S1-Episode 10: From the bedside to the board: Building a culture of privacy and security in health institutions.

Patricia Kosseim: Hello. I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and you're listening to Info Matters, a podcast about people, privacy, and access to information. We dive into conversations with people from all walks of life and hear real stories about the access and privacy issues that matter most to them. Hello, listeners. Thank you for joining us today. In this episode of Info Matters, we'll be discussing the responsibilities of large healthcare institutions to protect the personal health information of patients. Personal health information is probably one of the most sensitive types of personal information there is containing the most intimate and personal details about us. Our medical information stays with us for a lifetime, literally. It can affect our job prospects and our insurance coverage. In the wrong hands, it can cause serious harms, including damage to reputation, discrimination, and stigmatization. In order to feel confident about sharing our medical histories with healthcare providers, in order to get a medical diagnosis and proper treatment, we need to be able to trust that they will keep our information secure and confidential, even more so since the pandemic, which has accelerated the adoption of new digital health technologies. In a previous episode of Info Matters, we spoke about the privacy and security responsibilities of healthcare providers operating as sole practitioners or in small group clinics. Today, we shift our focus to large-scale health institutions. For years, hospitals across the province have been investing heavily in the development of electronic health records, patient portals, and digital communications between providers across the province. And as these information systems become more complex, so too must be the means of securing them. The problem of hospital employees snooping through large volumes of electronic health records of their family, neighbors, exes, friends, and enemies made much easier now with a quick and easy click of the button has become a notoriously concerning issue. We are seeing play out before our very eyes the rise in cyber threats against very large healthcare institutions that fall prey to cyber criminals and ransomware attacks that can affect hundreds of thousands of patients and bring an entire healthcare system to a grinding halt. How hospitals protect their electronic health record systems against these rising threats is becoming highly sophisticated, as it should. In this episode, we'll explore how two highly dedicated executives at the Ottawa Hospital, one of Canada's largest academic health sciences centers, are working together hand in hand to protect the privacy of patients. Now, in the interest of full disclosure, I formerly sat on the board of directors of the Ottawa Hospital, but our objective in profiling them in this episode is simply to bring to light the kinds of issues that many hospitals are facing today. My guests are Shafique Shamji, the Ottawa Hospital's executive vice president and chief information officer, and Nyranne Martin, the hospital's general counsel and chief privacy officer. Shafique, Nyranne, welcome to the show. Nyranne Martin: Thank you so much for having us. Shafique Shamji: Thank you very much for having us. PK: Well, thank you both for being here. In terms of corporate culture, we know that privacy and security policies do little good unless the employees are willing to follow them in practice. So what are some of the ways you've encouraged a privacy and security culture at the TOH? NM: Well, thank you again for the invitation to join you today. It's a pleasure to talk about a number of issues, including our privacy culture. I'm fortunate to wear five hats within my portfolio, which includes legal services, risk, privacy, freedom of information, regulatory compliance and governance, all within one. That ensures that I have privacy top of mind and cutting across the various issues that fall to my desk. So what I would say is in our experience a layered approach to policy, process, education, awareness, training has been effective in fostering a culture of privacy protection. And really, that tone starts from the top. So early on in my tenure at the Ottawa Hospital, which is a little over seven years now, what we started to do was to examine where there might be gaps and find a new way to kick off that tone from the top. Actually, we engaged your predecessor, then Commissioner Beamish, to come to the organization and do a high-profile event to talk about the consequences of snooping, to engage with our senior leaders and our frontline staff. And that allowed us to kick off a new focus on the importance of privacy protection. Over time, what we also started to hear was that privacy can be perceived as a barrier to access, to information, to efficient operation. So we found it important then to shift our tone to an era where we kicked off a communication campaign around being proud to protect privacy, so a positive focus on the importance of privacy protection and reminding staff from the C-suite to frontline providers to housekeeping staff of all the things that they do on a day-to-day basis to protect the privacy of their patients. So I would say that culture is formed over time by being responsive, by listening, through governance, through communications, through events, and showing that we are truly and deeply