This article originally appeared in the November/December 2020 issue of the Ontario Medical Review magazine.
by Ariane Siegel
General Counsel & Chief Privacy Officer, OntarioMD
Cybercriminals are targeting hospitals and health-care providers with malicious ransomware attacks that are resulting in data theft and disrupted patient services, which is particularly alarming as cases of COVID-19 are spiking. Health-care providers are also increasingly reliant on digital information systems, and with virtual care now the new normal for physicians, they should exercise caution and follow best practices to protect personal health information (PHI). Implementing the latest privacy and security measures also helps to protect providers against liability.
In Ontario, help is available through OntarioMD, a subsidiary of the OMA. OntarioMD has developed tools and resources to help you assess threats, actively safeguard information and respond to cyberattacks. That’s important, because sensitive health care information is being increasingly targeted.
In December 2019, LifeLabs, Canada’s largest medical testing company, revealed that hackers had accessed the personal health information of 15 million patients in Ontario and B.C. and that it had paid a ransom to recover the data. Around the same time, hackers effectively shut down the computer systems of three Ontario hospitals, forcing employees to transcribe patient information onto paper, by hand, as email systems were taken offline, health records became harder to access, and patient care was slowed down. In this situation, malware struck a laptop, and was able to spread to the entire network. Although the hackers boasted they had easily penetrated the hospital grid after finding a significant hole in the security system, CEO Sarah Downey of Toronto’s Michael Garron Hospital said a firewall picked up the malware before the data could leave the hospital.
While these examples are specific to large companies and hospitals, smaller physician practices are confronting the threat of malware such as ransomware. Physicians in Ontario are encouraged to use electronic medical record (EMR) systems certified by OntarioMD. Certified EMRs are designed based on requirements and standards for privacy and security of patient data. To complement certified EMRs, OntarioMD staff are available to help evaluate and advise on firewalls, software and services that can be put in place to provide additional safeguards.
Ontario’s Privacy Commissioner has said that physicians in this province have a duty to be trained in privacy and security issues, and that training should be extended to their support staff. OntarioMD has addressed this need by offering an education tool to help health care providers and support staff learn how to keep patient and practice information confidential.
The OntarioMD online Privacy & Security Training Module is available 24/7. The module is accredited by the College of Family Physicians of Canada’s Ontario Chapter for two Mainpro+® credits and goes a long way to educate you and your staff on your legal obligations under the Personal Health Information Protection Act, and provides sound advice for protecting the physical assets in your office as well as your electronic data.
To date, approximately 4,000 users have benefited from the online training, which covers a range of topics, from best practices for safeguarding a patient’s personal health information and establishing practice policies and protocols for use of digital health tools, to patient consent and responding to privacy breaches and incidents such as ransomware attacks. A range of bulletins and information on steps to help keep data secure is also available in the OntarioMD “Resource Library.”
Since the adoption of virtual care tools by many physician practices, OntarioMD, together with the Ontario Medical Association, has also developed consent language that can be copied and used in communications with patients before a virtual encounter. If you believe a breach has occurred, OntarioMD IT staff can help assess the threat and can recommend steps to keep your information safe, such as suspending feeds from external digital health assets to your practice if the threat originated from an outside source such as a hospital.
OntarioMD recommends that you and your staff who access provincial digital health assets such as ConnectingOntario ClinicalViewer, Health Report Manager (HRM®), eNotifications, eConsult, and Ontario Laboratories Information System (OLIS) complete the Privacy & Security Training Module once a year to refresh your understanding of the best practices and to learn about new developments.
Digital health care is always evolving, and to help protect you as you navigate the world of virtual care, OntarioMD updates its training to address a broader set of potential issues as more and more physicians go online as part of their practice.
Some practical tips for data protection include:
OMA Cyber Liability Insurance is also available through OMA Insurance as added protection, and the OMA Legal & Governance teams can provide timely assistance and information to members regarding patient data-related queries. Health-care providers are a target because they hold large amounts of confidential and valuable information. OntarioMD invites you to connect with us about our many resources, products and knowledge at firstname.lastname@example.org. OMA Legal support is also available at email@example.com.