340 likes | 600 Views
PRIVACY With Advancement in Technology and the Introduction of Social Media. HRPA North Bay Chapter November 16, 2010. Marc Bouchard CIO/CPO. Agenda. Who I Am IT & Privacy Evolution of Privacy PHIPA Privacy Trap Privacy and Social Media What You Can Do To Protect Your Organization
E N D
PRIVACYWith Advancement in Technology and the Introduction of Social Media HRPA North Bay Chapter November 16, 2010 Marc Bouchard CIO/CPO
Agenda • Who I Am • IT & Privacy • Evolution of Privacy • PHIPA • Privacy Trap • Privacy and Social Media • What You Can Do To Protect Your Organization • Review Some Cases
Who I Am • CIO / CPO for NBGH and NEMHC • CIO/ CPO for SAH • MOHLTC/MCSS/MCYS • Chair of NEODIN (60 hospitals) • Privacy • Chair of CIMS (90 agencies) • Privacy from Health Perspectives • NE LHIN Security • Information Sharing Agreement
IT & Privacy Technology has made it easier to share information. The need for Privacy has never been greater: • increasing electronic exchange of information • increased use of technology & portable devices • evolution of Social Media • increased sensitivity around Privacy
Evolution of Privacy • Rules about Privacy have been around for a long time • Professional College • (i.e. Physician, nurse, etc. had rules) • Not always well enforced • no one's to job to enforce/interpret • rules not always very specific • With technology advancements • Greater expectation around privacy
Ontario Privacy Legislation Privacy Health Information Protection Act
PHIPA • In Health Care this led to the introduction of the “Personal Health Information Protection Act” (PHIPA) • PHIPA came into effect November 2004 • Continue to evolve as precedents are established • Still very young legislation • Must show reasonable effort • Must show due diligence
The 10 Principles of Fair Information Practices • Accountability • Identifying purposes • Consent • Limiting Collection • Limiting Use, Disclosures & Retention • Accuracy • Openness • Individual Access • Safeguards • Challenging Compliance
Requirements of PHIPA • Requires consent for the collection, use and disclosure of Personal Health Information (PHI) with limited exceptions • KEPT confidential AND secure • A statement of our practices must be made available to the public • NBGH/NEMHC must establish clear rules for the use and disclosure of PHI for secondary purposes
Requirements of PHIPA • Take reasonable steps to ensure accuracy and security of PHI • Establish remedies for breaches • Must have a contact person to ensure compliance with PHIPA • e.g.. Chief Information Officer & Chief Privacy Officer • Must notify Chief Privacy Officer when there has been or suspected breach- initiate investigation
Requirements of PHIPA • Patients have a right to… • access their own PHI • request correction of their own PHI • instruct the NBGH not to share any part of their PHI with other health care providers • complain to the IPC about NBGH practices pertaining to PHI
Consent • Implied Consent • permits you to conclude from surrounding circumstances that a patient would reasonably agree to the collection, use or disclosure of the patient’s PHI. • Required inside health care context • Express Consent • patients explicitly agree to the collection, use and disclosure of their PHI • Required outside health care context
Consent • Consent is implied for information sharing within the“Circle of Care”on aneed to knowbasis
Circle of Care • Health care providers that provide direct patient care • Other providers who do not work at NBGH and health care institutions to whom a patient may be transferred to • The patient has the right to withdraw consent • for information sharing at any time
“Privacy Trap” • Most breaches committed by someone with good intention • Having access does not give you the right • Cannot make assumptions • Often individual does not realize they are doing anything wrong • Prevent with education
Social Media Web Technologies + User Generated Content + Social Interactions = Social Media
Social Media (Some Numbers) • More video is uploaded to Youtube.com in 60 days than all 3 major US networks created in 60 years • More than 500 million active users on Facebook.com • 28,751,709,706 Tweets and counting • Mode of communication for new generation
Social Media (The Mobile Connection) • Location based social applications • Status updates and more status updates • Always connected
Social Media (Risk) Everybody brings their own expertise (and risk biases) • Privacy and Security: confidentiality risks • Public Affairs: reputation risks • Human Resources: business and human safety risks • Legal: defamation, intellectual property risks • IT: availability risks
Social Media (Risk) • When presenting risks, always provide a recommended course of action • Without a recommendation, management is just as inclined to think of reasons the risk doesn’t apply to them as they are to think ways of actually addressing the risk
Social Media (Bad News) Social media tends to amplify security risks!
Social Media (Good News) You’re likely already dealing with these risks today, in some manner
Social Media (Security Risk) • Intentional / accidental exposure of confidential information • Introduction of viruses and malware into the corporate network • Exposure of corporate user credentials on external web sites
Social Medial (Security Risk) • Technology can’t solve your security problems • Most risks are introduced by people due to: • poor practices • lack of knowledge • poor judgment • making assumptions • Good technical controls are also required
Social Medial (2 Approaches) • Allow Social Media (work with) • this approach is growing • some required for work • way of communication for younger generation • provide guidelines • Social Medial not allowed • corporate equipment is for work only • not allowed during work hours
What You Can Do To Protect Your Organization • Good user practices • training and awareness • enough to be able to say “should have known” • set reasonable expectation • Processes • incident response • system review and assessment • Privacy Impact Assessment (PIA) • Threat Risk Assessment (TRA)
What You Can Do To Protect Your Organization • Good Policies • Acceptable Use Policies (eg. cell phone cameras) • Confidentiality Agreement • Privacy Policies • Portable Device Policies • Due Diligence • Audits + Disclosure (phone, e-mail, etc…) • Technical Controls • anti-malware suite, patching, web filtering / DLP / IPS
Let’s Review Cases • Sending information by fax vs. email • Occupational Health – employee wants access to own record • Discussing case with colleague via Facebook • Accessing family/friend/colleague's medical information
References • Presentation “Managing Risk to Enable Social Media Use in Health Care” by Lyndon Dubeau, Cancer Care Ontario • Presentation “Protecting PHI on Mobile and Portable Devices” by Fred Carter, Information & Privacy Commissioner of Ontario • Personal Health Information Protection Act: The Role of the IPC, Ann Cavoukian, Information and Privacy Commissioner of Ontario