Profile: healthcare worker
This is a context profile for healthcare work. As a doctor, psychologist or social worker you have extra obligations around patient data, confidentiality and incident reporting.
Who this guide is for
This profile is for doctors, nurses, psychologists, therapists, social workers, and other professionals who work with patient data, confidentiality obligations, and incident-reporting duties. The healthcare sector is a primary target for cybercriminals, and your obligations go beyond technical measures alone.
Use this as an additive profile. Choose your base profile first, then apply this healthcare context to devices, communication and files.
The main question here is not “which app is most private?” but: which choice is defensible when patient data, professional confidentiality and reporting obligations are at stake?
When this is overkill
If you do not handle patient data, special-category health information, or professional confidentiality in your work, you probably do not need the healthcare-specific layer. This profile matters when the legal and professional stakes are materially different from ordinary office work.
Legal framework
Medical professional secrecy
Your duty of confidentiality is legally protected. Patient data may not be shared without consent — not with family, not with colleagues not involved in the treatment. The specifics vary by jurisdiction, but the principle is universal in professional healthcare ethics.
Data protection law (GDPR in Europe)
Health data is a special category — the highest level of data protection. Data breaches must be reported to the relevant supervisory authority within 72 hours, and under certain circumstances to the affected individuals as well.
Sector-specific standards
In the Netherlands: NEN 7510 (information security in healthcare) is effectively mandatory for healthcare organisations. The updated NEN 7510:2024 was published in December 2024; certified organisations have until February 2027 to complete the transition. The standard specifies requirements including access control, logging, encryption and incident response. In other countries, similar standards apply (ISO 27001/27799, HIPAA in the US).
Regulatory oversight
Healthcare regulators can take enforcement action after incidents. Data breaches at healthcare providers are taken seriously.
Threat analysis
Ransomware is the primary threat
Hospitals and healthcare organisations are disproportionately targeted by ransomware. The clearest Dutch example: Maastricht University Medical Centre in December 2019 — the hospital paid €200,000 in bitcoin to restore its systems. OLVG Amsterdam received a €440,000 fine from the Dutch Data Protection Authority (AP) in 2021 for years of inadequate protection of medical records. Criminals know that hospitals cannot wait: treatments continue, systems must be available quickly. They demand higher ransoms and receive payment more often than in other sectors.
High value of patient data
Medical records are worth more on black markets than credit card data. They contain names, national ID numbers, insurance data, medication history — enough for years of identity fraud. A stolen credit card number loses value as soon as it’s blocked. A medical record never does.
The human link
Phishing targeting healthcare workers is a primary attack vector. A fake email from “the EMR system” or “IT support” can be convincing in a busy clinical environment. Attackers also exploit healthcare software names and familiar branding to make impersonation more credible.
What you gain, and what it costs
If you apply this profile seriously, you typically gain:
- less chance that patient data leaks through personal habits or unofficial tools
- clearer separation between what feels convenient and what is actually defensible
- faster incident response when something goes wrong
- better-documented choices when facing a regulator, employer or patient
But it costs something:
- less freedom to “quickly” use WhatsApp, personal email or your own cloud
- more friction in communication with patients and colleagues
- extra discipline around logging, access control and device management
In a healthcare context that is usually a reasonable trade. Convenience that cuts the wrong corner is not a neutral choice here.
Checklist
Work devices
- Use only approved devices for patient data — never a personal phone without encryption
- Auto-lock after short inactivity — an unattended screen showing patient data is a data breach
- Log in with your own account, never a shared account — accountability requires traceability
- Use your organisation’s VPN when accessing EMR systems remotely
Communication
- WhatsApp is not suitable for patient-related communication — this is a common mistake in healthcare
- Use systems your organisation has approved for patient communication
- For external parties: start with the guide Choosing secure email without overkill, then decide whether a secure portal or encrypted email is the defensible route
- Don’t discuss patient data in public spaces — waiting rooms, lifts, the cafeteria
Passwords and access
- Unique password per system — a compromised EMR account shouldn’t cascade to email; start with the guide Which password manager should you choose?
- 2FA wherever the system supports it — see the Two-factor authentication guide
- Revoke access immediately when someone leaves — this frequently goes wrong
Data breaches
- Know what the reporting process is within your organisation — as an independent practitioner you are data controller and report directly to the AP
- A misdirected email containing patient data is already a reportable breach
- Also report near-misses — it helps the organisation recognise patterns
Physical security
Digital security is useless if a screen with patient data is freely visible.
- Screen visibility: position work devices so patients in the waiting area cannot see them. Use a privacy screen on laptops and tablets you carry around.
- Clean desk: don’t leave patient records, forms, or test results unattended on your desk. This includes printed correspondence.
- Visitors in treatment rooms: lock or log out of your screen if a patient or visitor enters while you’re working on a different record.
- Laptops and tablets: an encrypted device is useless to a thief — but report loss immediately to IT so accounts can be blocked.
Communication with patients
Patients sometimes send sensitive information via email or WhatsApp — diagnoses, medication lists, results. How do you handle this?
- Establish clearly which channel your organisation uses for patient communication
- Never send medical information back via an unsecured channel just because a patient used one
- Actively direct patients to secure alternatives (patient portals, approved messaging apps)
MedMij-certified apps are specifically intended for patient communication within the Dutch healthcare context.
Don’t treat this section as an invitation to choose your own chat apps for patient care. For most healthcare workers, organisation policy and patient portals come before personal preference.
Independent healthcare practitioners
If you work outside an organisation, the same rules apply — but you’re responsible for implementation yourself:
- Encrypted device (BitLocker on Windows, FileVault on Mac, or GrapheneOS on phone). On standard Android, encryption is active automatically once you set a screen lock (PIN, pattern or password). You can verify this under Settings → Security → Encryption and credentials (exact label varies by manufacturer).
- Separate encrypted storage for patient records — not on your personal desktop, not in a non-EU cloud
- Use GDPR-compliant cloud storage for patient records — Proton Drive (Switzerland) or Tresorit (EU servers) are suitable options
- As data controller you’re directly responsible for breach reporting to the relevant supervisory authority
- Sign a data processing agreement with every software vendor that processes patient data (EMR provider, accounting, etc.) — this is a written agreement specifying how the vendor handles the data, mandatory under GDPR Article 28. Request this proactively from any new vendor before you start. See data processing agreement explained for a practical approach.
After an incident: what do you do?
If you suspect patient data has been leaked or your device has been compromised:
- Report immediately to your organisation’s data protection officer — or for independent practitioners directly to the supervisory authority if it’s an actual breach
- Isolate the device: disconnect it from the network, but don’t turn it off (forensic value)
- Change passwords for all systems that device had access to, from a clean device
- Document everything: time of discovery, what you observed, what actions you took
- Contact your sector’s CSIRT if available — in the Netherlands this is Z-CERT, specifically for healthcare organisations, reachable via z-cert.nl
The 72-hour GDPR reporting clock starts at the moment of discovery, not at the moment of the incident. An incident is reportable if there is a risk to the rights and freedoms of those affected. When in doubt, always report.
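As an added example (not part of the original guide), the reporting clock and the "document everything" step written out in Python: the 72-hour deadline is counted from the moment of discovery, the estimated incident time is recorded in the file but does not move the deadline, and timezone-less timestamps are rejected so a local-time/UTC mix-up cannot silently shift it. The `IncidentRecord` class and all timestamps and events are constructed for illustration.

```python
"""Added example: GDPR 72-hour notification clock plus a minimal incident file.
Not part of the original guide; class name, timestamps and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# GDPR Article 33: notify the supervisory authority within 72 hours of becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)


def _as_utc(ts: datetime) -> datetime:
    """Normalise to UTC. Naive timestamps are rejected: mixing local time and UTC
    could move the deadline by hours without anyone noticing."""
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware timestamps, e.g. datetime.now(timezone.utc)")
    return ts.astimezone(timezone.utc)


@dataclass
class IncidentRecord:
    """The documentation the guide asks for: time of discovery, observations, actions."""
    discovered_at: datetime                  # moment you became aware: this starts the clock
    occurred_at: Optional[datetime] = None   # best estimate of when it happened; does NOT move the clock
    observations: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # (utc_timestamp, what you did)

    def __post_init__(self) -> None:
        self.discovered_at = _as_utc(self.discovered_at)
        if self.occurred_at is not None:
            self.occurred_at = _as_utc(self.occurred_at)

    def observe(self, what: str) -> None:
        self.observations.append(what)

    def act(self, when: datetime, what: str) -> None:
        self.actions.append((_as_utc(when), what))

    def deadline(self) -> datetime:
        # Counted from discovery, not from the incident itself.
        return self.discovered_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - _as_utc(now)) / timedelta(hours=1)

    def status(self, now: datetime) -> str:
        left = self.hours_remaining(now)
        if left <= 0:
            return "OVERDUE: notify the supervisory authority now and document the delay"
        return f"report within {left:.1f} h (deadline {self.deadline().isoformat()})"

    def timeline(self) -> list:
        """Chronological (utc_timestamp, event) list for the incident file."""
        events = [(self.discovered_at, "discovery")]
        if self.occurred_at is not None:
            events.append((self.occurred_at, "incident (estimated)"))
        events.extend(self.actions)
        return sorted(events, key=lambda e: e[0])


def example_record() -> IncidentRecord:
    """Constructed scenario: laptop lost Friday evening, noticed Monday morning."""
    cet = timezone(timedelta(hours=1))  # Amsterdam local time in winter (constructed)
    rec = IncidentRecord(
        discovered_at=datetime(2024, 3, 11, 9, 0, tzinfo=cet),   # Monday 09:00
        occurred_at=datetime(2024, 3, 8, 17, 30, tzinfo=cet),    # Friday 17:30, estimated
    )
    rec.observe("laptop with EMR access missing from consultation room")
    rec.act(datetime(2024, 3, 11, 9, 10, tzinfo=cet), "reported loss to IT, accounts blocked")
    rec.act(datetime(2024, 3, 11, 9, 30, tzinfo=cet), "passwords changed from a clean device")
    return rec


if __name__ == "__main__":
    rec = example_record()
    for when, what in rec.timeline():
        print(when.isoformat(), what)
    print(rec.status(datetime(2024, 3, 12, 9, 0, tzinfo=timezone(timedelta(hours=1)))))
```

Note that in this scenario the deadline is Thursday 09:00 local time (Monday discovery plus 72 hours), even though the loss itself happened on Friday; the three days in between do not count against you, but they are exactly what the record must explain.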
Tools
| Purpose | Tool | Note |
|---|---|---|
| Password manager | Which password manager should you choose? | Choose the route first; then Bitwarden or KeePassXC |
| Encrypted storage | Proton Drive / Tresorit | GDPR-compliant, EU servers |
| 2FA | Two-factor authentication guide | Offline, open source |
| Secure email | Choosing secure email without overkill | For external communication or portal choice |
| Privacy screen | 3M or Kensington | For laptops in clinical environments |
| Secure phone | GrapheneOS on Pixel | For independent practitioners processing patient data on phone |
| Secure phone (alternative) | Android privacy without custom ROM | If GrapheneOS isn’t an option — encryption + work profile |
Don’t treat this table as if every item is automatically needed. For most healthcare workers, password management, 2FA, encrypted storage and organisation-approved communication matter more than getting a new phone.
Next step
Directly relevant
- GDPR breach notification obligation — when to report, decision tree
- Data processing agreement explained — what it is and how to arrange it as an independent practitioner
Also relevant
- Profile: small business owner — GDPR obligations for independents
- Profile: privacy conscious — if you also want to de-Google without losing the healthcare context
Reviews and further reading
- Bitwarden review — password management for the practice
- Proton Drive review — GDPR-compliant storage
- Signal and Molly review — secure messaging with colleagues