
360º Security: Ensuring the viability of more than 295 applications

Customer

Health Information Systems Security Office (OSSI) under the Madrid Health Service (SERMAS) of the Ministry of Health of the Community of Madrid (CSCM).

Sector

Digital Health

Capabilities used

  • Technical and legal staff to perform a 360º analysis of the applications to be put into production.
  • Software for static and dynamic vulnerability analysis.
  • Questionnaire on relevant aspects related to data protection and information systems.
  • Parameterization of applicable controls.

Situation

In 2016, OSSI was notified of the existence of applications in the Department of Health that had been installed without any type of restriction, which made the organization more vulnerable to failures and attacks, as well as to regulatory non-compliance, all the more so in a sector as sensitive as healthcare, whose data has such a high value on the black market.

In this context, the aim was to give effect to the General Data Protection Regulation 2016/679, of April 27, 2016, and its principle of proactive responsibility, which translates, among other things, into implementing adequate controls to mitigate risk and into privacy by design, understood as applying data protection guarantees from the initial planning phase of any technological development. It also implies privacy by default, understood as applying measures to ensure that only the data necessary for the intended purpose are processed.

To this end, for each new information system project, an initial document must be created that defines the scope and purpose of the data processing and the security measures, providing the basic information needed to assess the viability of the application.

Additionally, the First Additional Provision of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights, states that Public Administrations are obliged to implement and comply with the provisions of the applicable National Security Scheme (ENS).

Tasks

OSSI has developed an analysis methodology based on carrying out a "Preliminary Application Feasibility Analysis" (AVA), which examines the application in advance in order to detect basic problems that could arise in the future and to determine its preliminary feasibility (or lack of it), giving the responsible party the opportunity to solve the initial problems that have been detected.

The AVA includes a series of specific questions aimed at gaining in-depth knowledge of the functionality of the application, as well as of the specific security measures provided for in the ENS and the GDPR.

In this document, in addition to the technical specifications for implementing an application, an additional review is made from a data protection perspective, in order to verify that the organization that has requested the installation of an application has provided prior notification.

Based on the information provided, OSSI issues a series of recommendations aimed at ensuring that the application has the measures necessary to guarantee compliance with data protection and information security requirements. The recommendations issued are subsequently validated and signed by the CSCM's Data Protection Delegate Committee, in accordance with the supervisory competencies the GDPR assigns to it.

This methodology is intended to be an effective and preventive privacy control from the design stage, taking into account that no application will be installed in the CSCM without the approval of the OSSI and the CSCM's Data Protection Delegate Committee.

Action

OSSI issues a series of legal and technical recommendations on the information systems under analysis, so that the responsible organizations can incorporate the proposed improvements or compensatory measures before putting them into production.

If deemed necessary, meetings are held with the relevant participants to clarify any aspects considered significant.

During the analysis it is common to request corrections because of missing information, or even to determine that the system is not viable.

Currently, given the technological advances driven by the exceptional situation of COVID-19, the number of analyses of applications that involve advanced technologies based on Big Data, IoT and AI has increased substantially. This has involved, among other things, supervising anonymization processes to ensure that the anonymization of the data is irreversible.

Likewise, with the invalidation of the Privacy Shield, the number of applications lacking the guarantees required for international data transfers has increased, making a detailed analysis of these applications necessary.

Result

The legal and technical control carried out before putting applications into production has made it possible to:

  • Implement actions aimed at privacy by design.
  • Improve overall data protection compliance by updating or re-signing "Data Processor Contracts" with suppliers and personalized "Confidentiality Agreements", in compliance with the European General Data Protection Regulation and other legislation in force.
  • Adapt the technical requirements of the software to the real needs of the CSCM organizations.
  • Control possible security breaches in the installed Information Systems by performing the corresponding vulnerability analysis.
  • Centralize and update the inventory of applications that make up the CSCM framework.
  • Discard applications that, due to their characteristics and features, could put the organization's information at risk.
  • Increase collaboration between CSCM services and organizations, optimizing resources and systems administration.