Data security and GDPR are an important part of our DNA

Published on 3rd March, 2019 by Lyng Salling
At Emento, we work to create the foundation for good communication between the citizen and the public sector. One of the prerequisites for good communication is trust, and when it comes to digital communication, a large part of that trust lies in the confidence that data is handled in an appropriate and respectful manner. We therefore have a constant focus on ensuring that our services meet the applicable standards for good IT practice, including GDPR. Because trust is a large part of the DNA of our service and business.

Collaboration with REVI-IT

With the help of Væksthus Midtjylland and their entrepreneurship program, we have therefore entered into a collaboration with the state-authorized auditing company REVI-IT, as we want our IT security profile to be quality assured by the best in the market. REVI-IT has extensive experience in advising on regulatory matters (Data Protection Act/GDPR, Health Act, etc.), IT process frameworks (ISO 2700x, ITIL, etc.), IT governance and IT management consulting.

3 questions for the expert

In this connection, I have asked Martin Brogaard Nielsen, IT auditor (CISA, CIPP/E, CRISC) and CEO of REVI-IT, three questions to get him to elaborate on some of the conditions that apply in particular to public IT systems.
1. How do you improve IT security in the healthcare sector?
"Healthcare is an industry that is, if anything, regulated by laws and standards on how the sensitive information of all of us is processed, stored and what it is used for. While I know that all healthcare professionals are very concerned about protecting health data, there is still a need for a boost in overall IT security, which we see when we as auditors visit both healthcare professionals and suppliers to healthcare professionals. There are many of the latter, and the forest of suppliers to the healthcare system is perhaps an excellent place to start; that the healthcare system is conscious of setting requirements for its suppliers that IT security is high and demonstrable."
2. How can an ISAE 3000/ISAE 3402 declaration act as a seal of approval?
"Both declarations can, in their own way, act as a kind of quality stamp, because it indicates that there has been an independent audit of, for example, how a supplier to the healthcare sector complies with the data processing provisions of the GDPR, or whether the principles of ISO 27001 are complied with. An independent auditor has thus ensured that the organization, company or a specific service has had a series of visits to review policies, procedures and take a number of random samples to see if things are actually happening as promised. One thing is what is stated in a contract between, for example, a health center and a supplier, another thing is whether the supplier actually has a contingency plan ready in case of a data breach, has monitoring of system logs, has control over who has access to data, etc."
3. We must expect that both the threat landscape and IT security requirements will continuously change. How can ISAE processes help ensure IT security in the future?
"GDPR, ISO standards and related ISAE declarations are no guarantee that errors, data loss, hacker attacks, etc. will not occur, but they are proof that there are structured workflows; that there is proof that an organization actually has documented processes to comply with the legislation and standards that you as a player in the healthcare system must comply with. The future will undoubtedly bring other and greater cyber-related risks, and we will also undoubtedly see healthcare as an industry becoming more and more regulated by law. Being able to prove that work processes, and thus the level of security that is required and desirable, are in place is set as the bottom line, so we must probably consider it to be here to stay."
High and provable IT security is something that Martin mentions several times during my conversation with him. The importance of this is therefore even more apparent to me now, and it will clearly continue to be an important part of our DNA here at Emento in terms of building and maintaining trust between us and our customers and users.
Author: Lyng Salling
Lyng has internal responsibility for data security and personal data protection at Emento. She works with our external adviser in this area, DPO Danmark. If you have questions about ethics and data protection, Lyng is always ready to have a chat about it.
If you would like to know more, you are very welcome to send an email to lyng@emento.dk
