Written by Ariane Siegel, General Counsel and Chief Privacy Officer, OntarioMD.
When the COVID-19 pandemic took hold in 2020, the federal government’s Canadian Centre for Cybersecurity issued an alert about the elevated risk to health organizations, as cybercriminals threatened to take advantage of the pandemic’s pressure on the health care system to infect online systems.
The threat was soon realized.
The same year, eHealth Saskatchewan was compromised by a cyber-attack, information about patient surgeries was exposed in another incident in Nova Scotia, and frontline services slowed down at the Jewish General Hospital in Montreal after cybercriminals there forced the institution to suspend internet connectivity.
Health care providers are increasingly targeted because they are rich in confidential patient data, and the use of technology is increasing as the medical community responds to COVID-19. Hackers can make huge profits by selling patient records on the black market or back to the health care institution or individual from which they were stolen. But, by using caution and following best practices, clinicians can help protect personal health information from data theft, and protect themselves against liability.
In Ontario, OntarioMD (OMD), a subsidiary of the Ontario Medical Association, offers clinicians some practical tips for data protection, including:
- Deleting emails and any images with personal health information from inboxes and device trash bins,
- Ensuring software and hardware applications have been updated with the latest security patches (e.g., operating system, firewalls),
- Encrypting critical data at rest when stored internally, and in transit when communicated externally,
- Transmitting personal health information through secure messaging to ensure messages are encrypted,
- Using two-factor authentication and changing passwords regularly,
- Maintaining audit logs, and
- Working with an Electronic Medical Record (EMR) vendor to ensure data is backed up, and testing to ensure backup systems are working.
Dr. Lawrence Rosenberg, head of the regional health agency that oversees the Jewish General Hospital, has suggested good security hygiene averted a serious data breach there, as an “anomaly” was detected during a daily verification of the system, which they then determined was a “cybersecurity intrusion.”
By acting quickly to suspend internet connectivity as well as external and remote access to its networks as a preventive measure, the agency was able to protect the population’s data, particularly hospital data, Quebec Health Minister Christian Dubé said at the time.
OMD provides many Privacy and Security tools and resources to help physicians adapt safely to virtual care, and to assess threats, safeguard information and respond to cyberattacks. The OMD virtual care web page at Ontariomd.vc provides a list of vendors with virtual care products and other resources to help clinicians understand how to use virtual tools in their practices. Our OMD Educates sessions also cover privacy and cybersecurity topics regularly.
The OMD online Privacy & Security Training Module, an education tool that offers instruction on how to keep patient and practice information confidential, is available on OMD’s website to all clinicians and their staff.
More than 4,000 users have benefited from the training so far, which covers a range of topics, including:
- A physician’s legal obligations under the Personal Health Information Protection Act
- Best practices for safeguarding a patient’s personal health information
- Establishing practice policies and protocols for use of digital health tools
- Patient consent, and
- Responding to privacy breaches and incidents such as ransomware attacks.
If a physician believes a breach has occurred, OMD IT staff can help assess the threat and recommend steps to keep information safe, such as suspending feeds from external digital health assets if the threat originated from a hospital or other external source.