Thesis Plan: The effects of practical privacy measures on patients in the Netherlands:
insights from the Maasstad Hospital
Health Care Management, Erasmus School of Health Policy and Management
Thesis plan: Digitization of Health Care Governance
March 2, 2022
Word count: 2500 excluding in-text references
A digital world brings challenges that were not there before, especially in the area of privacy.
For example, the Facebook-Cambridge Analytica data scandal is well known (Wong, 2019).
In healthcare, a lot of work is done with sensitive, medical personal data of patients and
clients, which are stored electronically. Information security and privacy are important in the
medical sector, because the digitization of patient records carries potential dangers (Atasoy,
Greenwood, & McCullough, 2019).
In the Netherlands, healthcare institutions are obliged to comply with the requirements
set by the NEN 7510 standard, so that present (patient) data can be handled carefully and
confidentially (NEN, 2020). As a result, healthcare institutions must have an Information
Security Management System (ISMS). According to Susanto, Almunawar and Tuan (2011),
an ISMS is a management system in which policy documents are stored, so that an
organization such as a hospital can effectively manage its information resources.
For a hospital that has taken an ISMS into use, it is a logical step to start using a
Privacy Information Management System (PIMS). A PIMS is a system complementary to the
ISMS. A standard that guides organizations in improving and extending the ISMS with a PIMS is
ISO/IEC 27701:2019, abbreviated as ISO 27701 (ISO/IEC, 2019).
Potential benefits of a PIMS are described by Janssen, Cobbe and Singh (2020), such as
increased transparency, control of patients over the data captured about them and over how the
data is shared and used, and availability of information, so that better informed decisions about
whether to engage or disengage with particular processing can be made.
1.1 Problem statement
This problem statement will show what leads to this research. Digitalization is seen as a
solution to problems such as the increased demand for healthcare, and privacy is becoming a
bigger topic in digitization (Lapão, 2018; Tiga Healthcare Technologies, 2022). Although the
subject is receiving more attention, the practical privacy consequences of ISO 27701 for
patients in healthcare have not been widely reported. There are only studies whose main
focus is on possible documentation for the development and implementation of ISO 27701
or on the connection with the General Data Protection Regulation (GDPR) (Anwar & Gill, 2020;
Fal, 2021; Grishaeva, 2021; Lachaud, 2020).
Despite these studies, it is unknown which of the practical measures taken under
ISO 27701 have an effect on patients, and how, such as how multi-factor authentication through
identification, authentication or authorization can influence a patient whether they prefer to be