Tomorrow, your desktop will turn red and it will remain that colour throughout the week to remind everyone that we are in the process of encrypting all UHN devices.
I know that many of you are concerned about your ability to use UHN's systems and ensure that you can take material outside UHN and have it available when you need it. So – I've got a few suggestions below. What I do want to emphasize – that UHN has no choice in this matter, given the force of law behind the Privacy Commissioner's Order. The fines for ignoring the order are up to $250,000 for the organization and up to $50,000 as a personal fine for any individual who loses PHI. For the organization, this means that we must do everything we can to prevent the possibility of further 'human error' loses. I know that this will be inconvenient for a time, but we will do everything we can to solve the difficulties. Some initial thoughts:
- Explore the possibility of purchasing a hardware encrypted USB key. These keys are encrypted and don't require additional software to access files stored on them. They open with a scan of your thumbprint. SIMS is working to get a supply of these keys at very low cost.
- Before you travel with a presentation, ensure that the place you're going has downloaded the WinMagic software www.uhn.ca/corporate/For_Staff/Pages/winmagic_viewer.aspx necessary so that you can open your file when you arrive or use the file portal to send the presentation in advance. This will certainly work with a PC system and the work is being done now to find a solution for Macs.
- Please be aware that the Commissioner has already ruled and ordered that MRN #s are considered identifying and that a loss of a list with MRN #s would require notification.
- You should be aware that the University of Toronto e-mail system is not a secured system so you should not be using your email at U of T to transmit anything that has patient health information between sites or between your office and other hospitals. If you are transmitting PHI, you should not be using your U of T mailing address. SIMS is looking at how the Global Address book is organized to make it easier to tell whether an email address is secure to reduce the possibility of 'human error' in the transmission of PHI.
As we begin to move through this process, we will run into some issues. Some we have solutions for and others we are on top of and looking into. Some of the potential issues we do have answers for are:
Impacted Devices
Do not plug these devices in or try to encrypt them as this may damage the device. All hospital-issued Smartphone's have been automatically encrypted. If a user has a personal or purchased Smartphone, they are asked not to set up Outlook (email) to open on the device and not store electronic documents containing PHI on the device unless it is encrypted. Users are asked to check their owner manuals or check with their technical support provider to determine if encryption software is installed. It is important to note here that you should not use the WinMagic software to encrypt a Smartphone - it may damage the device.
CD's and DVD'S
If burning CDs/DVDs for external parties is a critical business function, users are asked to please email encryption@uhn.ca. A process to assess these requirements is under development, considering the functions impacting clinical care as a priority.
External Hard Drives
If a user has an external hard drive, they are asked to please email encryption@uhn.ca to have it encrypted by a tech.
We will continue to keep you informed on updates to these issues. In the meantime, you can find a great deal of information on the Intranet homepage as well as more information on Town Halls that will be held at all of the sites. I'd ask that you all take a moment to read through this as it will affect all of us here at UHN. If you have additional questions, please send them to encryption@uhn.ca.
Thank you,
Bob
