Office of the Information & Privacy Commissioner for British Columbia, Sept 2015: “Over the past 10 years, the OIPC has received 200 reports of breaches from across the health authorities. This may sound like a large number but the OIPC estimates that these reports comprise less than one percent of the suspected breaches that have occurred”
Clinicians have professional obligations
According to the College of Physicians and Surgeons of BC, “A physician is legally obligated to maintain a medical record of the care provided, while the doctor-patient relationship requires a patient’s confidence and trust in the management of his/her information, and establishes a burden on the physician to maintain that trust”. (CPSCBC Data Stewardship Framework 2007).
The Canadian Medical Protective Association (CMPA) provides an extensive electronic medical records handbook, with practical tips, including the following: “Since the regulation of eRecords is continually evolving and can be complex, physicians should be familiar with the legislation, regulatory requirements, technological standards, and software options that apply to eRecords. For advice and information, doctors may consult with their colleagues; regulatory authority (College); provincial or territorial privacy regulator; provincial, territorial, or national medical association; and the CMPA.”
According to the College of Dental Surgeons of British Columbia, “Dentists may make and keep electronic records provided certain guidelines are adhered to. Practitioners must also take steps to ensure the reliability of data input and the subsequent accessibility and security of information.” (CDSBC Dental Record Keeping Guidelines April 2013)
Most health care colleges and professional associations across Canada make similar statements, together with broad guidelines on what you must do to meet your obligations to the health care community to protect your patients’ records.
Clinicians have legal obligations
According to the Personal Information Protection Act of British Columbia, (PIPA), the legislation that most private medical and dental clinics must adhere to, “An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.” (Personal Information Protection Act, PIPA, section 34).
Threats to business continuity
Ransomware is on the rise in Canada, and medical clinics and health care organizations are being targeted. It can immediately cut off access to the information needed to treat patients and operate your clinic, with extortionists located anywhere in the world demanding payment before your data is restored. This is an emerging and potentially very serious issue. Click here for steps you can take to help protect yourself.
Clinicians are increasingly using interconnected electronic data systems
The advantages of using EMRs, point-of-care medical devices, and shared access to the health record across teams are tremendous. However, more than ever before, the health care community faces a bewildering array of privacy and data security threats.
“All signs indicate that sophisticated and targeted cyberattacks in the healthcare industry are increasing” (Palo Alto Networks, December 2015)
“In addition to the fact that there were nine times (9x) more breached healthcare records in 2015 compared to 2014, the top six healthcare breaches in 2015 account for over 98 percent of the 112 million total breached records for the year. Each of the top six was caused by an advanced cyberattack. “
“The healthcare industry is more than 200 times more likely to encounter Data Theft and sees 340 percent more security incidents and attacks than the average industry” (Raytheon Industry Drill-Down Report on Healthcare, 2015):
“No other single type of record contains as much personally identifiable information (PII) that can be used in a multitude of different follow-up attacks and various types of fraud.
Health records not only contain vital information on the identity of an individual (name, address, social security) but also often link to financial and insurance information. Access to PII allows an attacker to commit identity fraud, while the financial information can lead to financial exploitation. ”
“Symantec saw a 25 percent increase in the number of healthcare data breaches in 2014” (Symantec Internet Security Threat Report, April 2015)
“Unfortunately, for the most part, the healthcare industry is not prepared to face today’s cybersecurity risks…. There is a thriving underground market for medical information, and criminals are monetizing it in many ways and for many reasons….”
for Patients
- Discrimination, stigmatization, psychological harm
- Loss of trust or confidence in the health care provider
- Loss of confidence in electronic health record
- May deter them from seeking testing or treatment
- May withhold or falsify information
for Clinicians, their staff and contracted providers
- Damage to reputation
- Lost time and expenditure of resources
- Legal liabilities and ensuing proceedings.
- Suspension or termination
- Disciplinary action