Hello everyone,
Given these recent headlines in the media regarding security breaches, such as "Sensitive Calgary Health Region Laptop Stolen" and "Patient data exposed in two separate security breaches - Personal information on more than 45,000 people is at risk," I thought it was important to share a recent incident that happened at UHN, as well as what we learned, and how we can prevent this from happening again.
Just before the holidays, a staff member had his laptop stolen from his home. On the laptop was personal health information. Under the Personal Health Information Protection Act, UHN was required to contact the patients to let them know what had happened and what we were doing to lower the risk of it happening again.
Here are some important tips that will help us protect our patients and ourselves from a security breach:
1. Don't store patient information on your hard drive
Whether you call it your "C" drive, your "Desktop" or "My Documents," UHN's policy is to never store patient information on the hard drive of a computer. This is particularly important in relation to laptops and applies in all settings including Research. When information is stored on the hard drive of a stolen computer, the information has been stolen too. The best way to store confidential documents with patient information is in a network folder.
Be careful with mobile devices, such as PDAs and Blackberries and portable devices too. USB keys and other small devices are easily lost and tempting for targets for theft.
2. If you don't need it, don't take it with you!
Minimize the amount of patient information you carry with you and make sure that you actually need what you're carrying. If you must take your work home with you - strip off the identifiers (this includes MRN).
3. Use strong passwords
Password protect sensitive files and mobile devices with a strong password. Strong passwords have a minimum of 8 characters, upper and lower case letters, numbers and special characters (%, *. @, $). Protect your passwords by NOT writing them down.
4. If something goes wrong, report it, quickly!
As an Ontario hospital, UHN must notify patients as soon as reasonably possible when any identifiable information is lost, stolen or inappropriately accessed. If a device you were carrying is lost or patient privacy is breached in some other way notify your manager and call the Privacy Office.
5. Ignorance isn't bliss
Be sensitive to situations occurring around you that are not privacy friendly, and speak up about them. If you or your department could use a refresher course on Privacy, call the Privacy Office at 14-6937 and get the information you need to be "in the know."
Protecting our patient's privacy is everyone's responsibility - it's patient-centred care and it is the law in Ontario. Stay tuned to the intranet for additional privacy and related security initiatives.
Bob
