Canadian Government … Defending Your Data … (and Your Loonies)
According to the Ponemon Institute, the cost of a data breach in Canada is around $250 per record. The Government has a massive amount of precious data, making the Government and its taxpayers liable for the cost of any breaches of data. This is significant in light of the record number of Government data breaches as well as Alberta Health being cited for failing to provide proper oversight in protecting its data. However, the proposed Health Information Protection Act of 2015, which would amend the Personal Health Information Protection Act, would require increased protection of Healthcare Data.
Breaches are Up ….
Canadians are often required to provide sensitive information to Government Agencies. It is up to these Agencies to protect that information. However, according to the Office of the Information and Privacy Commissioner (“IPC”), the Government had a record 256 data breaches in the year ending March 31st. That was up from 228 breaches reported in the same period the previous year. In one instance, two employees of the Canadian Revenue Agency (“CRA”) improperly accessed several hundred tax accounts over a period of two years. In another, 900 social insurance numbers were stolen from CRA.
Lack of Oversight….
The IPC has indicated that Alberta Health violated the law as it failed to provide the proper oversight of healthcare data that was available via Netcare, the province’s network of databases and systems which forms the provincial EHR. Netcare contains millions of healthcare records that can be accessed electronically by tens of thousands of users. A legally mandated oversight committee had been disbanded two years back. In the last several years, Alberta Health has provided notifications to the IPC about 14 breaches. However, it was found that officials at Covenant Health and the University of Calgary didn’t understand or were not aware of these. Health Minister Hoffman has indicated that they are taking steps to provide governance over health information in Alberta.
The Health Information Protection Act of 2015 (“Bill 119”) emphasizes the need to have well-documented policies and effective systems to protect patient data. The proposed amendment includes:
• Requiring the reporting of privacy breaches;
• Removing the requirement that prosecutions be started within six months of the breach;
• Doubling the maximum fines for offences.
Going even further, the Bill recognizes the fact that there are many components to managing and processing healthcare data. There are third parties and also contractors that have access to this information. In addition to requiring organizations to take steps to ensure that PHI is not accessed or shared without proper authority, the Bill also requires them to take steps to ensure that their agents or third parties are properly controlling healthcare data as well. This will require active oversight and auditing of their agents and third parties.
Saving your Loonies….
Assessing the number of environments that have sensitive data and who has access to them is a critical first step for both governments and private organizations. Too often organizations fail to look at the 80% of all data that is behind the scenes, being used for software development and testing. Managing these environments and making sure that ALL Health Data is protected will limit the potential for accidents or misuse as well as save the government from spending your hard-earned Loonies.
Joe Santangelo
Delphix Corp.
Joseph.Santangelo@delphix.com
+1-646-596-2670
@jisantangelo