08.09.2017 | Thomas Kessler

Information Security for the EPR Connection


When a healthcare facility joins an EPR master community, and thus the national EPR trust organization, this has consequences for its internal processes and systems. This article highlights the need for action, particularly in the area of information security.

Hospitals and care homes must join an EPR community by 2020 and 2022 respectively. They will thus become part of the EPR trust area, the rules of which are determined by law and implementing legislation.

In this first phase, the aim is to connect the hospital or care home to an EPR master community in the sense of undirected communication with patients and other facilities such as hospitals, doctors’ surgeries or pharmacies. The hospital or care home becomes a supplier of data to, and a recipient of data from, the other institutions that participate in the EPR trust area. In the medium term, new B2B business processes that the electronic patient record simplifies, or makes practicable in the first place, can also be defined and introduced on this basis. In the long term, the EPR will also have repercussions on the internal systems and processes of the healthcare facility. Illustrative examples would be the use of the national patient identification number (PID) within the hospital or the use of an EPR authentication tool for logging into the clinical information system (HIS).

The Confederation will provide a number of central services, of which the national directory of all healthcare professionals (HPD) is particularly important. Other infrastructures such as the regional patient directory of the community (MPI), the document directory (registry) and the access portals for patients and healthcare professionals will be set up and operated by the operators of the EPR master communities. However, they will also delegate various tasks and processes relating to the EPR to the participating healthcare facilities such as care homes and hospitals. It is important for them to play an active role in this distribution of tasks and to implement the tasks assigned to them in good time.

Relevant aspects

Information security will play a part in determining the hoped-for success of the electronic patient record. Security requirements are therefore an important element of regulation at the federal level, at the level of the master community and within the healthcare facility. The aspects of information security in the EPR that are particularly relevant for nursing homes and hospitals, and the operational areas affected, are listed below:

  • Patient administration: patients who wish to use the EPR must be registered in various directories and provided with secure means of identification, similar to e-banking. This will affect patient administration. For large hospitals in particular, the question arises as to whether they want to play an active role in the processes for EPR onboarding and, for example, offer legally compliant patient information as a service. As a minimum, each institution will have to consider how it will synchronize its own patient data with the patient directory of the community (MPI).
  • User and authorization management: Each healthcare facility must clarify which healthcare professionals and auxiliary persons should have access to the EPR. In addition, the management of groups of healthcare professionals must be regulated, as access authorization in the electronic patient record is essentially based on a practicable group concept. This information must be compared with the national federal register (HPD) and the identity provider (IdP) and updated on an ongoing basis. The existing internal system for Identity and Access Management (IAM) in the hospital or care home must be expanded accordingly. See also the RACI table below for a possible distribution of tasks between the participants in a master community.
  • Login to the IT systems: The EPR requires so-called strong authentication of healthcare professionals with two factors. Even if the infrastructure of an external identity provider (IdP) is used for this purpose, consideration should be given to whether and how the EPR authentication solution should be linked to the hospital’s internal login systems. In this context, the question also arises as to whether a healthcare professional employed by the hospital should only have access to the EPR at the hospital workstation or whether they should also be allowed to use other (in particular private) devices. Such context-dependent access control is not currently prescribed by the EPR legislation, but is recommended from an information security perspective.
  • IT system operation: IT components operated by the hospital itself that belong to the EPR trust area must meet the basic protection requirements defined by the EPR implementing legislation. This applies in particular to any local EPR document repositories and all internal workstations with access to the electronic patient record.
  • Security organization: The communities will establish a DSDS officer for the management of data security and data protection. Together with the EPR operator, this person will also drive forward the processes for identifying and handling security incidents. However, it is important that the security officers of the participating healthcare facilities are also included in the community’s security organization, for example by sitting on an overarching security board.

What needs to be done?

Hospitals in Switzerland still have a good two years to join an EPR community. In view of the many questions that need to be clarified, this is not much time. Most master communities are currently in the start-up phase, and various questions, including fundamental ones, have not yet been definitively clarified. Nevertheless, management should already be taking a concrete look at how the EPR connection will be approached, what role their own organization should play in the community and how the EPR will affect internal systems and processes. Active development work by all participants is essential for every community and offers the best guarantee that the community will ultimately form a coherent whole for all participants.

[Figure: RACI matrix for the EPR connection. Caption: RACI table for user and rights management in an EPR master community]

Note: This article was also published in the magazine HEIME & SPITÄLER 5 | DECEMBER 2017.


About the author
Thomas Kessler, Partner, Managing Security Consultant