Following his order to the Ministry of Health to take organizational, technical and personnel measures for the protection of personal data in the context of the Integrated Health Information System (ISIS), the Commissioner for Information of Public Importance and Personal Data Protection has been informed by letter of the Minister of Health that the Ministry acted on his orders and implemented a security system which eliminated the deficiencies previously indicated by the Commissioner.
The Commissioner had repeatedly highlighted, on several occasions starting in October 2016, the serious and rather concerning deficiencies in the protection of personal data within ISIS. In addition to several warnings addressed to the Ministry, the Commissioner also warned the Government of the Republic of Serbia and informed the public about all of this.
According to the documentation it has submitted to the Commissioner, the Ministry has, acting upon his order, replaced the dysfunctional, bad and risky "security" measures by assigning new e-mail addresses to all institutions using ISIS within the "My Doctor" system. It has assigned new, specially structured passwords for accessing the system to the persons within those institutions who have access to ISIS, subject to the requirement that such persons change the password when they first access the system. The new passwords have been sent, with the use of encryption, to the users' new addresses within the "My Doctor" system. The Ministry of Health has prepared a Guide for the Use of Official E-Mail Address of the Institution and the Procedure for Handling the User Account and Password for ISIS users, which determine the manner of using them and stipulate the liability for keeping them confidential.
The Commissioner expects the Ministry of Health to ensure permanent, serious control over the functioning of the measures taken, given the exceptional, indisputable importance of protecting the personal data of patients and medical professionals from unauthorized access or misuse, which is highlighted not only in the Law on Personal Data Protection, but also in the Law on Patients' Rights and the Law on Health Insurance.