On 22 October 2021, the Belgian Data Protection Authority (GBA) ruled on a complaint about the unsecured connection of a hospital’s website. In doing so, the GBA finally set out some considerations on the security measures needed to protect personal data. Let’s be honest: to this day the term ‘technical and organizational measures’ remains a catch-all that is not clear to companies.
There is plenty of general advice, guidance and commentary, but decisions from the GBA with concrete parameters are still lacking. A quick reading of the GBA’s published decisions shows that only two earlier decisions address the security aspect:
- The first dealt with a flawed identification procedure in which a telephone number belonging to someone else had wrongly been assigned to a third party. This decision, which imposed a fine of 25,000 EUR, has since been set aside on appeal by the Marktenhof (the Market Court).
- The second dealt with the absence of logging of access to a secured database. That omission resulted in a fine of 100,000 EUR.
So expectations for this ‘third’ decision were high.
A hospital’s insecure website
The complaint the GBA dealt with in this decision came from a visitor to the website, who noticed that the contact form was submitted to the hospital over an unencrypted connection. Over such a connection, third parties could intercept the (health) data entered in the form. According to the visitor, the hospital had therefore not taken sufficient technical and organizational measures.
The hospital, for its part, defended itself by stating that it had started a project with ISO 27001 certification as its end goal and that it had concluded data processing agreements with the processors involved. Since the website was linked to its internal systems, the hospital also stated that it used two-factor authentication. Despite these measures, the hospital did seem to acknowledge, once the problem had been pointed out, that a security certificate should have been in place. The form itself was removed from the website.
Considerations from the GBA
Before addressing the substance of the issue, the GBA notes that the complainant had no personal interest, so the file was dismissed. After all, the complainant had only wanted to look up a doctor’s details and had not filled in the online form in question, which meant that no personal data of the complainant were processed. In itself this is an unfortunate conclusion, since it means that vulnerabilities in an organization’s systems will only rarely be reported this way.
Nevertheless, such a complaint, and its effective handling, is in itself an important security measure in the public interest. We refer here to the practice of vulnerability disclosure policies as a recognized security measure. The possibility of reporting, combined with effective complaint handling, offers a valuable counterbalance to the low rate at which companies report data breaches. That said, this is not the main subject of this article.
Despite dismissing the complaint, the GBA did consider it useful to make a number of general observations about technical and organizational measures, in line with its general role of contributing to a high level of data protection. The GBA mainly gives a brief overview of the applicable principles under the GDPR, namely:
- the obligation to take measures that must be constantly evaluated and updated;
- these measures must be risk-based and include, where appropriate, pseudonymization and encryption of data, the ongoing guarantee of the confidentiality, integrity and availability of the processing systems, the ability to respond to incidents and to restore data in a timely manner, and regular evaluation of these measures;
- the principle of increased vigilance when it comes to sensitive data.
In addition to these general considerations, the GBA notes the importance of approved certification mechanisms. Turning to the problem of the contact form, it states that data must be sent sufficiently encrypted from the user’s computer to the server hosting the website with the form, and that this can be done by using a security certificate.
A security certificate, what exactly is it?
To secure communications online, you use an encryption protocol: TLS, or its now-deprecated predecessor SSL. To use TLS on a website you need a certificate. The certificate binds your domain name to a public key and is signed by a party the visitor’s browser trusts, so the visitor can confirm that the website really belongs to the party it claims to be, and the TLS session set up with that key encrypts the traffic so that a cybercriminal who intercepts it cannot read or alter it. It is the combination of authentication and encryption that protects the visitor against man-in-the-middle attacks; encryption without checking who you are talking to would only protect against passive eavesdropping.
You obtain such a certificate from a Certificate Authority (CA), which first checks that you actually control the domain. If a website is served over a secure connection with a valid certificate, the browser shows a padlock in the address bar, in front of the domain name. Clicking on it confirms that the connection is secure and lets you inspect the certificate used. It is very likely that the complainant at the GBA discovered in this way that the connection was not secured.
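To make the identity part of that check concrete, here is an added example (not code from the original article): it implements the subjectAltName matching rules of RFC 6125 / RFC 9525 that a browser applies to decide whether the certificate it received is valid for the host name in the address bar. The certificate is a constructed stand-in and hospital.example is a placeholder domain.

```python
"""Hostname check a TLS client performs before showing the padlock.

Added example: not code from the original article. It implements the
subjectAltName matching rules of RFC 6125 / RFC 9525 over a constructed
certificate; 'hospital.example' is a placeholder domain.
"""

# Constructed stand-in for the parsed certificate a browser receives during
# the TLS handshake; a real one would be decoded from DER. Only the fields
# that matter for the identity check are shown.
SAMPLE_CERT = {
    "subject": {"commonName": "hospital.example"},
    "subjectAltName": [
        ("DNS", "hospital.example"),
        ("DNS", "*.hospital.example"),
        ("IP Address", "192.0.2.10"),
    ],
}


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """Return True if one dNSName SAN entry (`pattern`) covers `hostname`."""
    p, h = labels(pattern), labels(hostname)
    if "*" not in pattern:
        return p == h
    # A wildcard is honoured only as the entire left-most label and only when
    # at least two labels follow it, so '*.example' and 'w*.hospital.example'
    # never match anything.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    # The wildcard stands in for exactly one label: '*.hospital.example' covers
    # 'www.hospital.example' but not 'hospital.example' or 'a.b.hospital.example'.
    return len(h) == len(p) and p[1:] == h[1:]


def hostname_matches(cert, hostname):
    """Decide whether `cert` identifies the server the client wanted to reach.

    Only dNSName SAN entries count; the subject commonName is ignored, as
    current browsers do. A certificate without SANs therefore never matches.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", []) if kind == "DNS"]
    return any(dns_name_matches(pat, hostname) for pat in dns_names)


def verify_report(cert, hostname):
    """Verdict in the spirit of the padlock (OK) or the browser warning page."""
    if hostname_matches(cert, hostname):
        return "OK: certificate covers " + hostname
    return "WARNING: certificate does not cover " + hostname


if __name__ == "__main__":
    for host in ("hospital.example", "WWW.hospital.example",
                 "a.b.hospital.example", "hospital-example.com"):
        print(verify_report(SAMPLE_CERT, host))
```

Name matching is only one of the checks: a browser also verifies the signature chain up to a root in its trust store, the validity period and, where available, revocation status. The example shows why a certificate for hospital.example does nothing for a form hosted on a look-alike domain, and why a wildcard certificate does not automatically cover every depth of subdomain.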
I have a security certificate, but is it sufficient?
In its decision the GBA refers only to ‘using a security certificate’. The question is whether obtaining such a certificate, and thus merely having one, is sufficient.
No. In our opinion ‘using’ a certificate implies a lot of additional measures. To begin with, the certificate must actually be deployed: the website, and in particular the page that submits the form, must be served over HTTPS and plain HTTP requests redirected to it, otherwise the form is still sent in the clear. Beyond that, anyone can technically run a CA and issue certificates; only the CAs that browsers include in their trust stores are accepted, and you have to be certain that your CA is indeed reliable (due diligence is needed) and is itself protected against cyber attacks. A well-known example of a CA that ran into trouble is DigiNotar. Because its software had not been kept up to date, an attacker got into its web servers, obtained passwords and issued 531 rogue certificates. As a result, browsers no longer considered DigiNotar trustworthy, and the legitimate certificates it had issued for other domains were no longer accepted either. Since many Dutch government agencies used DigiNotar certificates, it took all hands on deck to keep their online services available.
Additional measures are therefore necessary. So what can you do? Here are a number of tips:
- Ensure effective certificate management: who is responsible for and involved in requesting, installing and revoking certificates? Which certificates are in use? Who monitors expiry dates and takes care of timely renewal? Who is my CA, how reliable is it and which guarantees do I have? Does the system make it possible to replace certificates?
- Take technical measures to protect the private key that belongs to the certificate, and put solid authorization management in place around it.
- Make use of Certificate Authority Authorization (CAA). This is a DNS record through which you specify which CAs may issue certificates for your domain; CAs are required to check it before issuing.
- Make use of Certificate Transparency (CT) logs to periodically check whether any certificates were issued for your domain that you did not request.
- Do a regular check of your TLS configuration, e.g. via Qualys SSL Labs.
- Finally, make sure you have a plan that allows you to revoke and replace compromised certificates as quickly as possible.
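The CAA and CT tips above are two halves of one control: CAA states in advance who may issue, and CT lets you check afterwards whether anyone else did. The following is an added example, not code from the original article or from any CA or log operator. It implements the CAA lookup of RFC 8659 over a constructed in-memory zone and then uses the resulting policy to flag entries from a constructed Certificate Transparency query that no authorised CA should have produced. Domain names, CA identifiers and log indices are illustrative; in practice the zone lookup would be a live DNS query for record type CAA, and the entries would come from a CT log or an aggregator such as crt.sh, with each issuer mapped to the CAA identifier the CA publishes.

```python
"""CAA policy evaluation plus a CT-log sanity check.

Added example, not code from the original article. It implements the
RFC 8659 lookup over a constructed zone and audits constructed CT entries
against it. Names, CA identifiers and log indices are placeholders.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS: name -> list of CAA records (flags, tag, value).
# Real data would come from a resolver query for RR type CAA (257).
ZONE = {
    "hospital.example": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),          # ';' alone: nobody may issue wildcards
        (0, "iodef", "mailto:security@hospital.example"),  # where CAs report refusals
    ],
    "legacy.hospital.example": [
        (0, "issue", "digicert.com"),   # a subdomain's own set overrides the parent's
    ],
}


def find_caa_rrset(name):
    """RFC 8659 section 3: walk up the tree and return the closest CAA set.

    An empty list means no CAA records exist at or above the name, in which
    case any CA may issue.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca, wildcard=False):
    """Decide whether the CA identified by `ca` may issue for `name`.

    For wildcard requests the 'issuewild' records take precedence; if there
    are none, the 'issue' records apply (RFC 8659 section 4.3).
    """
    rrset = find_caa_rrset(name)
    if not rrset:
        return True
    for flags, tag, _ in rrset:
        # Critical flag (bit 128) on a tag the CA does not understand: refuse.
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True   # CAA set exists but restricts nothing for this request
    # Keep only the issuer domain; parameters after ';' are policy for the CA.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    allowed.discard("")   # a bare ';' contributes no permitted issuer
    return ca.lower() in allowed


@dataclass
class CTEntry:
    issuer_caa_id: str   # CAA identifier of the issuing CA (mapped from its issuer DN)
    names: tuple         # dNSName SANs in the logged certificate
    log_index: int


# Constructed CT entries, as a query for %.hospital.example might return them.
# Under the policy above, entries 103 and 104 should never have existed.
CT_ENTRIES = [
    CTEntry("letsencrypt.org", ("hospital.example", "www.hospital.example"), 101),
    CTEntry("digicert.com", ("legacy.hospital.example",), 102),
    CTEntry("examplecorp-ca.example", ("www.hospital.example",), 103),
    CTEntry("digicert.com", ("*.hospital.example",), 104),
]


def audit_ct_entries(entries):
    """Return log indices of certificates that violate the domain's CAA policy."""
    suspicious = []
    for e in entries:
        for n in e.names:
            wildcard = n.startswith("*.")
            base = n[2:] if wildcard else n
            if not ca_may_issue(base, e.issuer_caa_id, wildcard=wildcard):
                suspicious.append(e.log_index)
                break
    return suspicious


if __name__ == "__main__":
    print("Entries to investigate:", audit_ct_entries(CT_ENTRIES))
```

Two caveats follow from the code. CAA is enforced by the CA at issuance time, so it does not help once a CA is itself compromised, as in the DigiNotar case; that is why the CT audit belongs next to it as the detective control. And a flagged entry is not necessarily an attack: a colleague may simply have ordered a certificate from a CA that is not in the policy, which is exactly the kind of gap the certificate-management questions in the first tip are meant to close.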