Cavoukian’s order to encrypt health data not enough

Although the Durham Health Region was ordered by Ontario’s Privacy Commissioner to encrypt its data after an employee misplaced a USB key containing thousands of patient’s medical data, a security expert thinks that still won’t be enough.

In January, Durham Health authority said it lost the medical records belonging to 83,000 patients when a nurse misplaced a USB key at its Whitby, Ont., headquarters. The unencrypted data was amassed from the H1N1 flu vaccine clinics between Oct. 23 and Dec. 15 of 2009.

Fiaaz Walji, Canadian country manager for security vendor Websense Inc., said Ontario privacy commissioner Ann Cavoukian’s order that the Durham Health Region “strongly encrypt” its data when stored on a portable device like USB stick or laptop is one good step among many others.

“She’s absolutely right that it should be encrypted, but I think encryption is one piece of it,” said Walji.

The report from Cavoukian stated several requirements, including that “each of the 36 health units in Ontario conduct a review of its practices and procedures with regard to the encryption of mobile devices in order to ensure that any personal health information on those devices is strongly encrypted.”

There must be an overarching data loss prevention strategy that includes both technology as well as policy, said Walji. It may have very well been the case that the nurse was following policy that allowed the data to be saved onto a memory stick, but that turned out to the be wrong policy, he said.

Policy should work to secure who and what data goes where and how, said Walji. Policies should also differ by department and data type. For instance, customer information should only be accessible by sales, customers service reps and maybe marketing. “Having said that,” say Walji, “should the customer service reps be able to cut and paste onto their computer? Is that an acceptable use policy?”

But while many enterprises focus their concern on restricting certain types of endpoints, Walji said Websense suggests the opposite approach which is to restrict access to content regardless of device. “It doesn’t matter whether you’re plugging in a Lexar (memory stick) or an iPod or a CD, as long as that information, like social insurance information, can’t leave the organization, you’re set,” said Walji.

On the technology side, Walji said encryption is one item among others that include proxy, secured information management, digital rights management and access controls.

Walji advises that organizations take advantage of the out-of-the-box functionality in security tools like PCI compliance.

Misplaced USB keys aside, organizations ought to safeguard against sensitive data potentially going missing at the hands of disgruntled employees or the many contract developers who work with software companies, said Walji.

Cavoukian’s order to encrypt data in motion applies to all health authorities in Ontario. Walji said although public and private sector organizations must improve data safe keeping strategies, so must the government provide stronger incentive for them to do so.

“It has been an honour system for a long time, the legislation has no bite,” said Walji, referring to the fact that retailers that lose customer data are not obliged to publicly reveal the loss.

Related Content

First Nations must be part of iPHIS
Ontario's Integrated Public Health Information System (iPHIS) is being heralded as hugely successful in coordinating the province's previously disparate outbreak reporting mechanisms.

Showcase Ontario - Move to include First Nations in public health initiative
Ontario's Integrated Public Health Information System (iPHIS) is being heralded as hugely successful in co-ordinating the province's previously disparate outbreak reporting mechanisms, but the system may have overlooked thousands within the province’s Aboriginal community.

Streamlined reporting saves time, money
Equitable Life of Canada, an 80-year-old independent, mutual life insurance company headquartered in Waterloo, Ont., is saving printing costs while improving service to policy holders and independent producers.

Comments (3)

pete hillier

by pete hillier 2/4/2010 1:02:42 PM

Privacy Commissioners at the Provincial Level are the wrong people to look to for advice on security. They'll barrage you with requirements for security enabling technologies, like encryption, but without the full context of the problem at hand being addressed, they'll always miss the boat.

You have to look to the people that are setting the standards, but I'm afraid you will be sorely disappointed in the results. EMR vendors have to comply with controls set by the Canada Health Infoway, which are lack lustre with regard to security and privacy and for which the risk assessment methodology is sparse at best. Don't look to the OntarioMD, or their underlying HL7 assessment criteria for any added value either.

Another problem in this web is that collaboration is done in silo's. Province by Province, with minimal info sharing, quasi standards bodies are being established. Like the Infoway, they want to be the standards body, the regulator, the evaluator and the accreditor. Smell like a conflict of Interest based on the need for revenue generation? Sure it does!

Why isn't Health Canada setting the standards? Why do we not have a piece of legislation that regulates the protection of health information, akin to the US-based HIPAA? Why does everything fall to PIPEDA and provincial privacy rules, when it is obvious that they are not enough to ensure the level at which we demand our health data be protected? Where are the requirements for audit of EMRs? Why are they not addressing the technical security and privacy issues in development and when in use? Who is setting requirements for the configuration of desktops and laptops and mobile devices used by doctors?

I could go on, but now you have the basis for another piece in the continuing story of eHealth gone wild!

rhonda wilson

by rhonda wilson 2/4/2010 4:47:25 PM

In rebuttal to Pete Hillier this is not a gone wild - but an insufficient funds and time provided to implement the law problem. The PHIPA legislation was passed without proper funding or notice to healthcare facilities to implement it. Cavoukian's attempt to up the bar with respect to security must be balanced against the lack of financial support to achieve good protection. As CIO of a major teaching hospital I made a presentation on this matter to the standing committee of our legislature prior to enactment of PHIPA in Ontario. I dont disagree that the risk cost balance may have not yet been achieved yet; however I worry that we create more irrational behaviour in such an immature system.

pete hillier

by pete hillier 2/5/2010 4:23:19 PM

Rhonda, I'm unsure where in my comments we argue, because I know that I do, in fact, support your argument. That said, as the person responsible for setting the privacy agenda and recommending the supporting security architecture, there is no point in doing it in a silo that does not support the funding. In essence, the role becomes futile without $$ attached to it. Much like the dilemma we are in with the treasury board articulating security policy without funding attached to it; nobody is complying!

The irrational behaviour is evident in the fact that the eHealth architecture, info sharing, partnerships keep trying to mature to that south of the border without the legislative framework and subsequent control objectives to ensure it work properly.