Report: Medical institutions, labs bad at protecting data
There are several deficiencies in the way that Israel’s medical institutes and laboratories are protecting citizens’ information, a new report by the The Israel Protection Authority found.
In a report published Monday, the authority showed some institutions allowed caregivers access to information in unsecured ways, often without differentiating by role or need to know. Moreover, some do not take adequate measures to prevent physical intrusion into the areas where servers or electronic databases are stored, do not have proper encryption in place or do not monitor and record security events.
“The medical institutions and laboratories are considered to be particularly high-risk for a possible violation of the right to privacy, both because of the scope of information and the high level of sensitivity of the health information collected and maintained about the patient population,” the report explained.
The institutes and laboratories examined by the authority hold sensitive and personal information, including medical information relating to tests of various types, such as imaging tests like mammograms, hearing diagnostics and various treatments such as physical therapy. The report found that patients are not always aware of how information about them is being used or to whom it has been passed on and how.
To complete the audit, the authority asked 23 parent institutions that represent some 300 medical institutions and labs to complete an audit questionnaire. The authority focused on four areas: organizational control and corporate governance, database management, information security and outsourcing services.
Overall, 25% were severely deficient in the realm of organizational control and corporate governance and 15% were moderately deficient. In the areas of database management and information security, 15% of institutions were severely deficient.
In each category, 60% to 65% were found to sufficiently protect patient information.
The most acute problem among all institutions seemed to be in the realm of patient information being processed by external companies – some 40% of institutions were deficient. This was the case even among those institutions which implement proper internal controls.
It was also found that some institutions did not perform any screening procedures of new employees before they were granted access to information.
“The importance of this audit was to identify and reduce the gaps between the requirements of the Protection of Privacy Law and its regulations and their actual implementation,” said attorney Ali Calderon, who is in charge of administrative enforcement for the Israel Protection Authority. “The findings of the report emphasize the obligation of institutions to comply with the provisions of the Protection of Privacy Law and its regulations.
“The Israel Protection Authority is confident the publication of this report may be a tool for all agencies managing patients’ medical information and raising awareness of the requirements of the Protection of Privacy Law for these entities.”