In a meeting room on the 7th floor of Helse Sør-Øst’s office in Oslo, two managers try to explain why the country’s largest healthcare company wants to put patients’ personal data on an American-owned cloud.

– We will use cloud services to create a good service for patients when they arrive at the hospital and when they leave it. The system will record the patient’s attendance at outpatient clinics, name and social security number, and which outpatient clinic they are going to, says managing director Terje Rootwelt at Helse Sør-Øst.

Helse Sør-Øst will begin the rollout of the cloud service during the spring.

Sensitive personal data on the cloud

The cloud solution will hold information on whether the patient, for example, has cancer, heart problems, lung disease, abdominal disease, substance abuse problems or is mentally ill. This is sensitive personal data that unauthorized persons should not get hold of.

NO PROBLEM: IT security manager Øyvind Grine and managing director Terje Rootwelt in Helse Sør-Øst believe it is unlikely that the US or others will ask to be handed over personal data of Norwegian patients. Very good work is being done with information security and we give that a high priority, emphasizes Rootwelt. Photo: Anne Cecilie Remen / news

The country’s largest healthcare company is responsible for healthcare services for 3.1 million Norwegians. Among the patients are the country’s leading figures in politics, society and business. Now, sensitive personal data from these patients will be available on an American-owned cloud solution.

USA and American companies not safe

According to Norwegian and European legislation, personal data cannot be shared with countries outside Europe, such as the USA. The reason is that there is no agreement on such transfers between the EU and the USA.

– Today, the USA is not considered a safe country to send personal data to, says Director Line Coll of the Norwegian Data Protection Authority.
ACTION MUST BE TAKEN: Line Coll, director of the Norwegian Data Protection Authority, has proposed encryption as a measure that Helse Sør-Øst can implement to protect the personal data of patients. Photo: Anne Cecilie Remen / news

The danger is that sensitive personal data can be handed over to other countries’ authorities if they demand it.

– As we understand it, the supplier of this system reserves the right to hand over the data to authorities in countries outside Europe. That is basically not legal, says Coll.

The management of Helse Sør-Øst points out that the subcontractor is not located in the USA but in Ireland, and that all data processing takes place in Europe. But the company responsible for the cloud service is owned by the American Microsoft. The management of Helse Sør-Øst admits that the cloud provider cannot guarantee that data will not be disclosed.

HOSPITALS WITHOUT RECEPTION AREAS: Self-service and cloud solutions are the future for patients. It will be a good solution for the patients, and the use of the cloud is both legal and justifiable, says Helse Sør-Øst. Photo: Helse Sør Øst

– No, they cannot guarantee that, says Rootwelt.

Helse Sør-Øst believes that American intelligence will not be interested in the Norwegian patient data and that there is little likelihood that they will be in the future.

– We have looked at the American legislation, our lawyers have assessed that there is no reason why they would want information about health data, it has never happened before, and we believe that in practice there will not be an opportunity for that, says Rootwelt.

According to a memo from Helse Sør-Øst which news has gained access to, they believe that Microsoft has never received requests from American authorities for access to European public enterprises.

The Norwegian Data Protection Authority does not share Helse Sør-Øst’s assessment.
– The fact that it is considered unlikely that the information will be handed over to the US authorities is not relevant from our side, says director Coll of the Norwegian Data Protection Authority.

The Norwegian Data Protection Authority warned a few weeks ago that pressured finances and cost-cutting in hospitals could lead to weakened IT security and poorer privacy. The authority believes that earmarked funds for IT security in the health sector are necessary.

Cloud service now

The Norwegian Data Protection Authority has given Helse Sør-Øst a set of recommendations on protecting sensitive patient data, so that personal data is not shared and the cloud solution thus becomes legal.

– We have given concrete and practical advice to Helse Sør-Øst about how personal data in this system can be protected, for example by encryption or pseudonymisation, so that patient data is not readable by the supplier, the US authorities or the authorities of third countries. We expect that Helse Sør-Øst will take our advice seriously, says Line Coll, director of the Norwegian Data Protection Authority.

But the management of Helse Sør-Øst believes that it is not possible to make the information inaccessible to the company behind the cloud service by encryption or pseudonymisation in Health Logistics.

– This cannot be done together with the payment solution. After all, it must know the identity of the patients, Rootwelt points out.

Personal data will be visible to the cloud provider during the treatment period until the patient has paid for the health services. This can be a period of up to 30 days. The director nevertheless emphasizes that the data is encrypted in transit and at rest.

– We believe that information security will improve. Development is moving in the direction of cloud solutions, and the question is how we can do this in a safe way, says Rootwelt.
CANCER INFO: Personal data about cancer patients will also end up in the cloud at Radiumhospitalet. Photo: Helse Sør Øst

One solution is to wait

The Norwegian Data Protection Authority emphasizes that one solution is for Helse Sør-Øst to wait with a cloud service until the EU and the US agree on an agreement on the sharing of personal data.

But Helse Sør-Øst does not have time to wait. The country’s largest healthcare company is building a number of new hospitals, and they are planned with digital solutions and cloud services.

– We need to move forward with regard to the new hospitals being built. If we had not considered this to be legal or justifiable, we would of course have chosen another solution, but it would have been demanding because planning for the new hospitals has come so far. It would certainly have become more expensive and more cumbersome for patients and for the employees at the hospital, emphasizes Rootwelt.

– If they do not introduce measures to protect personal data, they will be responsible for personal data being transferred to a country where it is not legal to do so in the first place, says Coll of the Norwegian Data Protection Authority.

Hey, do you have any thoughts on this matter? Feel free to send me an email. I work a lot with working life and with IT security, and would like to have input or tips on other matters I should look into.