The current situation of health information security in Vietnam was reviewed through former researches and national regulatory documents. Generally, there is no published article on the health information security in the context of Vietnam that could be found by using the well-known search engines like Google Scholar and PubMED. Searching on some online resources for publications in Vietnamese also gave no relevant result. Hence, all health informatics-related publications found were scrutinized carefully to see if information security was discussed or not.
Published researches on the health informatics in Vietnam cluster in two main groups: the implementation of eHealth initiatives (cf. Sobowale et al. 2016; Katona et al 2014; Lam et al.
2018; McBride et al. 2018; Vu et al. 2016; Landgraf et al. 2016; Nguyen et al. 2013); and review of the current state of information technologies adoption at hospitals (cf. Nguyen &
Hoang 2017; Do et al. 2018). In some of those articles, data security and privacy issue was
8
acknowledged at some level. In a case report, for example, about the process of establishing a national laboratory information management system program for clinical and public health laboratories in Vietnam, the authors highlighted the need for stronger health information data security policies, at the laboratory and national levels, to comprehensively tackle with security issues and to fully maximize the benefits of the system (Landgraf et al. 2016). In an attempt to build a web-based system to manage and share anti-retroviral therapy information of human immunodeficiency virus patients in Vietnam, Phung Anh Nguyen and associates (2013) characterized “ensuring good enough security controls for the data stored and transferred among facilities” as one of the five features when building that system. Technical solutions, such as reliable backup tool, firewall, and authorized access were used to strengthen data security. In another recent scoping study about the mobile health initiatives in Vietnam, the fact of not having any legislation relating to mHealth or data security was humbly mentioned without any further discussion (Lam et al. 2018). This is to prove that health information security remains a neglected researching topic in Vietnam.
Regarding the regulatory environment for health information security in Vietnam, below is the list of four regulations directly affecting healthcare providers in taking actions toward health information security:
Law on medical examination and treatment stated in chapter 2
“Article 8. Rights to respect for privacy
1. To have their health status and private information given in their case history dossiers kept confidential.
2. The information referred to in Clause 1 of this Article may be disclosed only when agreed by patients or for exchange of information and experience between practitioners directly treating the patients to improve the quality of diagnosis, care and treatment of patients or in other cases provided by law.”
(“Law on medical examination and treatment”, translated by author)
In the same law, article 59 explains further that the head of the healthcare provider holds the right to give permission of using medical records in two cases: one case is for training and researching purpose; and the other is for legal purpose such as investigation or audit. This means patient consent is unnecessary in these cases.
Circular on requirements for provision of online healthcare services issued in 2014 by the Ministry of Health addressed information security in article 4 which consists of five
9
specifications about the policy, online system, application software, data and incidents management.
In the circular on criteria for information technology adoption in health care providers issued in 2017 by Ministry of Health, there are 15 criteria for information security and confidentiality divided into basic and advanced levels. 13 criteria out of them are technical requirements, such as antivirus softwares, data encryption, back up or restore.
Only two criteria are about policies and procedures.
A brand new circular on regulations for electronic medical records (EMR) was just launched lately in 2018. There are 12 articles relating to electronic medical records management, three out of them take on some aspects with respect to information security and privacy. First of all, article 6 covers the storage of EMR in terms of managing software, storing hardware, data center for backed up data, acquisition of healthcare providers. Secondly, article 7 specifies the process to use EMR which conforms to the law on medical examination and treatment as mentioned above. Finally, article 10 of “Privacy and information security of EMR” requires the healthcare providers to perform a number of technical measures, including access controls, anti malwares, restoring lost data, data encryption, and recording activities on EMR.
(“Circular on regulations for electronic medical records”).
Apparently, information security and privacy issue has been recognized consistently from the basic law to very recent health policies in Vietnam. However, comparing to other countries mentioned in section 2.1, it is still being addressed in a fragmentary and overlapping way.
Indeed, it is focused more on technical and specific measures rather than a systematic and comprehensive approach.
Despite that fact that there is no data breach officially reported in health sector so far, it does not mean that the health information is being secured enough for the future of networking and digitization because there is very limited known things about the information security, including perceptions, infrastructure, administration and so on in Vietnam. Therefore, this thesis is expected to give the very first insight into the situation in Vietnam and to attract the attention from researchers and healthcare providers on the information security issue.
10