How to improve data security across a remote workforce: a lesson in security training
Research from NICTIZ/NIVEL and Pharmapartners shows that just 3% of Dutch people have had an email consult with their physician. In secondary care (hospitals and other medical facilities) the figure drops to virtually zero. There is a chance that this will change. Since January 2018 an email consult can be declared to the insurer at the same value as a visit to a polyclinic. Healthcare providers that make use of this change can increase both their effectiveness and their patients' satisfaction. Given ever-stricter privacy legislation, however, email consults need to be secure. What else do you need to take into account when choosing this option?
An email consult has some obvious benefits for healthcare providers: less risk of overrunning consulting hours, less waiting-room capacity needed, more time available for complicated cases, more efficient handling of routine care demand, increased patient satisfaction, easily accessible contact, and so on.
Patients are open to the email consult. A study by NICTIZ/NIVEL and Pharmapartners shows that between a third and half of all Dutch people would like to communicate digitally with their physician. One of the most important benefits for them is that digital communication is much easier to combine with work and private life: they save the time that would otherwise be spent travelling to the physician and sitting in the waiting room.
The reason healthcare providers have not yet actively embraced email consults is quite clear: until recently a physician was compensated with only € 4,63 per email consult, and hospitals received no compensation at all. In addition, and perhaps as a consequence, no time is set aside in the regular consulting schedule for answering emails; most of the time, physicians have to answer them in their own time. Moreover, security regulations do not allow an email consult to be conducted over regular email. If healthcare providers also have to invest in a solution for secure and easy email, it is no surprise that email consults have not caught on.
Since last January, however, something interesting has happened for hospitals and other healthcare facilities: email consults may now be declared as DOTs. Under this new regulation, the declared value is equal to that of a physical visit to your physician. This has finally turned the email consult into a real gain.
The risks of using regular email
Now that the financial barrier has been removed, the only thing in the way is a technical challenge. Obviously, a physician wants to protect the privacy of their patients, and with regular email a completely secure email consult is impossible. Because healthcare providers are often unaware of secure alternatives, many of them use regular email, often accompanied by a disclaimer like this one:
“Our mail to you is not encrypted and travels over the public internet, and is therefore not secured. This means that there are some risks to the mailed information. These risks are fully your responsibility. This facility is in no way responsible or answerable for any damage that might result from this email exchange.”
Apart from the fact that this disclaimer will not shield you from any responsibility, using regular email always carries the possibility of a data leak: it is impossible to determine whether the information has been seen by a third party. Medical information is highly sensitive and personal, and using a communication channel without encryption and additional security measures is a violation of the GDPR. The Authority for Personal Data can issue a warning or a fine for this infraction, all the more so because the disclaimer itself shows that you knew the risks of using regular email.
What are you looking for?
Email consults can be both secure and easy, and several solutions are available. For a secure email consult, pay attention to the following topics:
- The use of two-factor authentication (2FA): think of the code you receive by SMS when you log in to internet banking. 2FA is the only way to ensure that only the intended recipient is able to read your message (for more information, read our blog about 2FA). All guidelines state that 2FA is necessary for secure communication: it is not merely an option, it is a must. 2FA is needed not only on the patient's side but above all on the healthcare provider's side, since the provider's mailbox contains the most sensitive information.
- Best practices: when it comes to protecting privacy, the supplier can also be the weakest link. It is wise to check whether your supplier is ISO 27001 and NEN 7510 certified and works according to privacy by design and privacy by default.
- The option to withdraw messages: 61% of all data leaks in healthcare occur when someone sends information to the wrong person. When this happens, you want to be able to recall the message, so it is important to be able to see whether the receiving party has already read it. If not, no data leak has occurred. If the message has been read and it contained medical information, you are obliged to notify the Authority for Personal Data.
- The possibility to export data: eventually, consults have to be registered and declared in other systems (HIS/EPR). It is therefore desirable that users can export data and then import it into another system with little effort.
- The opportunity for the patient to take the initiative: often the initiative for an email consult lies with the patient, who after all has a question. The solution therefore needs to allow the patient to start a consult, which means it needs an area where patients can log in on their own (and free of charge).
- User-friendliness for the patient: last but certainly not least, healthcare providers are often inclined to choose the solution that suits them best, rather than looking at it from the patient's point of view. Hospitals may say: “But we do this through the patient portal.” Most portals, however, are not known for their usability. Especially if you want the email consult to be used, you have to consider user-friendliness and easy accessibility for the patient. With that in mind, there is nothing wrong with using another solution alongside your portal.
My prediction is that in the course of the next year an innovative healthcare provider will stand up and include email consults in its package. One that understands the opportunities this offers and wants physicians to be able to handle communication during their work instead of on top of it. One that starts a service so good that it persuades patients to switch healthcare provider. Ask yourself: who wouldn’t like to be able to ask a question digitally during their lunch break instead of having to take a day off?
Zivver tries to assist in realising this service by making sure the technical side is in place. We have already started working with a few healthcare facilities to create a solid and secure email consult. It seems my prediction is something of a self-fulfilling prophecy…
Rick Goud, CEO and co-founder of Zivver
We have described all the steps you need to take to comply with the GDPR in our checklist. This document covers topics such as drawing up a processor agreement, obtaining consent for processing personal data, and the security measures that have to be taken.