COMMISSIONER
FOR INFORMATION OF PUBLIC IMPORTANCE
AND PERSONAL DATA PROTECTION


The Commissioner for Information of Public Importance and Personal Data Protection has passed a decision ordering the Ministry of Health of the Republic of Serbia to put in place organisational, technical and human resources measures immediately after receiving the decision, and in any case not later than 8 days after its receipt, in order to protect the personal data it processes in the Integrated Health Information System (IHIS) from abuse, destruction, loss, tampering or unauthorised access.

The Commissioner previously found through inspection that the Ministry had assigned easily “hackable” user names and passwords to the employees of the institutions where the IHIS was implemented. Those passwords had been sent by e-mail, often to addresses that were not hosted on servers operated and managed by the institutions where the users were employed, but on the servers of foreign legal entities used by the general public (Gmail, Hotmail, Yahoo). The Ministry had not ensured that the natural persons who access the IHIS change their initially assigned passwords, so multiple physicians at the same medical institution used the same password. Forgotten passwords were sent by e-mail to the administrator of the institution where the user is employed, rather than directly to the user, and communication with the administrators of those institutions often took place via Gmail, Hotmail or Yahoo.
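The four shortcomings the inspection describes (initial passwords never changed, one password shared by several physicians of the same institution, credentials routed to public webmail accounts rather than institutional addresses, and resets delivered to an administrator instead of the user) are all detectable from a provisioning register. The audit below is an added example, not code from the Commissioner's office or from the IHIS; the account records, institution domains and passwords are constructed, and the record layout (`initial_hash`, `current_hash`, `reset_to`) is an assumption about how such a register might be kept.

```python
"""Audit an account-provisioning register for the IHIS-style shortcomings.

Added example; the records below are constructed and the field names are
assumptions, not the IHIS schema.
"""
import hashlib
from collections import Counter, defaultdict

# Public webmail domains the inspection names; institutional mail should not
# be hosted there.
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}

# Finding kinds, one per shortcoming described in the inspection.
UNCHANGED_INITIAL = "UNCHANGED_INITIAL"          # initial password still in use
NON_INSTITUTIONAL_EMAIL = "NON_INSTITUTIONAL_EMAIL"  # credentials go to webmail / foreign domain
RESET_TO_ADMIN = "RESET_TO_ADMIN"                # reset mail goes to the admin, not the user
SHARED_PASSWORD = "SHARED_PASSWORD"              # several users, same institution, same password


def pw_hash(password: str) -> str:
    """Fingerprint used only to compare passwords in this audit.
    A real system stores salted, slow hashes; SHA-256 is used here so the
    constructed register is readable."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed register: one entry per provisioned user account.
ACCOUNTS = [
    {"user": "dr.petrovic", "institution": "dz-primer.rs",
     "email": "petrovic@dz-primer.rs", "initial_hash": pw_hash("Lekar123"),
     "current_hash": pw_hash("Lekar123"), "reset_to": "user"},
    {"user": "dr.jovanovic", "institution": "dz-primer.rs",
     "email": "jovanovic@gmail.com", "initial_hash": pw_hash("Lekar123"),
     "current_hash": pw_hash("Lekar123"), "reset_to": "admin"},
    {"user": "dr.nikolic", "institution": "dz-primer.rs",
     "email": "nikolic@dz-primer.rs", "initial_hash": pw_hash("Lekar123"),
     "current_hash": pw_hash("T9!vr2#Kqz"), "reset_to": "user"},
    {"user": "dr.ilic", "institution": "kbc-primer.rs",
     "email": "ilic@yahoo.com", "initial_hash": pw_hash("Lekar123"),
     "current_hash": pw_hash("Lekar123"), "reset_to": "user"},
]


def audit(accounts):
    """Return a list of (kind, subject, detail) findings for the register."""
    findings = []
    users_by_inst_and_hash = defaultdict(list)

    for acct in accounts:
        user = acct["user"]

        # 1. Initial password never replaced by the user.
        if acct["current_hash"] == acct["initial_hash"]:
            findings.append((UNCHANGED_INITIAL, user,
                             "initial password still in use"))

        # 2. Credentials delivered outside the institution's own mail domain.
        domain = acct["email"].rsplit("@", 1)[-1].lower()
        if domain in WEBMAIL_DOMAINS or domain != acct["institution"].lower():
            findings.append((NON_INSTITUTIONAL_EMAIL, user,
                             f"credentials routed to {acct['email']}"))

        # 3. Forgotten-password resets sent to the administrator, not the user.
        if acct["reset_to"] != "user":
            findings.append((RESET_TO_ADMIN, user,
                             f"resets delivered to {acct['reset_to']}"))

        users_by_inst_and_hash[(acct["institution"], acct["current_hash"])].append(user)

    # 4. The same password in use by several accounts of one institution.
    for (inst, _digest), users in users_by_inst_and_hash.items():
        if len(users) > 1:
            findings.append((SHARED_PASSWORD, ",".join(sorted(users)),
                             f"same password shared within {inst}"))
    return findings


def count_by_kind(findings):
    """Summary the Commissioner's officers could report: findings per kind."""
    return dict(Counter(kind for kind, _subject, _detail in findings))


if __name__ == "__main__":
    for kind, subject, detail in audit(ACCOUNTS):
        print(f"{kind:24} {subject:28} {detail}")
    print(count_by_kind(audit(ACCOUNTS)))
```

Run against the constructed register, the audit reports three accounts still on their initial password, two accounts whose credentials go to webmail, one account whose resets go to an administrator, and one password shared by two physicians of the same institution; an empty result for all four kinds is the state the decision orders the Ministry to reach.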

The Commissioner had already warned the Ministry about all these issues in October 2016 and the Ministry had notified the Commissioner by its letter of 1 December 2016 that it had implemented a system of safeguards which remedied the shortcomings of the personal data protection system built in the IHIS.

Up to the date on which this Decision was passed, authorised officers of the Commissioner subsequently conducted multiple successive checks of access to personal data in the IHIS, using the passwords initially assigned by the Ministry to physicians within the same medical institution, and found that the Ministry had not remedied the identified omissions in personal data protection. Based on just a relatively modest random sample of medical institutions, it was confirmed that large quantities of patients’ personal data could easily be downloaded without authorisation, including not only names, surnames and unique personal identification numbers, but also diagnoses, medical histories and treatments in all possible cases, including the most sensitive ones (psychiatric, gynaecological, dermatological etc.).

The only reply by the Ministry thus far was a communication which stated that “any unauthorised access (assuming it has occurred) was not due to inaction or negligence on behalf of the Ministry and the blame for this rests exclusively with individuals within the medical institutions who did not know how to properly use the passwords assigned to them.” The wording “assuming it has occurred” is completely divorced from reality, since it can be assumed from the circumstances and the time during which no safeguards were in place that instances of unauthorised access did indeed occur and were alarmingly numerous. Even more ludicrous is the claim that the blame for any omissions rests with “individuals within the medical institutions” who did not know how to properly use the passwords assigned to them, because the Ministry had implemented the IHIS and was therefore responsible for undertaking all technical, human resources and organisational measures to protect the data, including (of course) appropriate training of the individuals who use the system.

The Commissioner is concerned and astonished to learn that the warnings he had issued both to the Ministry and the Government have not resulted in a proper response. He expects the Ministry to finally undertake appropriate measures and once again underscores that the existing omissions may cause immeasurable damage to patients.
