Data protection in medical practices

Medical practices process personal data that warrant special protection. Since information on a person's state of health is extremely confidential, such data must be handled with a great sense of responsibility, in particular by equipping the practice with the appropriate technology.

This is because the interfaces and equipment in medical practices often have serious shortcomings in terms of data protection. The following table shows, for each interface or environment, the measures that can be taken to reduce or eliminate the risks inherent in the use of IT.

Interfaces and useful measures

  • protect access with a password or a USB key containing biometric data; encrypt sensitive data;
  • have a good backup strategy; RAID;
  • ensure good maintenance of the RAID system; cluster systems;
  • only allow remote maintenance of the system if there is no patient data in the system or if the data are encrypted -> perform a test with fictitious data. Draw up a maintenance report.
  • store the backup media in a safe place (safe);
  • define the backup procedure in such a way that, in the event of loss or destruction of a backup medium, not all data will be lost;
  • test the backup -> restore procedure.
  • do not connect unnecessary access equipment or switch it off when not in use;
  • it is not recommended to install a wireless local area network (WLAN);
  • access for the maintenance of the network infrastructure must be given by the doctor, who will close the access again once the work is completed; draw up a maintenance report.
  • do not print documents containing patient data on an unattended printer;
  • do not leave printed documents on the printer for too long;
  • printed texts must not be able to be reconstructed either through the printer or through the print server;
  • printer maintenance must be carried out on site.
  • position the screens in such a way that third parties cannot see what is displayed;
  • protect access with a password or a biometric USB key;
  • do not write down passwords on a post-it note;
  • set the screensaver to activate after a short period of time;
  • record access.
  • lock the PC when the doctor is not in the practice;
  • protect access with a password or a biometric USB key;
  • set the screensaver to activate after a short period of time;
  • record access;
  • do not store locally the patient data already stored on the server.
  • only encrypted data can be transferred between the practice and the office/home. The best solution is to save the data you need on a laptop;
  • if stored on a laptop, patient data must be encrypted;
  • Attention: the rules laid down for processing within the doctor's office (including those relating to the Internet connection) also apply to patient data processed on a private computer;
  • the computer must be protected from access by third parties (e.g. family members).
  • installation of a hardware firewall is recommended;
  • if necessary, provide a PC specifically for Internet browsing. However, the PC should not be connected to the LAN network of the medical practice;
  • as far as possible, connect to the Internet only when necessary for professional reasons;
  • do not install other Internet connections in the practice; if this is not possible, connect only through the firewall;
  • by default, all ports should be closed;
  • in the event of an attack, the firewall should automatically guarantee the impenetrability of the system;
  • log firewall activity;
  • remote maintenance can only be carried out via modem; a maintenance report must be drawn up;
  • do not download from the Internet using the practice server;
  • install a virus protection system.
  • the practice's e-mail addresses should not be disclosed indiscriminately to anyone;
  • private e-mails should be sent from private e-mail addresses;
  • send patient data only in encrypted e-mails;
  • do not send patient data in a reply e-mail;
  • do not use the e-mail application to manage documents or, even worse, to set up an electronic patient file. In other words: delete e-mails after reading them and transcribe their important contents into the patient's file.
  • check the infrastructure regularly;
  • do not use unnecessary hardware and software;
  • do not allow third parties to access the systems by themselves - not even for maintenance work;
  • do not connect mobile phones to a computer in the practice. Mobile phones can also be used to transmit data.

The list of measures is not exhaustive and, as such, does not guarantee absolute protection against abuse. Nevertheless, it is a first step towards adequately protecting patient data from the risks inherent in the use of information technology. What is important is that every doctor realises that he will be held accountable for any shortcomings in his IT infrastructure.

The rule that follows is therefore: the doctor must be familiar with the IT infrastructure of his practice and ensure that it is of a high technical quality. Given that it handles extremely sensitive data, a doctor's practice cannot afford to deviate from this rule.

The Data Protection Act has been updated to mid-May 2022; we discuss it here.