End-to-end encryption (e2e) will not become part of the legally required standard when exchanging medical data. Outgoing Minister of Health Hugo de Jonge indicates that he will not implement the encryption requirement in a new law ‘because of the system of the bill’.
Outgoing minister de Jonge responded to questions from the Party for the Animals (PvdD) about a bill regarding the Electronic Data Exchange in Healthcare Act. This law must, among other things, determine the requirements that healthcare institutions must meet when they exchange patient data with each other.
The PvdD asked the minister whether end-to-end encryption is included in this law. De Jonge responded that end-to-end encryption itself is not explicitly included in the law, but that the institutions must adhere to the so-called NEN standards that are already in force. These standards already set requirements for information security in healthcare. The minister indicates that if end-to-end encryption becomes part of the security of medical data, this will most likely be included via the NEN standards instead of via a bill.
The right solution?
The question remains whether end-to-end encryption is the right solution for data that has to be exchanged with a complex network of healthcare providers. End-to-end encryption is desirable, for example, in a chat application such as WhatsApp, where data exchange takes place between only two devices. Only the sender and receiver have access to the decryption key.
Moreover, security standard NEN 7510 already provides a framework within which “each process owner can specify the information security deemed relevant to his/her process, including the associated measures”. These standards already apply to all healthcare providers and organizations in the healthcare and wellness sector that manage personal health information, “regardless of the nature and size of the business process”.
Catch up on more articles here
Follow us on Twitter here