A team of experts from HealthySystems, a U.Porto spin-off, is developing a pilot project with the Agência para a Modernização Administrativa (AMA) (Agency for Administrative Modernization). The project aims to record accesses to the services of the Portal do Cidadão so that they comply with the new European Data Protection Regulation, maintaining the traceability of information. “It’s kind of a ‘black box’ that guarantees the maximum traceability of access to the most sensitive data of the Portuguese population,” explain the experts.
The new data protection law results from the implementation of a European regulation that came into force in May 2016, obligating institutions and companies to take action to protect citizens’ privacy, explains Ricardo Correia, co-founder of HealthySystems and researcher at CINTESIS – Center for Health Technology and Services Research, the research center from which the company was spun off.
In this context, the Agency for Administrative Modernization, a public institute with special responsibilities in the areas of administrative modernization and simplification and digital transformation, sought through this application to establish a traceable and auditable record of accesses to one of the portals with greater external visibility. “These records will enable the AMA to secure, in a safer way and in close compliance with the RGPD, a control mechanism and procedures to ensure safe logs.”
“The project aims to install and configure a pilot version of an audit solution for the Portal do Cidadão (citizen’s portal),” explains the CINTESIS specialist in Medical Informatics, Ricardo Correia. “The technology that we propose to implement aims to create a ‘black box’ that keeps information related to the access of different users to information systems in the highest level of security. This information is particularly sensitive and relevant because through it you can prove that a given process was well performed by a professional, but also through it you can miss cases of access or alteration of undue data.”
Luís Filipe Antunes, co-founder of HealthySystems and data protection specialist at the Faculty of Sciences of the University of Porto, said: “This solution, leveraged by the good practices already in place at the AMA, will allow auditing to ensure accountability for access to the platform and the legal validity of the evidence mechanisms, an essential requirement for compliance with the European Data Protection Regulation. This solution is essential in the RGPD Privacy Risk Assessment and all public or private institutions must have such solutions.”
In theory, information systems already allow information to be traced. However, most of them have security breaches that allow a large number of people with access to computer systems to tamper with the information. What the HealthySystems pilot solution does is keep a true and unalterable record of the date and time of each user’s action, while making it possible to detect very efficiently any tampering that may occur during a logged.
It should be noted that HealthySystems is the only entity in the national market that offers this type of computer security solution. In addition, the CINTESIS spin-off has already gained much experience in the management of complex information systems and of confidential information, from the various projects developed with healthcare institutions within the scope of different partnerships promoted by CINTESIS.