committed to privacy protection. PK: You did point out that you wear several hats as general counsel and chief privacy officer and that in fact helps you weave that culture of privacy right across the organization. One area I'm interested in exploring a little further is your role with respect to enterprise risk management. How do you ensure that privacy and security feature in that enterprise risk management framework and get addressed appropriately? NM: The Ottawa hospital, like many institutions of our size, has an enterprise risk management program. That involves a process by which we identify, mitigate, and report on risk and our risk management efforts. Privacy and security, just because of the nature of our sector, of the importance of personal health information, those two risks always feature very prominently in our approach to enterprise risk management. In addition, I would say as we've started down a path of trying to integrate our risk management efforts across the organization, it also filters one level down at program and project initiative level. Cybersecurity and privacy issues are always top of mind because of the importance and the potential impact that those risks can have on our day-to-day operations and on the sense of public trust in our healthcare institutions. PK: Already a good introduction to how robust a privacy and security governance framework is so essential to a healthcare organization as large scale as yours. Shafique, what would you like to add to that? SS: Thanks, Patricia. I think I agree quite a bit with Nyranne on two fronts. One is because of the methodical and constant recognition and learning that the privacy team has provided through the organization over time. What we found is people are actually more aware, right up to the executives, of the importance of privacy. Cybersecurity, frankly, doesn't need a lot of help to get awareness. It's all over the news, it's all over the media, and it impacts everyone in a large way. What we've learned over time is that they're so integrated, that they always come together. So I'd like to say that Nyranne and I are tied at the hip in some ways and you'll see there's a lot of alignment in our approach to how we address a lot of the cybersecurity and privacy risks for the organization. As a result, they are very prominent in our ERM, enterprise risk management framework. PK: Nyranne, you've been very innovative in how you ensure and monitor compliance at the hospital, including by using artificial intelligence systems to pick up things like erratic patterns of access to electronic health records that may be indicative of snooping behavior. What's that experience been like and how have you been able to use innovative technologies to help you in your compliance role? NM: We know that random audits are rarely productive. Targeted and focused auditing can detect, and through promotion of the tool can deter, snooping, which is a perennial problem in all sectors. Wherever there is opportunity, individuals on rare occasions may take advantage of their access to systems. So I was very fortunate to be able to collaborate with Shafique and his team, very skilled IT professionals, to co-create an innovative auditing and monitoring tool a few years back which allowed us to detect and deter privacy breaches through the use of artificial intelligence. We did quite early on engage the IPC for advice and through consultation to ensure that the way in which we developed that tool would be privacy protective and would've considered all the potential risks and opportunities. We learned that that was very powerful and we leveraged, I think, most importantly, Patricia, our communications and automated messaging through the tool in order to get as much engagement and understanding of the parameters of appropriate uses of personal health information and to ensure that there was appropriate oversight and follow-up wherever there were gaps. What I can say was that that approach allowed us to continue to build a culture of privacy protection as opposed to only pursuing compliance, because what we found from the information that the tool provided to us was that the overwhelming majority of "breaches" were actually circumstances of human error, of unintentional breaches, of gaps in understanding of policy and procedure. As a result of better understanding when those instances occurred, we were able to focus our compliance efforts on the overwhelming majority of the circumstances that applied to us. We also used it as an opportunity to apply our just culture framework which allows us to focus on being a learning institution. So when people make mistakes, we coach them, we correct, we console, and we ensure that we share the learnings with others. There are very rare circumstances where you have malicious, intentional, inappropriate contact and we are always able to act quickly on those instances as well. PK: That's a brilliant example of how innovative technology can actually aid and assist in building a privacy protective environment. You mentioned twice now the integration between privacy and security as part of the enterprise risk management framework, as part of the overarching governance of the organization, and in the collaboration that forged and helped create and introduce this new tool. Now, lots has been written about the need to ensure strong integration between an organization privacy and security functions. How do you and Shafique's teams work together to integrate privacy and security at