By Richard van Staden ten Brink
On June 2, 2009 the Dutch Data Protection Authority (DPA) took enforcement action against four Dutch hospitals because they failed to improve their information security practices.
The enforcement action results from an investigation of the Dutch Health Care Inspectorate (DHCI) in 2004 and a follow-up investigation of the DPA and the DHCI in 2008. In the follow-up investigation, the DPA and the DHCI investigated the information security practices of 20 hospitals. The DPA and the DHCI established that most hospitals had not implemented security policies that corresponded to industry standards such as NEN 7510 and ISO 17799, and that awareness of information security amongst staff members was low. All 20 hospitals were instructed to develop and implement action plans to improve information security or face enforcement action.
The DPA has issued administrative orders to four hospitals that did not improve their information security practices sufficiently. The orders require the hospitals to perform a security risk analysis, to appoint an information security coordinator, and to make a member of their executive boards responsible for information security. The hospitals are required to implement all orders before September 1, 2009. If they fail to do so, the DPA will impose penalty sums ranging from EUR 30,000 to 210,000 per hospital.