Amir Gilboa

Information security and privacy in EHR systems

The topic we will deal with today is not limited to information systems or medical record systems; it is a slightly broader topic, which of course also comes back to information systems in the end.

I'm talking about information security and privacy.

As you probably know, there are various laws and regulations regarding information security and privacy.

There are many topics to discuss and, of course, we will not cover all of them. However, I find it important to speak about the principles and to highlight the aspects related to the medical information we are dealing with.

Many countries have privacy regulations. In recent years, the GDPR has come into force in Europe; in effect, it sets standards that are binding on everyone who handles information about EU citizens.

The regulations distinguish between different types of information and their level of sensitivity. Medical information is, of course, at the highest level of sensitivity and therefore needs to be protected in the best possible way.

The fear is that unauthorized entities will have access to people's medical information and misuse it or sell it to various entities that are interested in the medical information.

The regulations do not distinguish between computerized and non-computerized information: the obligation imposed on those who handle medical information also applies to information kept on paper and in binders. Digital means naturally offer more diverse options for protecting the information, such as encrypting it or restricting access to it through strong identification, but the obligation exists for non-digital information as well.

Regulations that refer to medical information systems usually separate the information owner, which is the health organization (the clinic, institute, or hospital), from the information processor, which is the software provider.

Each of these roles carries different obligations, and as managers of a health organization it is important that you know them.

In addition, if you have patients who are citizens of one of the EU countries, you are required to comply with the GDPR (General Data Protection Regulation), and other countries may have other regulations that apply to their citizens.

I will attach below some links to the relevant authorities' websites, so that those who wish to deepen their knowledge and learn more can easily do so.

The various authorities, such as the Ministry of Health or the Privacy Protection Authority, occasionally conduct inspections and controls to ensure compliance with the regulations.

To make sure that you act properly and correctly, I recommend reaching out to a consultant who is an expert in the field and who can guide you on which actions you are required to take. I personally was assisted by a consultant who is an expert in the field to make sure everything was working properly and meeting the requirements.
