Cavoukian fires back at Durham Health report criticism

Ontario Privacy Commissioner Ann Cavoukian has taken issue with a security vendor’s criticism of her recent report following the loss of a USB key containing patient health data at Durham Health region.

Earlier this week, Websense Inc.’s Canadian country manager Fiaaz Walji said Ann Cavoukian’s order that the Durham Health Region should “strongly encrypt” its data when stored on a portable device like USB stick or laptop is just one step that ought to be required among many others. “She’s absolutely right that it should be encrypted, but I think encryption is one piece of it,” said Walji.

In response, Cavoukian disagreed that her report focuses solely on encrypting data on mobile devices and that it does require that health authorities assume an enterprise-wide system of data protection that includes training employees on written policies and practices regarding role-based data access, lifecycle data management and data minimization.

“I wonder what more he would like me to do beyond all of the things we ordered. I don’t think he even read my order,” said Cavoukian. “To suggest that the only thing the order did was to order the encryption of health data I think is really incomplete.”

Cavoukian pointed out that the lifecycle of data management starts with data minimization by refraining from collecting

personally identifiable information to begin with. She went on to say the report does mention a specific instance which is the cessation of the collection of the health card numbers of individuals visiting the H1N1 immunization clinics.

At the suggestion that her report gives the impression that she singles out the practice of encrypting data on mobile devices above other security practices, Cavoukian said the data breach at Durham Health region originated from an unprotected USB device that went missing and that it was necessary to write the report in such a way as to address the immediate cause of the problem.

“So we slam them hard on that, and the reason we slam them hard on that is because in 2007, three years earlier, I said the same thing involving Sick Kids and the loss of a laptop that was unencrypted,” said Cavoukian.

None of what is written in the report about safe keeping and safe handling data in a holistic manner should have been new to Durham Health region, said Cavoukian.

Durham Health region did have a practice of encrypting data stored on mobile devices but the written policy had not been updated. The employee who lost the USB key was new to the organization and had not undergone training. “You have to ensure the practices reflect the policies,” she said.

Another reason the report focused on encrypting data on mobile devices is because laptops and other portable devices so often get lost, explained Cavoukian. It’s understood that placing access and download restrictions on information is a first step, but if an employee unknowingly breaks company policy by transferring data to a portable device, he or she will at the very minimum know to encrypt it, she said.

“If you have it hammered into them that anytime you are going to transfer something to a mobile device it has to be encrypted, at the very least you can reduce the risk of the mistake that’s happening by ensuring that the data is encrypted,” said Cavoukian.

Cavoukian also took issue with Walji’s suggestion that the government is not doing enough to persuade public and private sector organizations to improve data security, in particular because retailers are not currently obliged to publicly divulge a loss of confidential customer data. “It has been an honour system for a long time, the legislation has no bite,” said Walji.

Cavoukian pointed out that the Personal Health Information Protection Act (PHIPA) “is amazing” and that, specifically, section 65 contains two clauses, one pertaining to damages to the individual and the other to damages for mental anguish.

“When they go to court, they don’t have to prove or attempt to prove contravention of the Act. I’ve done that for them … that’s pretty big,” said Cavoukian. “I think that’s huge teeth.”

While Cavoukian agrees that particular legislation doesn’t apply to retailers, it does apply to “everyone in Ontario both public and private sector who collects or uses personal health information.”

Cavoukian further defended PHIPA by saying that last year Washington, D.C.-based Institute of Medicine used Ontario’s PHIPA as the framework for revisions to privacy rules in the U.S.’s Health Insurance Portability and Accountability Act (HIPAA).

Comments (2)

glenn williamson

by glenn williamson 2/8/2010 2:38:53 PM

I agree with the "Ann" but in the short term I so agree with "Walji" as I have followed HIPAA & HITRUST for a long time and it appears there are "teeth" to HIPAA. Isn't it time we move forward on having organizations be compliant (not quite PCI) but force them to use a common set of information security requirements and not just recommend they use end-point security solutions?

Amin Adatia

by Amin Adatia 3/4/2010 9:21:29 AM

I would say that most of the security breakdown are associated with human failures. So asking for more non-human stuff is just throwing more good money after bad. Interesting that for 14 year olds we have "3 Strikes and your are out" rule but for these "adults" we continue to have no penalty for failure. Until that is solved I doubt if any number of Audit Reports will solve anything.

Regards