europe, this is only topped by Hungary (11.1) and Slovakia (11.5).
Looking more closely at the statistics, one notices not only that Germans greatly value their physical health. A high number of doctor visits also means that a lot of data is passed on and stored on the servers of a practice.
How Secure is Personal Data in Medical Practices?
In general, medical confidentiality applies in Germany. It is fundamental to the relationship and the trust between a doctor and their patients, and it continues even after the death of a patient. This obligation binds not only the doctor but also every employee who works in a practice, as well as employees of external service companies, for example those commissioned to repair the electronic practice management system.
Furthermore, as in any other company, the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) have applied since 25.05.2018. If this regulation or law is not complied with and a data protection incident occurs, the consequences are high penalties as well as the loss of patient trust.
What Specific Data is Collected at a Doctor’s Visit?
The legal basis for data processing is provided by the so-called documentation requirement. In most cases it allows data to be collected as part of the patient's medical history, assessment, and documentation of the diagnosis and therapy.
The data processed in this way belongs to the "special categories of personal data". It is considered significantly more sensitive because it provides accurate information about the physical and mental well-being of a person. For this reason, medical data is extremely attractive to hackers and should be sufficiently protected.
How is the Data Stored?
The data is mostly stored in encrypted form in the practice itself. Moving a patient's data outside the practice management system, for example to an external service provider, is only permitted under strict legal requirements: the service provider must commit to confidentiality, and technical and organizational measures must be taken to protect the patient data.
The retention requirement demands that business data is kept for 10 years after completion of the treatment. In order to secure data reliably over such a long period, the German Medical Association recommends an automated backup process.
What is the Reality in a Doctor’s Office?
Organizations in the healthcare industry, especially hospitals, are increasingly becoming targets for attackers after their highly sensitive data. Officially, the German government recorded a total of 43 successful attacks on healthcare providers from January to October 2020, according to the government's answer to a parliamentary question as reported by the FAZ. That is more than twice as many attacks as in the whole of 2019, and the number of unreported cases is likely to be higher still.
At the same time, numerous companies are still struggling with the implementation of the General Data Protection Regulation more than two years after it came into force (according to a survey by the digital association Bitkom). Seven out of ten survey participants say that the GDPR makes their processes more complicated and that innovative projects or technologies fail because of the strict, but often also unclear, data protection requirements. The use of the cloud, which offers a lot of potential for companies in the healthcare sector, is also viewed critically. This is because the GDPR stipulates that companies always bear responsibility for the security of their data; this responsibility cannot be handed over to the provider of cloud storage services. So how can hospitals and medical practices ensure that the data stored in the cloud does not fall into the wrong hands?
Attorney and data protection expert Wolfgang Schmid of the law firm JuS Rechtsanwälte recommends taking special precautions for health data, which counts as a special category of personal data under Article 9 of the GDPR. Here the controller is obliged to maintain specific measures to protect the interests of the data subject. Encryption software such as Boxcryptor, for example, provides the necessary measures in accordance with § 22 BDSG (new version) and Art. 32 (1) GDPR:
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data
Ask Your Doctor or Pharmacist
Health data is, contrary to many opinions, popular with hackers. It provides a wealth of information and therefore requires sufficient protection. If you are unsure whether your data will be treated with care, just talk to your doctor or pharmacist. For a practice, the protection of patient data is of high existential importance. And not infrequently, doctors are blackmailed with stolen data.
How Can Boxcryptor Help?
Boxcryptor is a simple but extremely secure way to encrypt data that resides in the cloud. The software is GDPR compliant and offers encryption that the BSI regards as a security standard. Highly sensitive health data is encrypted end-to-end directly on the PC or smartphone, so the information never goes to the cloud in "plain text". This prevents unauthorized third parties such as hackers from gaining insight.
Here you can find more information about encrypting health data with Boxcryptor.
For secure data exchange with patients, we recommend Whisply. The service also uses end-to-end encryption and is ideal for sending personal data such as findings or sick notes. The zero-knowledge principle ensures that only the authorized recipient can access the file.
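To make concrete what "never goes to the cloud in plain text" and the zero-knowledge principle mean, here is an added example (not Boxcryptor's or Whisply's code) that encrypts a record with AES-256-GCM on the device before it reaches a simulated cloud store and decrypts it only for a holder of the key; the CloudStore type, the function names and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CloudStore stands in for the provider's storage; it holds only what the client uploads.
type CloudStore map[string][]byte

// gcmFor builds an AES-256-GCM AEAD from a key that never leaves the client device.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts and authenticates a record on the device before it is stored,
// so the provider only ever receives nonce || ciphertext || tag.
func Upload(store CloudStore, name string, key, record []byte) error {
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every upload
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[name] = gcm.Seal(nonce, nonce, record, nil)
	return nil
}

// Download decrypts on the device; a wrong key or a modified blob fails authentication.
func Download(store CloudStore, name string, key []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	blob, ok := store[name]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Whoever operates the store can search the stored bytes as much as they like; without the key they find no trace of the record, and any change to the blob is rejected on download.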