Organizations have a duty to keep personal health information secure
By Kirsten McMahon, Associate Editor
It's also possible that health-care providers hold information in a repository or system where it's not encrypted, but there is a secure perimeter. “You have a fence around it that people can't just walk through,” says Dykeman, a partner with DDO Health Law.
She makes her comments in connection with an investigative report which alleges that the detailed medical histories and contact information of thousands of home-care patients in Ontario are being held for ransom by hackers.
An organization which provides home medical care services on behalf of the Ontario government announced last month that it had been breached. It said only that personal health and financial information of patients had been “inappropriately accessed.” However, a group claiming responsibility for the breach says it discovered vulnerable software within the health organization’s network, which it was able to exploit.
The attackers claim they requested compensation in exchange for not leaking the data online and for telling the organization how to fix its security issues. According to CBC News, none of the data they allegedly hold was encrypted.
“While Ontario's privacy commissioner requires that personal health information be encrypted when stored on mobile devices, there is presently no similar requirement for desktop computers or servers,” the article states.
In an interview with AdvocateDaily.com, Dykeman says while it’s true that there is no requirement for encryption of desktops and servers, the bottom line is that organizations — from major teaching hospitals to small clinics, private practice or agencies — have a duty to keep personal health information secure.
“This can be done in a variety of ways to make sure hackers can’t get in,” she tells the legal newswire. “The law doesn’t detail how, but common sense dictates that locked doors and cabinets limit physical access.”
She notes organizational policies, training staff on privacy rules and best practices, and security features to keep electronic data safe such as encryption, firewalls, access controls, and anti-virus protection can all assist to secure the perimeter.
According to CBC News, the Information and Privacy Commissioner of Ontario and police are investigating the recent breach. Dykeman says this is entirely appropriate and welcome.
“This group reached in to take information they were not entitled to. They may say it was possible to do so due to gaps in the system — and, in fact, stated that they offered to help the organization they hacked become more secure — but they don’t have a right to the information and could face consequences as a result,” she says.
She points to another type of cyber theft called ransomware, where an email that may look legitimate is sent to staff who mistakenly open it.
“Human nature and curiosity result in threats to electronic data, which may be held for ransom until someone pays up for its release,” Dykeman says. “Many organizations have changed their practices to do a better backup of data so that they continue to have access to it if this happens — but the threats are real and changing.”
She notes a number of health-sector associations are working hard to collectively address the issue and provide guidance to their member organizations.
“It is hard enough to keep pace with or ahead of hackers, much less having every organization figure it out on their own,” she says.
Dykeman notes that “this breach is a wake-up call for all health-care organizations; a cyber attack erodes trust, and leaves the organization, and most importantly, its clients, vulnerable.”