Medical Data Security: Spain Has Problems, Too
Over on AlertBoot, Sang Lee followed up on one of my posts to databreaches.net:
After finding a tiny story about data breaches in Spain at databreaches.net, I decided to look into the situation since the article it referred to was quite unsatisfying. Turns out that the issue caused quite a stir in Spain, with over 156 articles, according to Google News. The issue is somewhat removed from data encryption software: it tends to center around patient information security on paper, although some articles mention the loss of patient information via eMule in the past (but only as a token data breach reference).
Here are just some of the findings he compiled from numerous sources he tracked down:
A recent survey was conducted on the state of patient information security in Spain, and things look pretty grim. Since I didn’t know anything about Spain when it comes to information security, I’ve laid down the interesting points as I’ve found them:
- Spain has a data protection law (Ley de Protección de Datos) and a data protection agency (La Agencia Española de Protección de Datos – AEPD). The law went into effect eleven years ago
- 64% of public hospitals do not comply with said law, not including hospitals in Madrid, Cataluña, and País Vasco (these are autonomous regions and have their own processes for handling information security, and hence did not participate in the survey). Only 15% of private medical establishments are not in compliance
- Nearly 40% of public hospitals do not have a log of who accessed health information, compared to 15% of private hospitals
- 30% do not have a method to prevent loss of data while being transported (public only?)
- 35% do not have a method to prevent access to health information (ibid)
Read more on AlertBoot, and kudos to SangLee for getting us more info on this and then sharing it.