What has this thesis pointed out?

With the theoretical background and the introductory chapter of this thesis, we have seen an increasing digitalisation in how information is being shared.

The first chapter of this thesis provided us with a global background on the increasing digitalization which led to more possibilities in the sharing and mining of information. The example of the first correlation between datasets provided this research with an introduction to trends that would be able to provide new insights. They, however, also made us aware that in order to make use of the correlations, causations of the results would still need to be closely monitored in order to be adequate. The innovations that followed as a result of these trends, introduced a whole new field now known as Big Data and Analytics. The increasing information intensity in the everyday life of citizens, organizations and workplaces, indicated that the use of technology in all aspects of everyday life, and the ability to share, store and receive this digital data was turning into a concept that would have an increasing impact in society. The increasing information intensity in combination with the innovative solutions that Big Data and Analytics could provide, turned into the optimisation of systems in all kinds of sectors. In this thesis, the case of the EPD and the LSP has been emphasized upon to provide an insight in how innovation of a sector is making use of Big Data and how the Dutch government has played a role in its implementation. With the introduction of the EPD and the LSP, this thesis has pointed out that the implementation of new information sharing systems goes hand-in-hand with various risks. These developments composed in the main results of this thesis.

Main results

In order to be able to answer the main research question, the three sub-questions need to be answered which each emphasize an important aspect of the main research question.

The first sub-question was formulated as: How is the current policy set up and what are its effects on medical privacy?

In chapter three of this thesis we have indicated that in order to research the effects of the current policy on medical privacy, an initial look into the outline of the current policy is necessary. As a result, this thesis has analysed the existing legal framework regarding the Dutch healthcare system. The outcome of this analysis has indicated that the core legislative principles regarding medical privacy are

set out in the Wgbo and the Wbp. The analysis also argues that the controversial authorization model used in the LSP, is not restrained/prohibited in the current legislation. This suggests that when patients provide their permission to healthcare providers in order to access their medical files, they have no control over the scope of healthcare providers who will then have access to their files. There is, however, a control function available to see who has had access to the log files. This is only possible in retrospect. In conclusion, the current policy allows for the authorization system to only require generic authorization from the patient in order to access his digital file. Explicit as to who (physician) has access to the file, generic as to what will be done (e.g. shared with 3rd _parties)

with the data. This can have a great negative impact on the medical privacy of the patients. The second sub-question was formulated as: Which Big Data technologies are being used and how could they lead to privacy infringements?

The formulation of this second sub-question allows us to look at to what extent the LSP system makes use Big Data technologies. In order to do so, chapter four analysed the use of technology in Dutch healthcare. One of the main technological systems that allows for the digital exchange of medical data is the LSP. The technologies used in the LSP were analysed by focussing on two issues provided by the Privacy Technology Focus Group of the US Department of Justice. These two issues assess the potential privacy infringement characteristics by linking them to Big Data aspects in the LSP system.

The first category focusses on the Access and Authentication methods. Chapter 4.2 provides an overview with the analyses of access and authentication mechanisms used in the LSP. Healthcare providers are able to access digital patient records by making use of data structure which contains information required by the LSP to verify the authenticity of the request. This mechanism is referred to as a ‘token’. One of the main risks of using the token authentication mechanism, is that the system is not able to verify incoming authentication requests separately. The system is therefore not able to determine if a request is made legitimately by a healthcare professional or an intruder, using malicious software, sending requests directly from a remote location. As a result, this would mean that any intruder, who can successfully position a malicious code in the LSP, is able to obtain any patient records from any decentralized information system connected to the EPD without being questioned.

The second category focusses on the Aggregation and Dissemination of data. In the LSP the process of data aggregation and dissemination is carried out by coupling decentrally stored patient records with the LSP system. This allows Dutch healthcare providers to find and retrieves the digital patient records. The references that are needed to find these records are registered in the central reference index (ZIM). This central component is required for the functioning of the LSP and is used for aggregation and dissemination of the EPD requests. The ZIM is legally designed to keep historical information regarding the transport of messages and the access of records for a period of 15 years. The ZIM is therefore designed to be restored to a previous state in which it can provide historically used and even removed data. Complete removal of information is therefore almost impossible, making the LSP and its systems, a large and vulnerable database of sensitive information. By applying the right analytical tools, a successful attack on the LSP systems would mean a big risk of privacy infringement because a large volumes of medical information would then be accessible.

The third sub-question focusses on the governmental instruments available to protect healthcare information. Which government tools have been applied and how have they impacted healthcare information protection?

In order to answer this final sub-question, this thesis provided an overview of the policy development followed by an assessment of the applied government tools. This assessment selected the three main tools which indicated four important steps in the policy process which negatively impacted the protection of healthcare information. The main government tools were identified are:

1) Command and Control Regulation 2) Government Reorganization

3) Information Monitoring And Release

The impact these tools have had can be determined from several aspects. The first tool, Command and Control Regulation, has been applied in two separate occasions in the policy process. The first use of this instrument was detected with the introduction of the “Information provision in healthcare Bill”. By making use of control regulation, the Dutch government attempted to overcome legislative inertia. The implemented control regulation did allow for better coordination of government efforts and planning in order to address a societal issue but did not take into consideration the risks regarding the medical privacy that are linked with the set-up of the LSP. The neglect of medical privacy risks had a deep impact in the policy process and, as a result, a national EPD has still not been realized.

The second use of the Command and Control Regulation instrument was detected when the Dutch senate mandated the discontinuation of the national EPD. Once again, the Dutch government used its legal powers in order to confront a public issue. After many criticisms from various parties, the Dutch government shifted responsibilities in order to push through the LSP. In 2010, the Dutch senate concluded that the regulations that the Dutch government attempted to push through were inflexible and did not permit the consideration of individual circumstances. Therefore, the Dutch senate voted against the implementation of the LSP. The heavy pressure that was put on the government, forced them to take action and control a regulation that would have had a negative impact on societal behaviours such as civil rights in the form of personal privacy.

The use of the instrument Government Reorganization was detected when the Ministry of VWS financed the creation of Nictiz in 2002 and later revoked the management and supervision back from Nictiz to the VWS. The shifts in authority the Ministry of VWS was able to make indicated that they had the capacity and autonomy to set their own direction. By implementing the reorganization, the government attempted to push their agenda regarding a national EPD despite the fact that several institutions and individuals had criticised the privacy regulations. Therefore, a continuation of the implementation of this governmental tool, would have had a negative impact on the protection of medical privacy.

The application of third instrument was detected in 2008 when the VWS released an information campaign. By applying the instrument ‘Information Monitoring and Release’, the Dutch government intended to inform the citizens about the LSP in order to gain social

consensus. The information campaign was followed by a mandatory participation and registration to the EPD which resulted in a lot of criticism because the raised privacy risks were still not resolved. This mandatory participation and registration in a national EPD, together with the uncertainty of privacy protection, led to heavy criticism. The impact of this method was that people did not know how, to what purpose, and by whom their data would be used. Participation in a national EPD would therefore feel as a direct infringement of their privacy, which they were forced to by their own government.