
Cavoukian’s order to encrypt health data not enough

By:  Kathleen Lau On: 03 Feb 2010 For: ComputerWorld Canada Creator

Security vendor Websense says Ontario Privacy Commissioner Ann Cavoukian’s mandate that all 36 Ontario health authorities encrypt data in motion is barely enough to avoid data loss. Organizations focus too much on restricting types of endpoints.




Although the Durham Health Region was ordered by Ontario’s Privacy Commissioner to encrypt its data after an employee misplaced a USB key containing thousands of patients’ medical data, a security expert thinks that still won’t be enough.


Comments (3)

by pete hillier 2/4/2010 1:02:42 PM

Privacy Commissioners at the Provincial Level are the wrong people to look to for advice on security. They'll barrage you with requirements for security enabling technologies, like encryption, but without the full context of the problem at hand being addressed, they'll always miss the boat.

You have to look to the people that are setting the standards, but I'm afraid you will be sorely disappointed in the results. EMR vendors have to comply with controls set by the Canada Health Infoway, which are lacklustre with regard to security and privacy and for which the risk assessment methodology is sparse at best. Don't look to the OntarioMD, or their underlying HL7 assessment criteria, for any added value either.

Another problem in this web is that collaboration is done in silos. Province by province, with minimal info sharing, quasi standards bodies are being established. Like the Infoway, they want to be the standards body, the regulator, the evaluator and the accreditor. Smells like a conflict of interest based on the need for revenue generation? Sure it does!

Why isn't Health Canada setting the standards? Why do we not have a piece of legislation that regulates the protection of health information, akin to the US-based HIPAA? Why does everything fall to PIPEDA and provincial privacy rules, when it is obvious that they are not enough to ensure the level at which we demand our health data be protected? Where are the requirements for audit of EMRs? Why are they not addressing the technical security and privacy issues in development and when in use? Who is setting requirements for the configuration of desktops and laptops and mobile devices used by doctors?

I could go on, but now you have the basis for another piece in the continuing story of eHealth gone wild!

by rhonda wilson 2/4/2010 4:47:25 PM

In rebuttal to Pete Hillier, this is not a gone-wild problem, but an insufficient-funds-and-time-provided-to-implement-the-law problem. The PHIPA legislation was passed without proper funding or notice to healthcare facilities to implement it. Cavoukian's attempt to up the bar with respect to security must be balanced against the lack of financial support to achieve good protection. As CIO of a major teaching hospital I made a presentation on this matter to the standing committee of our legislature prior to enactment of PHIPA in Ontario. I don't disagree that the risk-cost balance may not have been achieved yet; however, I worry that we create more irrational behaviour in such an immature system.

by pete hillier 2/5/2010 4:23:19 PM

Rhonda, I'm unsure where in my comments we argue, because I know that I do, in fact, support your argument. That said, as the person responsible for setting the privacy agenda and recommending the supporting security architecture, there is no point in doing it in a silo that does not support the funding. In essence, the role becomes futile without $$ attached to it. Much like the dilemma we are in with the treasury board articulating security policy without funding attached to it; nobody is complying!

The irrational behaviour is evident in the fact that the eHealth architecture, info sharing and partnerships keep trying to mature to that south of the border without the legislative framework and subsequent control objectives to ensure it works properly.
