The Bruyere Family Medicine Centre in Ottawa has revealed the theft of two computers. The machines were "secured" with password protection. It doesn't look like this "password protection" was attached to something more secure like drive encryption from AlertBoot.
This story, despite being short, is full of notables. For example:
Investigation revealed there was “a high probability” that password-protected patient data for some patients seen between 1971 and July 1, 2006. [ottawasun.com, my emphasis]
That's a heck of a date range. 1971? Either this medical facility went through the pains of digitizing their old, paper-based records, or they used to own a mainframe computer. Incidentally, I'd bet on the latter providing more security, seeing how you can't easily find people who know what to do with a mainframe.
The information lost as a consequence of the computer thefts includes names, dates of birth, addresses, health card numbers, and phone numbers. There was no medical data.
Another notable, a quote:
Times have changed — it’s an electronic age, and we all need to be reminded how to best protect our personal health information. [Bruyere's CEO, Jean Bartkowiak, in ottawasun.com]
Agreed. However, having a data breach is probably not the best way to "remind" oneself of the need for security. I mean, if you need a reminder, just read or watch the news: the stories involving data breaches and loss of personal information are legion. Follow up on medical laws and regulations (Canada passed the Personal Information Protection and Electronic Documents Act, or PIPEDA, a while back).
Equating an "extremely concerning and regretful" incident (Bruyere CEO's words) to a reminder is a bad move (I get the feeling, though, that the CEO may have been quoted out of context).
Obviously, the police are investigating the incident, and the Ontario Information and Privacy Commissioner was alerted. The medical center has also taken measures to improve medical data security: it has implemented encryption software for "clinic computers and secure off-site storage of data." And, perhaps most importantly, it is educating staff about protecting patient information.
The Personal Information Protection and Electronic Documents Act became law in 2000. (Ontario medical entities also have to deal with PHIPA, the Personal Health Information Protection Act, which became law in 2001 and was further extended in 2004. That's a lot of reminders.)
This is what PIPEDA has to say when it comes to safeguarding data:
4.7 Principle 7 — Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.

4.7.3 The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.
Note that the last bit says passwords and encryption, not passwords or encryption. Why is this important? Well, password-protection doesn't really protect data: a login password only gates the operating system, while the bytes on the disk itself stay in the clear for anyone who has physical possession of the machine. Encryption is necessary for safeguarding the data.
(Personally, I feel that the presence of the word "passwords" might mislead people into believing that the use of password-protection is fine, per the law. It'd be the wrong assumption, yes, but some people don't seem to understand that there is a fundamental difference between conjunctions.)
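The difference between a password check and encryption is easiest to see in code. The following is an added illustration, not code from the original post or from AlertBoot: two toy stores hold a constructed patient record (the field list follows the article), and both require a password through their `read()` method. Reading the stored bytes directly, which is what a stolen drive allows, recovers the record from the password-gated store but not from the encrypted one. The cipher is a small standard-library construction (PBKDF2 key derivation, HMAC-SHA256 as a counter-mode keystream generator, HMAC-SHA256 for integrity) chosen so the example runs without third-party packages; it stands in for real full-disk encryption such as BitLocker, FileVault or LUKS and is not a recommendation to roll your own.

```python
"""Added illustration (not from the AlertBoot post): an access-control
password is not the same as encryption for data at rest."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample record, modelled on the field list in the article.
SAMPLE_RECORD = (
    b"name=Jane Example;dob=1970-01-01;"
    b"health_card=0000-000-000-XX;phone=613-555-0100"
)


class PasswordGatedStore:
    """'Password protection': the check lives in code, the bytes stay plaintext."""

    def __init__(self, password: str, data: bytes) -> None:
        # Only a hash of the password is kept, but the data itself is untouched.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.blob = data  # what actually sits on the disk

    def read(self, password: str) -> bytes:
        candidate = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(candidate, self._pw_hash):
            raise PermissionError("bad password")
        return self.blob


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2 -> 64 bytes, split into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedStore:
    """Encryption: the bytes on disk are ciphertext plus an integrity tag."""

    def __init__(self, password: str, data: bytes) -> None:
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        enc_key, mac_key = _derive_keys(password, self.salt)
        stream = _keystream(enc_key, self.nonce, len(data))
        ciphertext = bytes(a ^ b for a, b in zip(data, stream))
        tag = hmac.new(mac_key, self.salt + self.nonce + ciphertext, hashlib.sha256).digest()
        self.blob = ciphertext + tag  # what actually sits on the disk

    def read(self, password: str) -> bytes:
        enc_key, mac_key = _derive_keys(password, self.salt)
        ciphertext, tag = self.blob[:-32], self.blob[-32:]
        expected = hmac.new(mac_key, self.salt + self.nonce + ciphertext, hashlib.sha256).digest()
        # Wrong password -> wrong MAC key -> tag mismatch. Fail closed, no garbage output.
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad password or tampered data")
        stream = _keystream(enc_key, self.nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def raw_disk_contains_record(store) -> bool:
    """Model of the breach in the article: the drive is read directly, bypassing read()."""
    return SAMPLE_RECORD in store.blob


if __name__ == "__main__":
    gated = PasswordGatedStore("clinic-password", SAMPLE_RECORD)
    encrypted = EncryptedStore("clinic-password", SAMPLE_RECORD)
    print("password-gated store, raw disk read recovers record:", raw_disk_contains_record(gated))
    print("encrypted store, raw disk read recovers record:    ", raw_disk_contains_record(encrypted))
```

Both stores answer the same way to a correct password and refuse a wrong one; the only thing that separates them is what is left on the platters, which is exactly the property PIPEDA's "loss or theft" clause cares about.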
Related Articles and Sites:
http://www.phiprivacy.net/?p=5696