On Monday, February 18, the magazine Computer Sweden found 2.7 million recorded phone calls to 1177 Vårdguiden on an open web server on the internet, without password protection or other security. The calls had been made through the company Voice Integrate Nordic AB, a subcontractor to the Thailand-based Medicall. Medicall is a subcontractor to the healthcare contractor Medhelp, which receives calls via 1177.
see the digitisation of the healthcare sector today. In the face of health care, we are all naked. We seek help for ingrown toenails, flu, depression, cancer and alcohol dependence. The nurses at 1177 get to know our darkest secrets.
This time the event ends in sharp criticism from various quarters: politicians, lawyers, security experts, and others. But also in a police complaint against Computer Sweden. They choose to shoot the messenger. What happened? Someone plugged in a cable. A mistake. That can happen to anyone. No harm done. Or? Wow. Oh, crap.
If the responsible caregiver Medhelp had followed the rules and conducted regular follow-up of the protection of the calls, the situation would never have arisen. Detailed regulations and guidelines from both the National Board of Health and the Data Inspection Board describe how work with this type of system should be conducted. The business has the primary responsibility and must therefore also take responsibility for reviewing its subcontractors, not just trust that what they say matches reality.
The danger now is that we are content to let Medhelp bear the brunt of what has happened. It is easy to find someone to blame, point the finger and move on. But outsourcing does not mean transferred responsibility, only transferred execution. Let us hope that the demand for real accountability from politicians, civil servants and the purchaser begins in earnest once the worst of the dust has settled this time.
and measures that protect information and information systems from unauthorized access, use, disclosure, disruption, modification, review, playback, or destruction. If you choose to let someone else take care of the digital environment, the same requirements need to be imposed on the supplier. And followed up!
In the present case, we note that if personnel can, at their own discretion, connect devices holding sensitive information directly to the internet without any safeguards, and without anyone knowing how, when, or why, then the business has problems with both processes and decisions. The supplier seems to lack any form of structured change management, a basic part of IT security work.
Developing society’s information security is not just about dealing with incidents but, above all, about learning from the incidents that have occurred. It is therefore of the utmost importance that an independent investigation is made of what happened, how it could happen and how to prevent it from happening again. To put it nicely, it is totally inappropriate for a supplier that is, in this case, obviously technically incompetent to investigate its own failure. There is an imminent risk that the supplier negligently destroys important forensic evidence.
in both public management and other frequently used services because of breakdowns at the suppliers of IT operations, infrastructure and applications. We have reason to be upset that information is lost, that systems do not work, and that the authorities are not able to set and follow up relevant requirements. Had these been physical incidents, the Swedish accident investigation authority would have been called in long ago.
Trust is today one of the most significant components of our digital world. As technology connects more and more of our lives at an increasingly rapid pace, it is how suppliers manage that trust that determines the success of digital interactions.
Everything we do today is connected to the internet. We use the network for everything – health care is no exception. You can be very good at answering the phone, but if you are going to record calls containing sensitive information and save them digitally, you must also be proficient in how modern technology works in order to protect the information. If you do not know, listen to the available experts, and use the standards, advice, and recommendations that have been developed to support you in the process.
An estimate from 2017 shows that 85 per cent of a business’s assets are digital, so it should not surprise anyone that user acceptance and goodwill are directly linked to how information security is managed in the business. If we have sensitive information that needs to be transported via the internet, we need to know how best to protect it. If we do not intend to do it ourselves, we must demand that the suppliers we choose are able to use the technical standards and methods available for availability, information protection, and systematic information security work. And follow up.
There is much to say about what happened. Regardless of where legal responsibility lies, our politicians and public authorities have the responsibility to set relevant requirements, select suppliers who have the basic skills and verify that the requirements are met, through the entire chain.
Sweden should become the best in the world at using the possibilities of digitisation. Swedish public administration should become simpler, more transparent and more efficient through increased digitisation. Governance has, however, been short-term and marked by the lack of a holistic approach. Then it will not get better than this.
Security is a bad place to cut costs – what we have seen in the past week was probably a cheap deal for Medhelp and 1177 Vårdguiden, but definitely not a good one. It was not cheap for the politicians either, since trust in society's digitisation has been damaged, and it was certainly not cheap for the end users, who have no choice but to trust that things will turn out well.
The health service’s lex Maria imposes an obligation to report, follow up and systematically learn from deficiencies. It has been followed by lex Sarah, after the care scandal in the 90’s. Now we make the same mistakes again. It is time to act; we cannot continue like this. Not if we are to become the best in the world.