End-to-end encryption will not become a legally required standard when exchanging medical data. Outgoing Minister of Health Hugo de Jonge will not implement this in a new law ‘because of the system of the bill’.
De Jonge responds to questions from the Party for the Animals about a bill for the Electronic Data Exchange in Healthcare Act. This must, among other things, determine what requirements there will be in the future for healthcare institutions that want to exchange patient data with each other. The PvdD asked the minister whether he wanted to legislate end-to-end encryption. “Given the system of this bill, end-to-end encryption is not made mandatory in the bill itself,” writes De Jonge. According to him, healthcare providers must adhere to ‘generic requirements that already apply to healthcare providers’. He mentions various NEN standards that prescribe such requirements.
The outgoing minister does say that a NEN standard can possibly be adjusted to record encryption. This would involve minimum requirements for, for example, key lengths or encryption algorithms used.
De Jonge says that patients also do not become the owner of their data. This remains the property of the parties that exchange the data, although they must of course follow the privacy law. De Jonge states that ‘property right can only rest on material objects that are susceptible to human control’, and that does not include data. The CDA minister does not want to adjust the law to this either, while his party did argue in its election program to make data property.