Inadequate efforts for information security in health and social care
Health and social care providers handle large amounts of sensitive personal data digitally, for example in medical records. The central government is responsible for supporting their information security work and also conducts supervision. The audit of the Swedish National Audit Office (“the Swedish NAO”) shows that the central government’s work needs to be more effective.
Health and social care providers are responsible for ensuring that personal data is processed correctly and protected. Information security is a complex area that is undergoing rapid change and is regulated by numerous laws.
The Swedish NAO’s audit shows that the Swedish Authority for Privacy Protection, the Swedish Civil Contingencies Agency, the Health and Social Care Inspectorate and the National Board of Health and Welfare do not contribute to reinforcing information security in health and social care effectively.
This is partly because none of the agencies consider themselves to bear a clear responsibility for providing specific support to the information security work of health and social care providers. In addition, the agencies work in silos and rarely cooperate to design support that meets providers' needs.
Neither the Swedish Authority for Privacy Protection nor the National Board of Health and Welfare follow up on the support needs that exist, or whether the support provided is adequate. Therefore, they cannot assess whether initiatives have helped to strengthen information security work.
“Support is not adequately adapted to needs, for example in terms of appropriate security measures. Health and social care providers do not receive the legal guidance they need to attain adequate protection of personal data,” explains Nedim Colo, project leader of the audit.
One consequence is that regions and municipalities do not obtain sufficient support with how their information security work could be improved, which can lead to inadequate protection of personal data and varying levels of protection in different parts of the country.
Furthermore, the audit shows that the agencies’ supervision does not contribute to reinforcing the protection of personal data effectively. Supervision has encompassed only a handful of healthcare providers and no social care providers.
In addition, the Health and Social Care Inspectorate's supervision does not fully cover security in the information systems and networks in which healthcare providers process personal data. Furthermore, since the agencies do not follow up on their supervision, it is unclear what effect it has and whether it targets the areas that would benefit most.
The audit also covers the management of the Government in the area. The Swedish NAO considers that the Government’s initiatives to reinforce information security work in health and social care have been inadequate. For example, the Government has not clarified which agency is responsible for providing health and social care providers with specific support concerning information security.
Neither has the Government ensured that social care providers are subject to the same requirements concerning security measures and systematic information security work as healthcare providers, even though they process similar sensitive personal data.
“The information security efforts of the central government within health and social care need to be more effective. It is recommended that the Government and the agencies take measures in several areas,” comments Auditor General Helena Lindberg.
Recommendations in brief
Recommendations to the Government include clarifying the responsibility of the National Board of Health and Welfare for devising operations-appropriate support for information security work in health and social care. The Government should also ensure that social care providers and small-scale healthcare providers are subject to requirements to conduct systematic and risk-based information security work.
Recommendations to the Health and Social Care Inspectorate include conducting supervision that examines whether healthcare providers meet all legal requirements concerning security in networks and information systems.
Recommendations to the Swedish Authority for Privacy Protection include enhancing efficiency in processing complaint and supervision cases, thus freeing up resources for more risk-based supervision.