OTTAWA — Canadians have good reason to fear for the privacy of their health-care information, experts told the 15th Annual Canadian Information Technology Security Symposium Wednesday.
Speaking to an audience of public sector IT professionals, Ottawa-based physician Dr. Jay Mercer admitted
that even as their offices become automated, doctors remain largely clueless as to what they should be doing to protect the sensitive data they hold.
Fully automated medical offices that move administrative processes online, make use of electronic health records and network with hospitals or labs represent only two to five per cent of Canadian doctors’ offices, he said.While that number is growing, he said the medical community’s deployment or even understanding of security safeguards is not.
Right now, he said, it’s probably best not to ask too many questions unless you want to hear bad news.
“”The situation here is similar to what you hear in medical school, although the context is obviously different,”” he laughed. “”If you investigate the bad smell, you will probably not like what you find.””
The problems with the wired doctor’s office are many. They start with the lack of technical knowledge among most doctors, he said. Not many family physicians understand that their firewall, if they even have one installed, can have holes or how to take care of them. Without technical expertise it’s easy for a doctor to be taken advantage of by a vendor.
Pamela Wilson, an independent security consultant, brought up an example of an office that gave a vendor access to its entire system via a dial-up modem in case repairs were ever needed.
“”I asked the vendor if it was true that their employees could just dial in and see the whole system,”” she said. “”The answer was yes. They needed access in order to do their jobs.””
These are not just regular IT systems, Mercer points out; we should all be concerned about who gets to see them.
“”It’s your information that’s on there,”” he said. “”If you’re not getting shivers yet, I think you should.””
Mercer said that although privacy issues arise around the health care system, they lack a sense of necessary urgency. Part of the problem is that many people see the data contained in their health record as insignificant and benign. It’s not until that data becomes a hazard that we get concerned.
“”Most of us don’t really worry about how safe the demographic data contained in our health record is,”” he said. “”But then you find yourself a battered woman on the run from an abuser, who by the way says that if he finds you he’ll kill you. Now do you want that data, which includes your address, protected? Same goes for your medical history. What if it has bearing on a job you’re trying to get?””
Along with online security, the medical office has to deal with serious physical security issues. Thieves breaking into offices and making off with hardware is an example of how things can easily go wrong. A lot of offices don’t even have alarm systems, Mercer said. And even if they do, there are also the threats created by support staff and patients who can easily access many areas of the office without supervision.
It may be easy to simply want to tell doctors to heighten their security measures and treat it more seriously, Wilson said, but the issue is a bit more complicated. Medical offices are largely public spaces.
“”This is not like in a business environment where I can just give my staff door cards to control who comes into the office,”” she said. “”Patients have to be able to come and go.””
What’s needed is a real cooperative effort between the IT world and the medical world, Mercer said. IT professionals developing, or trying to introduce security safeguards into the wired health-care system have to understand they’re dealing with a profession generally not comfortable with change.
“”There has to be a compromise reached between what needs to be done to safeguard information and what doctors want to do about it, which is nothing,”” he said.
In large part these problems are created by the way privacy issues have been viewed by the tech community, said Computer Associates security, privacy and trust initiatives business manager John Sabo.
“”Right now my view is that privacy is an add-on to systems and that makes privacy management cumbersome,”” he said.
It doesn’t need to be that way, Sabo argued, since privacy and security are closely connected. In fact, he said, security is one of the principles necessary to provide information privacy. What’s necessary then, is an integration of privacy safeguards into system architecture.
“”Those of us who are concerned about privacy have been wondering why you can’t architect privacy into these systems from the beginning,”” he said.
The public should still be wary, Mercer said, because there is still not a lot of information available about how gathered personal data is being shared.
“”And believe me,”” he said, “”there’s quite a bit of sharing going on.””
The Canadian Information Technology Security Symposium wraps up Thursday.