Earlier this year, a health care professional did something seemingly well-intentioned: she placed a USB key into her purse as she left the office, planning to do some further work at home.  As it happened, the files in question were the personal health information records of 763 patients. 

Ann Cavoukian

 

Her purse was stolen.  And regrettably, all of the records – unencrypted and easily read by anyone – were lost.  Lost, too, was any sense of privacy for those 763 patients. 

Scenarios such as this have been played out countless times all across Ontario and around the world.  Indeed, a U.S. database has documented 121 incidents of mobile computing and storage devices being lost or stolen since September 2009, impacting over five million patients.  It’s a privacy problem of epic proportions, compromising the most sensitive and personal types of information possible.  And it must stop – now.

In Ontario, the Personal Health Information Protection Act requires that you take reasonable steps to ensure that personal health information is protected against theft, loss, and unauthorized use and disclosure.

Mobile devices, such as laptops, PDAs, and USB keys, add a new layer of complexity to this task.  The great advantage of these devices – portability – is also their greatest vulnerability, making them easily susceptible to loss and theft. 

IT professionals within the health-care sector play a critical role in the protection of patient privacy – your dedication to ensuring that the technology used by health practitioners enables data to be transported securely can make all the difference. That’s why I am calling on you to lead the way and stem the unacceptable flood of privacy breaches.

If there’s one message I’d like to leave you with, it is this: the default rules. If the default condition relating to personal health information on mobile devices is “encrypted”, then sensitive information is always protected, from the outset. Encryption is just one of the steps available to ensure privacy protection; however, it is the element that you will likely have the most control over as IT professionals.

With that in mind, I would ask you to consider the following guidance issued by my office with regard to strong encryption practices for your organization:

  1. To begin with, a good encryption algorithm must be used — one that has been subjected to rigorous peer review. Next, the algorithm must be properly implemented. This may only be confirmed if the encryption system is tested by an independent security testing lab.

  2. Once the encryption system is deployed, the encryption keys must be protected and managed effectively. Users who are authorized to decrypt data must be securely authenticated by means of passwords, biometrics, or security tokens. Systems must not leave unencrypted copies of data in web browser caches or on laptop disk drives where they may later be read by an unauthorized third party. Authorized users should be properly registered, trained and equipped.

  3. The encryption system’s protections should be operational, by default, without busy health-care users needing to take additional steps to ensure that the data remain encrypted. Finally, personal health information must remain available throughout its entire life cycle, regardless of forgotten passwords or misplaced security tokens.

 

For more information and resources, visit the website of the Information and Privacy Commissioner of Ontario at www.ipc.on.ca.

In particular, you may be interested in the following documents:

 

Remember – patient privacy is in your hands. I would love to hear about successful IT initiatives that you have adopted to help protect personal health information within your organization. Please send me a message at info@ipc.on.ca.

  • Indeed, patient privacy is in your hands!
    As such, I always recommend that people not hesitate to ask healthcare providers questions about their privacy and security best practices.

    No need to turn it into an interrogation, but a genuine curiosity about the kind of systems and practices they use will not only give patients greater comfort, but also make the healthcare office aware that their efforts are rewarded with interest, are important, and represent a worthwhile investment.

    Our healthcare and medical clients post their privacy practices on bulletin boards for all to see, and we recommend that they take a small step further to educate patients about what it means to fully encrypt data, to not allow it to leave the site and to not collect more information than is required.

    Keep up the good work!

    Claudiu