Health Data in Germany – How Secure is Data in Medical Practices?
Iatrophobia, also known as fear of the doctor, affects about 10% of people worldwide, who feel particularly stressed in the presence of a physician. The phenomenon is rare in Germany. Here, the average citizen visits the doctor about 10 times a year; in Europe, only Hungary (11.1) and Slovakia (11.5) rank higher. A closer look at these statistics shows more than that Germans value their physical health: a high number of doctor visits also means that a lot of data is handed over and stored on the servers of a practice.
How Secure is Personal Data in Medical Practices?
In general, medical confidentiality applies in Germany. It is fundamental to the relationship and the trust between a doctor and their patients and continues even after the death of a patient. Not only the doctor is bound by this obligation, but also every employee who works in the practice, as well as the employees of external service companies, for example those commissioned to repair the practice management system.
Furthermore, as in any other company, the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) have applied since 25.05.2018. Surprisingly, data collected in practices is in reality not as well protected as one might expect.
What Specific Data is Collected at a Doctor’s Visit?
The legal basis for data processing is the so-called documentation requirement. It means that, in most cases, data may be collected as part of the patient's medical history and the assessment and documentation of diagnosis and therapy.
The data processed in this way belongs to the "special categories of personal data." It is considered particularly sensitive because it gives precise information about the physical and mental state of a person. For this reason, medical data is extremely attractive to attackers and must be protected accordingly.
How is the Data Stored?
As a rule, the data is stored in encrypted form on systems within the practice itself. Moving a patient's data outside the practice management system, for example to an external service provider, is permitted only under strict legal requirements: the service provider must be bound to confidentiality, and technical and organizational measures must be in place to protect the patient data.
The retention requirement demands that treatment records be kept for 10 years after completion of the treatment. In order to keep data secure over such a long period, the German Medical Association recommends an automated backup process.
What is the Reality in a Doctor’s Office?
In order to find out how secure practices and pharmacies in Germany really are, the German Insurance Association (GDV) conducted a nationwide survey and came up with some alarming findings.
Some doctors see many opportunities in digitization. Nevertheless, 88% of the interviewed doctors and pharmacists fear that the threat of cybercrime will grow in the future. All the more contradictory: only 17% of physicians and 23% of pharmacists fear that their own practice could fall victim to a cyberattack. Many respondents believe that their own practice is too small to be targeted and that its data is of no interest to attackers. The majority also mistakenly believe that their computer systems are fully protected.
IT security expert Michael Wiesner was commissioned to take a closer look at 25 practices. From the outside, the practices often made a good impression, but from the inside they were easy to compromise. 22 of the 25 practices used overly simple passwords such as the doctor's name or "treatment". Another common issue is unsuspecting employees: in six cases, a phishing attack was successful.
Another problem is the encryption of data. Only 9 of the 25 practices had an encrypted data backup. Wiesner recommends regularly backing up the data separately from the production system, protected with BSI-compliant encryption, for example on an external hard disk or in the cloud.
Companies that work with biometric or health data, and therefore with special categories of personal data under Art. 9 GDPR, should take special precautions, in the opinion of data protection expert Wolfgang Schmid, lawyer at JuS Rechtsanwälte. The controller is obliged to implement specific measures to safeguard the interests of the data subject. Boxcryptor takes such measures in accordance with §22 BDSG.
Another major shortcoming is the encryption of e-mail. A test of the mail servers revealed that only five (0.4%) of 1,200 registered physicians offered the encryption methods recommended by the German Federal Office for Information Security (BSI).
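The article does not say which test was run against the mail servers. The check a practitioner would typically perform is whether the server offers STARTTLS at all and, if so, whether the negotiated protocol version and cipher suite meet the BSI's TLS recommendations (TR-02102-2: TLS 1.2 or 1.3, ECDHE key exchange, AES in GCM mode). The following is an added example, not code from the article, GDV or Wiesner's study. It parses an EHLO reply, grades the negotiated parameters against an illustrative allow list, and runs offline on constructed EHLO responses; the optional live check uses only the standard library and is not exercised here.

```python
"""Assess an SMTP server's transport encryption against BSI-style rules.

Added example; the EHLO replies, the practice hostname and the cipher allow
list are constructed for illustration and are not taken from the article.
"""
import re
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Protocol versions in ascending order; anything below MIN_TLS_VERSION fails.
TLS_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS_VERSION = "TLSv1.2"

# Illustrative subset of suites recommended in BSI TR-02102-2 (ECDHE + AES-GCM),
# written as the OpenSSL names Python's ssl module reports.
RECOMMENDED_SUITES: Set[str] = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",          # TLS 1.3
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
}

# Constructed EHLO replies (hostname is fictitious).
EHLO_NO_TLS = """250-mail.praxis-beispiel.de
250-SIZE 20480000
250-8BITMIME
250 HELP
"""
EHLO_WITH_TLS = """250-mail.praxis-beispiel.de
250-SIZE 20480000
250-STARTTLS
250-8BITMIME
250 HELP
"""


def parse_ehlo(response: str) -> Set[str]:
    """Return the SMTP extension keywords advertised in a multi-line EHLO reply.

    The first 250 line carries the server's greeting, not an extension, so it
    is skipped; on the remaining lines the first token after '250-'/'250 ' is
    the keyword (e.g. 'SIZE 20480000' -> 'SIZE').
    """
    exts: Set[str] = set()
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"250[ -]([A-Za-z0-9-]+)", line.strip())
        if m:
            exts.add(m.group(1).upper())
    return exts


@dataclass
class Assessment:
    starttls: bool
    tls_version: Optional[str]
    cipher: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def assess_smtp_transport(ehlo_response: str,
                          tls_version: Optional[str] = None,
                          cipher: Optional[str] = None) -> Assessment:
    """Grade a server from its EHLO reply and (if any) negotiated TLS parameters."""
    exts = parse_ehlo(ehlo_response)
    result = Assessment("STARTTLS" in exts, tls_version, cipher)
    if not result.starttls:
        # Without STARTTLS every message, including findings sent to patients,
        # crosses the network in cleartext; nothing else needs checking.
        result.findings.append("no STARTTLS: mail is transported in cleartext")
        return result
    if (tls_version not in TLS_VERSION_ORDER or
            TLS_VERSION_ORDER.index(tls_version) < TLS_VERSION_ORDER.index(MIN_TLS_VERSION)):
        result.findings.append(f"obsolete protocol {tls_version}: TLS 1.2 or 1.3 required")
    if cipher not in RECOMMENDED_SUITES:
        result.findings.append(f"cipher {cipher} not in the recommended ECDHE/AES-GCM set")
    return result


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> Assessment:
    """Run the same assessment against a real server (needs network access).

    Certificate validation is left on; a server with a broken certificate
    raises ssl.SSLError here, which is itself a finding worth recording.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        # Rebuild the wire format so the offline parser can be reused unchanged.
        ehlo_text = "\n".join(f"250-{l}" for l in msg.decode(errors="replace").splitlines())
        if not smtp.has_extn("starttls"):
            return assess_smtp_transport(ehlo_text)
        smtp.starttls(context=ctx)
        return assess_smtp_transport(ehlo_text, smtp.sock.version(), smtp.sock.cipher()[0])


if __name__ == "__main__":
    for label, args in [("no STARTTLS", (EHLO_NO_TLS,)),
                        ("TLS 1.0 + CBC", (EHLO_WITH_TLS, "TLSv1", "AES256-SHA")),
                        ("TLS 1.3 + GCM", (EHLO_WITH_TLS, "TLSv1.3", "TLS_AES_256_GCM_SHA384"))]:
        a = assess_smtp_transport(*args)
        print(f"{label}: {'compliant' if a.compliant else '; '.join(a.findings)}")
```

Note that a passing grade here only says the server can negotiate a modern cipher with a willing peer; opportunistic STARTTLS still falls back to cleartext against a sender that never asks for TLS, which is why the BSI's e-mail transport guidance additionally calls for a verifiable certificate.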
Ask Your Doctor or Pharmacist
Health data, contrary to a widespread belief, is sought after by attackers. It provides a wealth of information and therefore requires adequate protection. If you are unsure whether your data is handled with care, simply talk to your doctor or pharmacist. For a practice, the protection of patient data is of existential importance, and doctors are not infrequently blackmailed with stolen data.
How Can Boxcryptor Help?
Boxcryptor is a simple but highly secure way to encrypt data that resides in the cloud. The software is GDPR compliant and uses AES encryption with a 256-bit key, as recommended by the BSI.
More information about Boxcryptor in the healthcare sector can be found here.
For secure exchange with a patient, we recommend the web service Whisply. The service also uses AES-256 encryption and is well suited to sharing personal information such as diagnostic findings or a doctor's note with a patient. Its zero-knowledge design ensures that only the sender and the recipient can access the file.
Cloud Use in Healthcare: Free Whitepaper
In our free whitepaper we give information on how the use of a securely encrypted cloud enhances the data security in your practice or organization, and how, at the same time, it helps you save costs.