Canadian privacy regulators are urging governments, health sector institutions, and health providers to strengthen the IT networks that support the country’s medical infrastructure.
Following a meeting in Newfoundland this week, privacy commissioners and ombudsmen from the provinces and territories demanded authorities show “concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure.”
Despite rapid digital advancements in the health sector, breaches continue to be caused by the use of insecure communication technologies such as traditional fax machines and unencrypted emails, unauthorized access to health records by employees — often in the form of what the regulators call ‘snooping’ — and cybersecurity attacks, the group said in a resolution released Wednesday.
“To protect and bolster public trust in digital healthcare, action must be taken across Canadian jurisdictions to modernize and protect communications involving personal health information in step with the expanding array of digital means now available to better secure the sharing and use of this highly sensitive information,” they said.
The regulators say new data governance frameworks need to provide reasonable protection for sensitive health information, and that laws and regulations should be amended to provide meaningful penalties for institutions and providers that fail to take the necessary measures to protect health information.
There are now numerous modern and practical alternative ways to facilitate the legal and secure sharing of personal health information, such as encrypted email services, secure patient portals, electronic referrals, electronic prescribing, electronic medical records (EMRs), electronic health records (ERHs), and hospital information systems.
When properly configured with built-in privacy protections and a user-centric design, these technologies can be made more auditable, secure, and resilient against unauthorized access or inadvertent disclosure than either manual or old IT systems, the regulators say.
The resolution notes the expert advisory group for a pan-Canadian health data strategy’s recent report asked for the adoption of a Canadian Health Data Charter. Among other things, the resolution notes, it calls for “security and privacy of health data to maximize benefit and reduce harm.”
The resolution by the regulators comes after the continuing disclosure of successful cyber attacks against Canadian medical-related institutions. In March, security provider Sophos reported two ransomware gangs had separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year. Also last year, the healthcare sector was temporarily crippled in Newfoundland and Labrador after a large cyber attack. In 2020, privacy commissioners in Ontario and B.C. blamed medical laboratory LifeLabs for failing to protect the personal health information of 15 million Canadian residents in a huge 2019 data theft.
The resolution asks federal, provincial and territorial governments to
–develop a strategic plan and provide appropriate supports, funding, or other incentives to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives in a coordinated fashion;
–ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations;
–promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures; and
–amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties where appropriate, for health institutions and providers that do not take reasonable measures necessary to protect personal health information, as well as for individuals who unlawfully collect, use, or disclose personal health information.
Healthcare institutions and providers are urged to design, adopt, and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, the U.S. National Institute of Standards and Technology (NIST), or the Centre for Internet Security (CIS), that provide reasonable safeguards to protect personal health information.