The Ministry of Justice's Privacy Protection Bureau released its first policy on patient medical privacy earlier this week.
The new policy document aims to strengthen patient privacy by introducing new regulations on the transfer and use of patient data.
The new policy targets recent innovations in data transfer that complicate patient privacy, such as sending medical information via WhatsApp, Gmail, Telegram, and Signal.
Despite the convenience these technologies provide, transmitting or storing medical information using software or devices not intended for that purpose poses significant challenges to patient privacy. This raises concerns about information security.
Patient privacy protection
The document states that the transfer of health information through unspecified means carries various risks to privacy.
These include, but are not limited to, the risk of data breaches, inadvertent disclosure of information due to human error, theft of sensitive information, and the risk of misuse by commercial companies providing the infrastructure for information transmission.
The policy tries to address these issues by ensuring that employees reduce, to the extent possible, the use of non-designated software (such as WhatsApp and Gmail) to transfer personally identifiable medical information, and that they avoid storing personally identifiable patient information on personal devices.
Health care institutions are required to make every effort to omit personally identifiable information such as names, ID numbers, facial images, and other images that could identify patients.
The document recommends against storing data on private and unspecified cloud backup services such as Google Drive or Dropbox.
It also recommends stronger security protocols, such as the use of strong and complex login passwords for devices, two-factor authentication, and biometric authentication.
Organizations that use non-designated software should establish clear internal policies regarding storage and transfer of health information, including periodic deletion of information, policies for using device login passwords, and controlling access privileges to information.