Keep the Privacy Genie in the Bottle

In the fall of 2019, cyber criminals hacked into medical testing company LifeLabs and accessed the private information of an estimated 15 million Canadians. A civil lawsuit launched three months later is seeking $1.14 billion in damages.

Earlier that year, three hospitals in Ontario were crippled after being hit by ransomware created by Russian cyber gangsters. A phishing expedition into the Nova Scotia Health Authority compromised 3,000 patient records, and in Alberta, thousands of patient data were laid open after the theft of an unencrypted hard drive.

The average cost of a single U.S.-based data breach in 2019 was US$3.9 million, according to IBM. Healthcare facilities paid double, averaging US$6.45 million per breach.

Those costs don’t include personal liability settlements against directors, officers and even managed IT service providers. The message is clear: it’s not enough to have a firewall. Protecting personal data requires a multi-layered approach that accounts for your current technology, employee awareness, third-party suppliers and privacy legislation.

Built-In Privacy Controls

Healthcare services across Canada have been in place for decades. And while the human condition hasn’t changed, how services are delivered has. The rise of the internet and digital space has irrevocably changed how data is collected and shared, prompting new, innovative ways to meet peoples’ needs in a cost-effective way.

At the same time, concerns around safeguarding personal data have risen. Social media has broken down many privacy barriers as people share more and more of their lives online, including that most intimate of data, one’s DNA. But most draw the line at sharing healthcare records on the public stage.

Most government agree companies, organizations and institutions should secure the privacy of their clients. Canada adopted cyber breach notification regulations in late 2018, levying penalties for failing to alert individuals they may have been impacted by a breach.

If organizations in the healthcare industry, from hospitals to labs to private practices, want to be more cost effective and efficient, embedding privacy considerations into the design of a service delivery is the fastest way to be compliant. Rather than building an approach to securing data after the fact, build it into the program from the start.

The bonus of this methodology is repetition: If an organization has its privacy program incorporated in a generic service delivery model, every time they run a new service they can borrow from that general model.

Data, Privacy and Research

While keeping personal data private has been made a priority for institutions and organizations, being able to utilize data for research purposes has also gained prominence. In an era of heated competition for post-secondary dollars, being able to offer abundant, clean data to researchers can be a major selling point for educational institutions.

One Canadian province established a leading practice and MNP, working with its healthcare service, realized it had a wealth of information in their health data holding. However, prior to making this data available to health researchers, the data had to be de-identified to protect personal information, a process which often can muddy the results and impact the quality of the information.

Working with alliance partners, MNP’s Risk Analytics team implemented a system where, by using statistical algorithms to prioritize fields, researchers were able to extract specific data about citizens’ health. The method “perturbed” the data sufficiently to minimize exposure of personal data while preserving the quality and usefulness of what was left.

Privacy Audits

Organizations are used to completing internal and external audits to ensure their financial and operational controls are effective and they are following regulatory standards. The purpose of a privacy audit is similar: to assess how effective and compliant an organization’s privacy programs are.

Not surprisingly, the call to do privacy audits has risen alongside the number and volume of personal data breaches. The importance of this is only increasing as a result of the connectedness of our world. The more connected organizations are and the easier it is to get information through those connections, the more vulnerable they are.

A privacy audit will help determine what personal information your organization is collecting, where it is stored and how is it managed. A privacy auditor will look at who your organization serves, through what services and activities and to what end. The information collected provides a rich analysis of where and how the organization connects with its stakeholders, what opportunities are available and what risks exist.

The risks are critical. Because once privacy has been breached, once personal data is made public, from social insurance number to sexual orientation, it’s hard to take back. Moreover, where information is stored on servers indefinitely, providing the ability to access cached information from years ago, it’s hard to put that privacy genie back in the bottle.

Contact Hash Qureshi, CPA, CMA, CRISC, CISA, CISSP, CRMA, P.ENG, MSC, at 613.271.3700 or [email protected]