Get rid of unencrypted email, fax in health sector, urge Canadian privacy regulators

Share post:

Canadian privacy regulators are urging governments, health sector institutions, and health providers to strengthen the IT networks that support the country’s medical infrastructure.

Following a meeting in Newfoundland this week, privacy commissioners and ombudsmen from the provinces and territories demanded authorities show “concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure.”

Despite rapid digital advancements in the health sector, breaches continue to be caused by the use of insecure communication technologies such as traditional fax machines and unencrypted emails, unauthorized access to health records by employees — often in the form of what the regulators call ‘snooping’ — and cybersecurity attacks, the group said in a resolution released Wednesday.

“To protect and bolster public trust in digital healthcare, action must be taken across Canadian jurisdictions to modernize and protect communications involving personal health information in step with the expanding array of digital means now available to better secure the sharing and use of this highly sensitive information,” they said.

The regulators say new data governance frameworks need to provide reasonable protection for sensitive health information, and that laws and regulations should be amended to provide meaningful penalties for institutions and providers that fail to take the necessary measures to protect health information.

There are now numerous modern and practical alternative ways to facilitate the legal and secure sharing of personal health information, such as encrypted email services, secure patient portals, electronic referrals, electronic prescribing, electronic medical records (EMRs), electronic health records (ERHs), and hospital information systems.

When properly configured with built-in privacy protections and a user-centric design, these technologies can be made more auditable, secure, and resilient against unauthorized access or inadvertent disclosure than either manual or old IT systems, the regulators say.

The resolution notes the expert advisory group for a pan-Canadian health data strategy’s recent report asked for the adoption of a Canadian Health Data Charter. Among other things, the resolution notes, it calls for “security and privacy of health data to maximize benefit and reduce harm.”

The resolution by the regulators comes after the continuing disclosure of successful cyber attacks against Canadian medical-related institutions. In March, security provider Sophos reported two ransomware gangs had separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year. Also last year, the healthcare sector was temporarily crippled in Newfoundland and Labrador after a large cyber attack. In 2020, privacy commissioners in Ontario and B.C. blamed medical laboratory LifeLabs for failing to protect the personal health information of 15 million Canadian residents in a huge 2019 data theft.

The resolution asks federal, provincial and territorial governments to

–develop a strategic plan and provide appropriate supports, funding, or other incentives to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives in a coordinated fashion;

–ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations;

–promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures; and

–amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties where appropriate, for health institutions and providers that do not take reasonable measures necessary to protect personal health information, as well as for individuals who unlawfully collect, use, or disclose personal health information.

Healthcare institutions and providers are urged to design, adopt, and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, the U.S. National Institute of Standards and Technology (NIST), or the Centre for Internet Security (CIS), that provide reasonable safeguards to protect personal health information.

The post Get rid of unencrypted email, fax in health sector, urge Canadian privacy regulators first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL...

This episode reports on a US$10 million reward for a ransomware gang, a new Linux version of a backdoor

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways