Get rid of unencrypted email, fax in health sector, urge Canadian privacy regulators

Share post:

Canadian privacy regulators are urging governments, health sector institutions, and health providers to strengthen the IT networks that support the country’s medical infrastructure.

Following a meeting in Newfoundland this week, privacy commissioners and ombudsmen from the provinces and territories demanded authorities show “concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure.”

Despite rapid digital advancements in the health sector, breaches continue to be caused by the use of insecure communication technologies such as traditional fax machines and unencrypted emails, unauthorized access to health records by employees — often in the form of what the regulators call ‘snooping’ — and cybersecurity attacks, the group said in a resolution released Wednesday.

“To protect and bolster public trust in digital healthcare, action must be taken across Canadian jurisdictions to modernize and protect communications involving personal health information in step with the expanding array of digital means now available to better secure the sharing and use of this highly sensitive information,” they said.

The regulators say new data governance frameworks need to provide reasonable protection for sensitive health information, and that laws and regulations should be amended to provide meaningful penalties for institutions and providers that fail to take the necessary measures to protect health information.

There are now numerous modern and practical alternative ways to facilitate the legal and secure sharing of personal health information, such as encrypted email services, secure patient portals, electronic referrals, electronic prescribing, electronic medical records (EMRs), electronic health records (ERHs), and hospital information systems.

When properly configured with built-in privacy protections and a user-centric design, these technologies can be made more auditable, secure, and resilient against unauthorized access or inadvertent disclosure than either manual or old IT systems, the regulators say.

The resolution notes the expert advisory group for a pan-Canadian health data strategy’s recent report asked for the adoption of a Canadian Health Data Charter. Among other things, the resolution notes, it calls for “security and privacy of health data to maximize benefit and reduce harm.”

The resolution by the regulators comes after the continuing disclosure of successful cyber attacks against Canadian medical-related institutions. In March, security provider Sophos reported two ransomware gangs had separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year. Also last year, the healthcare sector was temporarily crippled in Newfoundland and Labrador after a large cyber attack. In 2020, privacy commissioners in Ontario and B.C. blamed medical laboratory LifeLabs for failing to protect the personal health information of 15 million Canadian residents in a huge 2019 data theft.

The resolution asks federal, provincial and territorial governments to

–develop a strategic plan and provide appropriate supports, funding, or other incentives to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives in a coordinated fashion;

–ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations;

–promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures; and

–amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties where appropriate, for health institutions and providers that do not take reasonable measures necessary to protect personal health information, as well as for individuals who unlawfully collect, use, or disclose personal health information.

Healthcare institutions and providers are urged to design, adopt, and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, the U.S. National Institute of Standards and Technology (NIST), or the Centre for Internet Security (CIS), that provide reasonable safeguards to protect personal health information.

The post Get rid of unencrypted email, fax in health sector, urge Canadian privacy regulators first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways