Hospitals must protect personal health information through encryption


Raising the bar on patient safety and security measures

As portable storage devices become more prevalent in the health care sector, so do concerns regarding the privacy and security of personal health information. Though convenient, these devices are at great risk of being misplaced or stolen. The loss or theft of unencrypted mobile computing devices or storage media remains one of the main causes of privacy breaches in the health care sector.

As Ontario’s Information and Privacy Commissioner, I have had to investigate a number of unfortunate cases of lost information in the health care sector which could have been avoided by implementing proactive and preventive measures. Hospitals need to ensure strong data security and protection of health information, as privacy breaches can be costly and cause lasting damage to an organization’s reputation. Most importantly, a breach represents a major violation of a patient’s privacy. Every health care facility must take as much responsibility for the care of its patients’ health information as it does for the patients themselves.

Toronto’s Sunnybrook Health Sciences Centre, with 1.2 million patient visits each year, has established itself as the largest single-site hospital in Canada. Like those of all health care institutions, Sunnybrook’s information assets are vulnerable to loss or theft, including risks to the confidentiality of patients’ personal health information. The solution to this challenge, which Sunnybrook has adopted, is based on the Privacy by Design (PbD) principle of “End-to-End Security.” By applying this principle proactively and systematically, Sunnybrook created an “encryption by default” policy for all of its portable storage devices. The long-term benefits cannot be over-estimated – we know from the academic literature that the default rules! Taking these steps provides a doubly-enabling, positive-sum outcome, which benefits both patients and caregivers.

Ensuring that numerous portable devices are encrypted is not always easy in such a large and dynamic operating environment. However, Sunnybrook has shown its leadership in privacy and security practices by understanding that health care can benefit directly from improvements in security technologies and access to information, without significant user or institutional burden.

“Electronic health information improves the quality of health care by enabling informed decision-making wherever the information is needed, but mobile devices have to be kept safe,” commented Sam Marafioti, Vice President Development and Corporate Strategy and Chief Information Officer, Sunnybrook Health Sciences Centre. “At Sunnybrook, encryption technology is mandatory for all portable storage devices to ensure that personal health information is kept safe and secure wherever these devices go, allowing our health care teams to do what they do best: care for patients.”

While the encryption of end-point devices may not be a new idea, the need for seamless access in high-availability environments is growing, which means that deployment and support considerations are now major factors when evaluating solutions. Regardless of how these technologies are deployed in operation, taking a Privacy by Design approach and mandating encryption by default will go a long way towards meeting the challenges of securing an organization’s expanding perimeters, as well as achieving compliance and trust objectives.

To provide an example of how personal health information can be protected, I recently released a paper introducing the “Circles of Trust” concept in partnership with Toronto’s Sunnybrook Health Sciences Centre and CryptoMill Technologies. The concept refers to mobile encryption deployment scenarios and role-based access controls that enable the free flow of personal health information among authorized health-care providers, while at the same time ensuring that the information remains encrypted and inaccessible to everyone else.

To find out more about this concept and its adoption, I invite you to download “Encryption by Default and Circles of Trust: Strategies to Secure Personal Information in High-Availability Environments” from www.ipc.on.ca. Hospitals are now benefiting, and can benefit further, from improvements in security technologies which enable the delivery of privacy for patients, while granting appropriate access to information where and when it is needed, without significant user or institutional burden. No matter the size of your hospital, the message is the same: secure your perimeter and end-points against unauthorized access – encrypt by default!