Ontario Raises the Stakes for Protected Health Information
The 11-year-old Personal Health Information Protection Act governing Ontario is set to change. Bill 119 was tabled in September in an attempt to strengthen patient privacy in the healthcare industry following the Rouge Valley scandal. The scandal, which saw the theft and sale of 8,000 patients’ private information by a registered nurse, has upped the stakes for any healthcare organization operating in Ontario.
The amendments seek to strengthen the act by requiring mandatory reporting of breaches, loosening the rules around prosecution (lifting limitations on the commencement of actions against privacy violations), and doubling the fines for health-care workers caught snooping.
Canadian Lawyer Magazine wrote that the amendments seek to extend the requirements to report data breaches beyond patients:
“Hospitals, long-term care facilities, and even doctors running their own offices will have to report privacy breaches to their respective medical colleges as well as to the information and privacy commissioner.”
Further amendments lift “a six-month statute of limitations on commencement of actions against privacy violations, a narrow window that left little time for Crown prosecutors to gather proper evidence” and double the fines for privacy violations.
Mary Jane Dykeman, a lawyer at Toronto-based DDO Health Law, said that under the amendments, small private practices will be held to the same standard as hospitals and other large organizations. As a result, it is imperative that doctors and office managers train staff to understand their obligations under the act.
“If I’m a physician in private practice, I’m the custodian. I have all the same duties as the large hospital,” she says. “So I should be sure that I train the people for whom I’m responsible and have proof that I’ve done that. That’s where the focus has to be.”
The Threats Come Fast and Furious
The Fifth Annual Ponemon Institute Benchmark Study on Privacy & Security of Healthcare Data showed that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breaches. Combined with internal breaches – like the Rouge Valley scandal – the threats are coming fast and furious.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said:
“While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number-one cause.”
Some worrying statistics from the Benchmark report: a whopping 91% of healthcare organizations had one data breach, 39% experienced two to five data breaches, and 40% (that’s right, 40%!) had more than five data breaches over the past two years. Even worse, half of all healthcare organizations have little or no confidence in their ability to detect all patient data loss or theft. As a patient, that is terrifying; as a budget owner, it is just as bad – these data breaches are costing the healthcare industry $6 billion annually.
Protecting Against Cyber Threats
Regardless of the source of a data breach, you need to take steps to harden your environment and better defend your networks and applications. Our latest eBook, ‘I’ve Been Breached! Now What?’, offers 7 steps to protect against data breaches, including how to:
- Think beyond the firewall
- Classify and encrypt sensitive data
- Prevent the unauthorized distribution of confidential documents
- Control privileged user access
Download the eBook ‘I’ve Been Breached! Now What?’ now.