Keep the Privacy Genie in the Bottle

February 18, 2020

Synopsis

In a connected world, embedding privacy considerations into your service delivery model from the start becomes critical. Read more in this blog post by MNP’s Hash Qureshi.

In the fall of 2019, cyber criminals hacked into medical testing company LifeLabs and accessed the private information of an estimated 15 million Canadians. A civil lawsuit launched three months later is seeking $1.14 billion in damages.

Earlier that year, three hospitals in Ontario were crippled after being hit by ransomware created by Russian cyber gangsters. A phishing expedition into the Nova Scotia Health Authority compromised 3,000 patient records, and in Alberta, thousands of patient records were laid open after the theft of an unencrypted hard drive.

The average cost of a single U.S.-based data breach in 2019 was US$3.9 million, according to IBM. Healthcare facilities paid double, averaging US$6.45 million per breach.

Those costs don’t include personal liability settlements against directors, officers and even managed IT service providers. The message is clear: it’s not enough to have a firewall. Protecting personal data requires a multi-layered approach that accounts for your current technology, employee awareness, third-party suppliers and privacy legislation.

Built-In Privacy Controls

Healthcare services across Canada have been in place for decades. And while the human condition hasn’t changed, how services are delivered has. The rise of the internet and digital space has irrevocably changed how data is collected and shared, prompting new, innovative ways to meet people’s needs in a cost-effective way.

At the same time, concerns around safeguarding personal data have risen. Social media has broken down many privacy barriers as people share more and more of their lives online, including that most intimate of data, one’s DNA. But most draw the line at sharing healthcare records on the public stage.

Most governments agree that companies, organizations and institutions should secure the privacy of their clients. Canada adopted cyber breach notification regulations in late 2018, levying penalties for failing to alert individuals they may have been impacted by a breach.

If organizations in the healthcare industry, from hospitals to labs to private practices, want to be more cost effective and efficient, embedding privacy considerations into the design of service delivery is the fastest way to be compliant. Rather than building an approach to securing data after the fact, build it into the program from the start.

The bonus of this methodology is repetition: If an organization has its privacy program incorporated in a generic service delivery model, every time they run a new service they can borrow from that general model.

Data, Privacy and Research

While keeping personal data private has been made a priority for institutions and organizations, being able to utilize data for research purposes has also gained prominence. In an era of heated competition for post-secondary dollars, being able to offer abundant, clean data to researchers can be a major selling point for educational institutions.

One Canadian province established a leading practice. MNP, working with the province’s healthcare service, realized it had a wealth of information in its health data holdings. However, before this data could be made available to health researchers, it had to be de-identified to protect personal information, a process that can often muddy the results and impact the quality of the information.

Working with alliance partners, MNP’s Risk Analytics team implemented a system where, by using statistical algorithms to prioritize fields, researchers were able to extract specific data about citizens’ health. The method “perturbed” the data sufficiently to minimize exposure of personal data while preserving the quality and usefulness of what was left.

Privacy Audits

Organizations are used to completing internal and external audits to ensure their financial and operational controls are effective and they are following regulatory standards. The purpose of a privacy audit is similar: to assess how effective and compliant an organization’s privacy programs are.

Not surprisingly, the call to do privacy audits has risen alongside the number and volume of personal data breaches. The importance of this is only increasing as a result of the connectedness of our world. The more connected organizations are and the easier it is to get information through those connections, the more vulnerable they are.

A privacy audit will help determine what personal information your organization is collecting, where it is stored and how it is managed. A privacy auditor will look at who your organization serves, through what services and activities and to what end. The information collected provides a rich analysis of where and how the organization connects with its stakeholders, what opportunities are available and what risks exist.

The risks are critical, because once privacy has been breached, once personal data is made public, from social insurance number to sexual orientation, it’s hard to take back. Moreover, where information is stored on servers indefinitely, providing the ability to access cached information from years ago, it’s hard to put that privacy genie back in the bottle.

Contact Hash Qureshi, CPA, CMA, CRISC, CISA, CISSP, CRMA, P.ENG, MSC, at 613.271.3700 or [email protected]
