Earlier this year, a health care professional did something seemingly well-intentioned: she placed a USB key into her purse as she left the office, planning to do some further work at home. As it happened, the files in question were the personal health information records of 763 patients.
Her purse was stolen. And regrettably, all of the records – unencrypted and easily read by anyone – were lost. Lost, too, was any sense of privacy for those 763 patients.
Scenarios such as this have been played out countless times all across Ontario and around the world. Indeed, a U.S. database has documented 121 incidents of mobile computing and storage devices being lost or stolen since September 2009, impacting over five million patients. It’s a privacy problem of epic proportions, compromising the most sensitive and personal types of information possible. And it must stop – now.
In Ontario, the Personal Health Information Protection Act requires that you take reasonable steps to ensure that personal health information is protected against theft, loss, and unauthorized use and disclosure.
Mobile devices, such as laptops, PDAs, and USB keys, add a new layer of complexity to this task. The great advantage of these devices – portability – is also their greatest vulnerability, making them easily susceptible to loss and theft.
IT professionals within the health-care sector play a critical role in the protection of patient privacy – your dedication to ensuring that the technology used by health practitioners enables data to be transported securely can make all the difference. That’s why I am calling on you to lead the way and stem the unacceptable flood of privacy breaches.
If there’s one message I’d like to leave you with, it is this: the default rules. If the default condition relating to personal health information on mobile devices is “encrypted”, then sensitive information is always protected, from the outset. Encryption is just one of the steps available to ensure privacy protection; however it is the element that you will likely have the most control over as IT professionals.
With that in mind, I would ask you to consider the following guidance issued by my office with regard to strong encryption practices for your organization:
- To begin with, a good encryption algorithm must be used – one that has been subjected to rigorous peer review. Next, the algorithm must be properly implemented. This may only be confirmed if the encryption system is tested by an independent security testing lab.
- Once the encryption system is deployed, the encryption keys must be protected and managed effectively. Users who are authorized to decrypt data must be securely authenticated by means of passwords, biometrics, or security tokens. Systems must not leave unencrypted copies of data in web browser caches or on laptop disk drives where they may later be read by an unauthorized third party. Authorized users should be properly registered, trained and equipped.
- The encryption system’s protections should be operational, by default, without busy health-care users needing to take additional steps to ensure that the data remain encrypted. Finally, personal health information must remain available throughout its entire life cycle, regardless of forgotten passwords or misplaced security tokens.
For more information and resources, visit the website of the Information and Privacy Commissioner of Ontario at www.ipc.on.ca.
In particular, you may be interested in the following documents:
- Fact Sheet – Encrypting Personal Health Information on Mobile Devices
- Fact Sheet – Health-Care Requirement for Strong Encryption
- Safeguarding Privacy In a Mobile Workplace
Remember – patient privacy is in your hands. I would love to hear about successful IT initiatives that you have adopted to help protect personal health information within your organization. Please send me a message at [email protected]