Security measures to protect patients’ health information in electronic records


Online security is a growing concern in an increasingly digital world. Without adequate electronic health record (EHR) security measures in place, millions of healthcare records could be left vulnerable to hackers and cyber-attacks.

According to data from a study published in the HIPAA Journal, over 230,954,151 healthcare records were exposed, lost, or stolen in the past decade as a result of cyber-attacks.

With the threat of EHR security breaches growing every year, healthcare providers must take active steps to secure data and protect patient health records.

Section 25 of the National Health Act creates an obligation on persons in charge of health establishments to keep records of every user of their health service. Section 26 of the Act provides that “All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential.”

However, section 26(2) makes an exception to the above confidentiality rule by providing that “Subject to section 27 of this Act, no person may disclose any information contemplated in subsection (1) unless- (a) the user consents to that disclosure in writing; (b) a court order or any law requires that disclosure; (c) in the case of a minor, with the request of a parent or guardian; (d) in the case of a person who is otherwise unable to grant consent upon the request of a guardian or representative; or (e) non-disclosure of the information represents a serious threat to public health.”

A further exception is provided in Section 27 to the effect that “a health worker or any health care provider that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interest of the user.”

Today’s society believes that electronic medical records offer advantages for storing and accessing patient health information, which may improve the management of patient care. However, the features that make electronic records desirable—accessibility, transferability, and portability of patient health information—also present privacy risks.

In keeping with regulatory requirements and policies from the medical regulatory authorities, doctors are required to use appropriate measures to safeguard the privacy of patients’ personal health information.

Use a data sharing agreement to clarify obligations about sharing patient information via electronic medical records. 

The theft or loss of desktops, notebooks, smartphones, tablets, USB keys, or portable hard drives, and the inappropriate disposal or transmission of patient files are among the common sources of privacy breaches. Computers and storage devices can also be compromised.

To reduce the risk of privacy breaches consider the following:

Install encryption software on any devices you use to access or share electronic records, including USB keys and smartphones. Encryption transforms electronic information into a form that is unintelligible, such as a muddled stream of seemingly random symbols. Only those who are authorized to decrypt such information are able to do so. Privacy commissioners across Canada generally promote the use of encryption software, while some jurisdictions, including British Columbia, Ontario, New Brunswick, and Alberta, specifically mandate that personal health information be encrypted when stored electronically on mobile devices.

In addition to the use of encryption software, computers and devices should be appropriately protected using physical and electronic measures. Examples include safeguards such as robust passwords, firewalls, virus protection, and physical security.

Cloud storage allows data to be stored on an off-site server operated by a third party, though information custodians (e.g. physicians and hospitals) remain accountable for the confidentiality of the information.

Consider security and privacy issues before entering into a cloud service agreement. Considerations include restrictions to access, data security, data back-ups, and service reliability.

Be aware of the jurisdiction in which the personal health information will be stored and whether restrictions prevent information from residing on servers outside of Canada.

While responsibility for privacy of medical records maintained by hospitals rests primarily with the institution as the custodian, if you are a staff physician you should be familiar with any obligations you may have under the institution’s policies, access or data sharing agreements, or your role as an agent or affiliate of the institution under privacy legislation.

The Office of the Privacy Commissioner of Canada provides further information on security issues related to cloud computing. Provincial and territorial privacy commissioners may also offer guidance for your jurisdiction.

When computers or other electronic devices are being upgraded or when the applicable retention period for a medical record has been reached, it is important to appropriately transfer or dispose of the information stored on the device. Either transfer the information, physically destroy the hardware, or use data wiping software to permanently and securely delete electronic files.

Avoid selling or giving away electronic storage devices that once contained personal health information.

The sensitive nature of the information contained within electronic health records has prompted the need for advanced security techniques that can address these concerns. It is imperative that these techniques cover the wide range of threats present across the three pillars of healthcare.

Okeke writes from the Centre for Social Justice (CSJ) Nigeria.