Hi everyone,
Protecting an individual's personal information against fraud and theft continues to be a serious problem facing banks, retailers and of course, hospitals. Early this year, a laptop that was taken offsite by a Hospital for Sick Children researcher was stolen. The laptop contained the personal health information (PHI) of 2,900 patients (listing names, medical conditions). A number of the patients were UHN patients. This was not an isolated incident, but rather just another example reminding us how patient information can be compromised. As recent as last December, UHN experienced it's own privacy breach when a staff member's laptop containing patient information was stolen from his home.
Yesterday, Ontario's Information and Privacy Commissioner (IPC) Ann Cavoukian called on health information custodians, including hospitals, to enhance their privacy practices and policies under thePersonal Health Information Protection Act (PHIPA). In her report, she outlines the following measures:
- Prohibiting, to the extent possible, the removal of PHI from hospital or encrypting (obscuring information to make it unreadable without special knowledge) where electronic;
- Introducing endpoint electronic devices policy for desktop and portable devices mandating storage on secure servers or encryption;
- Designating the IT department to be responsible for ensuring appropriate software is installed and sufficient training provided;
- Establishing a comprehensive remote access policy as alternative to laptop use;
- Creating a privacy breach protocol;
- Providing regular, ongoing training for staff, researchers and clinicians with detailed instructions for securing PHI;
- Reviewing and revising research protocols and applications to comply with the provisions of the Act.
So what does this mean for UHN? It means taking a good, hard look at our current privacy policies and practices to identify any potential gaps. Overall, IPC's recommendations are consistent with UHN's policies so we're in a good position to strengthen our approach. SIMS, working closely with the Research Ethics Board and the Research IT department, will be leading a number of initiatives to protect against security breaches:
- To safeguard against unauthorized access to PHI, SIMS will be purchasing encryption tools to support the use of computing devices outside of the hospital. UHN's policy is to never to store personal health information on the hard drive of a computer, laptop or remote computing device (ex blackberries). Until we've implemented the encryption software, staff are reminded to save sensitive information on a network folder. If the device is stolen, then the sensitive information is also stolen. We also urge staff against installing their own encryption software to ensure a consistent level of protection for all UHN computer devices.
- If your device gets stolen or patient information is compromised, it's your responsibility to immediately report it to the Privacy Office by calling 14-6937. In June, we will be introducing a new e-Form to make reporting breaches fast and easy.
- UHN has hired a dedicated Information Security Officer who will work closely with the Privacy Office to raise awareness and educate staff on how to store information safely.
- Finally, computers can also get stolen at work and we've had a number of recent laptop thefts. So if you have a laptop that sits on a docking station, it's your responsibility to get a laptop lock cable cord by completing a "Computer Hardware" form on the intranet.
All of these steps, including the other measures recommended by the IPC will be implemented by June 15, 2007. For more helpful tips, I encourage you to read an earlier Straight Talk, "Help Protect Privacy at UHN."
Thanks everyone for making privacy and security a priority at UHN.
Bob
