Moving Forward on Patient Data Privacy in Manitoba

Aug. 12, 2015
How do patient data privacy issues look at the Canadian provincial level? Christina Von Schindler of the Winnipeg Regional Health Authority shares her perspectives, in advance of the Health IT Summit in Vancouver.

Next month at the Health IT Summit in Vancouver, panelists will discuss a broad range of topics of interest to Canadian and American healthcare and healthcare IT leaders. One of the panels will be “Securing the 21st Century Data Repository: Best Practices for Solidifying Defensive Measures.” The panel will take place on September 17 at the Summit, which is being sponsored by the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics, under the corporate umbrella of our mutual parent corporation, the Vendome Group, LLC).

One of the panelists participating on the privacy/security panel will be Christina Von Schindler, the chief privacy officer of the Winnipeg Regional Health Authority. Von Schindler leads a team of privacy specialists who protect the privacy of patient information. The Winnipeg Regional Health Authority serves residents of the city of Winnipeg as well as the northern community of Churchill, and the rural municipalities of East and West St. Paul, representing a total population of over 700,000. The Region also provides health-care support and specialty referral services to nearly half a million Manitobans who live beyond these boundaries, as well as residents of northwestern Ontario and Nunavut, who often require the services and expertise available within the Region. Von Schindler spoke recently with HCI Editor-in-Chief Mark Hagland. Below are excerpts from that interview.

What are the core elements of your own job?

I’m the chief privacy officer; the crux of my job is ensuring that the region is observing our obligations under applicable law. We have several types of legislation that govern how we manage confidential information including personal health information. In essence, my role is to write policy and procedure that govern those activities for our 28,000 employees with regards to privacy as well as to provide advisement when needed. And that can be quite complicated for an organization as vast as ours.


What are the key challenges you and your colleagues are facing in protecting privacy and security these days?

I imagine that the challenges we face are very similar to those in the U.S. It’s always a balance between ensuring that there is real-time availability of accurate health information to the persons providing patient care, while preventing breaches, whether intentional or inadvertent. It’s always a balancing act in that regard.

Have you had breaches?

Yes, certainly we have had some; they are a fact of life. And a breach can mean a fax ending up at a wrong fax number; it’s also a breach when someone willfully looks at a document they shouldn’t; it’s a breach when a home healthcare worker leaves a file in a car that is stolen.

And it’s a challenge for people to understand the letter of the law, for example, if you have more than one role in the Region, that it’s a breach if you access information while doing your job under one ‘hat’ or role that you have authorization to access under the conditions of your other roles. So in an organization where we have 28,000 folks, many of whom have direct access to data, we need to be available to them to provide guidance and answers.

Do you do trainings for the employees of hospitals in the region?

Yes, we do mandatory training according to the Personal Health Information Act of Manitoba. In Canada, there is federal privacy legislation, but personal health information is the privy of the provinces, though if there is a gap, federal legislation jumps in, but provincial jurisdiction trumps federal jurisdiction. That having been said, the legislation governing these issues is very similar across the different provinces of Canada.

What have your challenges been with the BYOD phenomenon? Everyone has them.

You’re right, everybody has those challenges. And you’ll find that we’re all, across the U.S. and Canada, looking for solutions. And the challenges are that people need to have timely and secure access to the information to do their work, but there really is currently not a single readily available technical solution for providing that security. Therefore to date we have relied predominately on administrative solutions. But this is an active concern, on our priority list of issues to address. We have policies that clearly specify that personal health information is never to be stored on personal electronic devices. Doctors are not to maintain personal health information on their iPhones, for example. We have security controls for personal devices that access our systems and are currently working on strengthening those controls. But we have no ability to audit everyone/everything.

Can you require hospitals to physically securitize personal devices?

Technically, it may be possible; our approved laptops are managed centrally, which means they’re controlled by Manitoba eHealth. My counterpart, Allister Gunson, is chief privacy and risk officer for Manitoba eHealth. These are authority-provided devices. And in broad terms, the information is kept on a secure server, and the hard drive is encrypted and password-protected. It can also be ‘wiped’ remotely. So we don’t have concerns about eHealth-provided laptops. But we had an incident in September, in which a physician had brought in her own laptop, on which she had kept patient information, which is against policy. But there are no alarms that go off when someone brings in their own device and puts sensitive information on that. So you can have the best policies in the world, but they work effectively only if they’re followed.

What kinds of changes, including improvements, might you and your colleagues be working on in the next two years?

We are working to apply a systemic approach. We do need to look at end-user devices. And we are undertaking a regional risk assessment, which will further help guide policies and procedures. The reality is that you can’t just take away people’s tools without giving them something in return. If we decide that owned devices aren’t acceptable, then we need to come up with an alternative, and that will take a while.

What have been the biggest lessons that have been learned across Canada in protecting patient data privacy in the past year or two?

There are several dimensions to this. I am heartened that privacy and breaches of privacy have increasingly been taken seriously. One change that occurred in Manitoba is that the PHIA, the legislative act that governs personal health information, was strengthened to include provisions for unauthorized access, use or disclosure of personal health information by individuals. In other words, not only institutions, but individuals, can now be held personally responsible. Privacy law is not under criminal law but under civil law. Ontario has been at the forefront of recommending the application of significant fines for privacy breaches, but this is a relatively recent development. Privacy breaches are not in the criminal code of Canada; when you breach privacy legislation, you can still be held accountable through a court of law through the imposition of fines. You may also face professional sanctions through your employer or governing body such as may be the case for healthcare professionals.

What advice would you like to offer to healthcare IT leaders at the facility level?

I’m glad you asked me that. Privacy and security are natural bedfellows, but they are distinct in that you can’t have privacy without security, and privacy must inform the goals for security. To give you an example, we have a wealth of data in the digitized world. And the more digitized we become, the more data there is. And we tend to think of data as a single mass. But I joke that privacy is the Jiminy Cricket of data, because it inevitably concerns itself with the rights of the individuals whose information comprises that data. And the privacy laws clearly spell out that personal health information belongs to the individual; the care provider is entrusted with the data. When we lose sight of that, that is how breaches happen.
