
IT audit follow-up report: "How to protect personal data in primary health care processed within automated information systems?"

March 27, 2019

On March 27, the Court of Accounts of the Republic of Moldova examined the Report of the follow-up audit of the IT audit: "How to ensure the protection of personal data in the field of primary health care processed within the automated information systems?".

The Supreme Audit Institution, concerned with improving the protection of personal data processed in the information systems in the field of primary health care (PHC), including the implementation by the responsible entities of the requirements and recommendations submitted by Decision of the Court of Accounts no. 48 of 05.12.2016 (issued as a result of the audit mission carried out in 2016), performed the respective follow-up mission.

The purpose of the Court of Accounts' mission was to assess the actions undertaken by the entities concerned by the Court's previous audit in order to comply with the requirements and recommendations submitted by the Decision and their effect.

The scope of the mission was the actions undertaken during the period 2017-2018 (the reference period) by the entities referred to in the above-mentioned Decision of the Court of Accounts, namely: the National Center for the Protection of Personal Data (NCPPD), the Ministry of Health, Labor and Social Welfare (MHLSW), and the Public Medical Sanitary Institutions (PMSI) AMT Center, Primary Medical University Clinic and Balti; audit evidence was also collected from 9 other PMSI providing Primary Health Care services.

The results of the verification mission show a slight improvement in the situation, and some resolving measures taken by decision-makers of the authorities concerned, such as:

NCPPD:

- has drafted and submitted in the established way draft legislative acts related to personal data protection, two of which (the draft Law on Personal Data Protection and the draft Law on the National Center for Personal Data Protection, which transpose the provisions of the European Community Law in the field of personal data protection) were approved at first reading at the end of 2018 in Parliament's Plenary;

- elaborated with the support of the experts from the Twinning Project some drafts of internal normative acts correlated with the provisions of the new laws in the field, which regulate the basic activity of NCPPD;

- has developed and placed on the website of the institution the Guide on the procedure for registration of operators and personal data record systems;

- has provided consultations and training in the field to MHLSW and medical institutions in order to familiarize them with the provisions of the normative framework on the protection of personal data.

MHLSW:

- elaborated a series of regulations governing activities in the SIA AMP (System Operation and Usage Regulations, Security Policy and Personal Data Protection);

- has concluded / revised the necessary agreements with the National Health Insurance Company (CNAM) and the CRIS Registry to provide data exchange between the Automated Information System for Primary Health Care (SIA AMP) and the Information Systems (IS) held by them;

- with the support of the developing company, eliminated some shortcomings related to the operation of SIA AMP, etc.

At the same time, the actions undertaken at the beginning of this year (identifying the authority responsible for the administration, maintenance and development of the System - CNAM; initiating the adjustment of the regulatory framework related to the functioning of the System; and starting authentication in the System through the electronic signature - MPass, one of the basic conditions for the protection of personal data) create the necessary prerequisites for eliminating the shortcomings and malfunctions found by the Court's previous audit and for achieving the expected impact on the protection of citizens' sensitive personal data and information security.

Similarly, as a result of the audit procedures carried out, it is concluded that during the period 2017-2018 the medical institutions audited during the previous mission of the Court of Accounts (AMT Centru, University Clinic, CMF Balti) carried out a series of actions aimed at ensuring compliance with the provisions of the normative framework related to the protection of personal data and at eliminating certain shortcomings found by the previous audit, including: elaboration, adjustment and enforcement of the data protection and information security policy; registration in the Register of Evidence of personal data controllers held by the Center; and strengthening of the general IS controls used in the PHC service delivery process.

At the same time, the follow-up mission reveals that, although some measures have been taken, they have not fully achieved the implementation of the requirements and of the forwarded recommendations, which caused the problems and deficiencies found by the previous audit to persist during the reference period.

Thus, it is emphasized that, given the sensitivity and volume of personal data processed in the medical field, especially through information systems, NCPPD, in its capacity as guarantor of the protection of personal data, is to intensify its activities in order to ensure adequate control over the protection of citizens' data.

MHLSW is also expected to deliver a single strategic vision of process automation in the medical field, in order to avoid the implementation and fragmentation (at PMSI level) of information systems that are neither interconnected nor compatible, which generates additional maintenance and development costs as well as major risks to the confidentiality of citizens' processed data. In the same vein, it is necessary to strengthen the joint efforts of MHLSW and CNAM in order to strengthen the IT controls of the SIA AMP, implemented at national level, so as to ensure its full compliance with the requirements of the legislative framework.

In the context of the above, the follow-up mission offered a series of recommendations and solutions to the target entities, in order to eliminate the identified deficiencies and failures and to ensure the impact of the policy in the field of personal data protection.