TOH? NM: The way that privacy and security can work together when they're not integrated under one leader is first of all through the building relationships of trust and collaboration at the senior levels and you embed that within a governance structure. So at our institution, together we work on the privacy and information security steering committee, which is an internal governance structure where we oversee privacy and information security risks, opportunities, and ensure that our teams are aligned in building our programs together. SS: I would totally agree with that. I think that we're actually really lucky at the Ottawa Hospital in that we do have an expert in charge of our privacy and an expert in charge of our technology. The key is really building that trust relationship between those two experts, who are experts in their field, but can also open up and learn from each other and figure out ways to work together so that in the end we're not only protecting the information about our patients and our staff, but at the same time making life easier for all of us, including our patients, to use the health system. And that's a delicate balance because we don't want to lock everything down so it's very difficult for everybody. But at the same time, we don't want to be so open that it's easy for everybody including the bad guys. So I think it's a really good balance where we have very strong controls, very strong technology to protect the information, but at the same time that technology is used in such a way that it's not an impediment to providing care, which is really what we're here for. PK: And when you say that you both work together very closely, I imagine same goes for your teams as well. NM: Absolutely. I think one of the roles that we play at the seniors' leadership level is I like to think of it as translation services. So I translate a little bit from Shafique's technical language to my privacy or regulatory compliance leaders or lawyers and vice versa. So we try to understand what is motivating each of our teams, know that what we're all there to do is to ultimately serve our patients and our community and strengthen our institution, and that when we have technical experts that we have to help one another understand each other's language. SS: You said something earlier about tone at the top. It's amazing what happens when you actually as leaders get along and there's a trust relationship. It emanates throughout the entire organization and your teams pick that up and start working together in a much closer way. So I think the tone does start at the top and it emanates through the organization. PK: Well, you've both been through so much on the front lines of the COVID pandemic in the last year and a half. I just can't imagine what you and your colleagues have been through in recent months. But if we could imagine the glass half full for a moment, have there been, in your view, any silver linings in terms of privacy protection or security enhancements that have resulted from the COVID pandemic. NM: Thank you, Patricia. I think it's been an important exercise throughout the pandemic which has challenged us all in our personal and professional lives to focus on where the opportunities or silver linings have become apparent. The pandemic required instant adoption and rollout or enhancement of tools to facilitate virtual care and remote work. Shafique can speak more to the details of what that required from a technical perspective. But from a privacy and compliance perspective, we had to catch up very quickly to that reality by implementing processes such as privacy guidelines, supports to teams so that they could quickly provide as much care virtually as possible when we had clinical shutdowns to enable those teams to do so in a privacy protective manner and to do that over a period of days, weeks, months, when in "normal" circumstances that would've taken years. So I think that actually because of the amount of virtual work and virtual care that we have had to do, it allowed us to strengthen our technical controls and our administrative controls on a very expedited basis. SS: You're absolutely right. It has been a very difficult time for the entire healthcare system because it's been so overwhelming with the pandemic. But I will say that our approach and our response to the pandemic has truly been powered by technology and all of that hard work and the attention that we paid to methodically build up our systems and our infrastructure in a very solid way paid off in the end during the pandemic. So work at home, virtual care, even simple things like people having access to their test results, for appointments for their vaccinations, and to get tested, all of those results were available in an expeditious way through electronic means. It would've been so much harder had it been all on paper or telephone? The other thing I would say is that there's a lot more awareness about technology and about the importance of security and privacy. So people are aware that even if they are working from home, they have to be really careful about how they access information. So it's really raised the level of awareness in the entire population, frankly, about how important it is to stay vigilant and stay aware of privacy and security issues. From that perspective, those are the silver linings. PK: Now, even pre-pandemic, I think in 2019, your hospital adopted a whole new health information system. Shafique, I know you were largely responsible for the rollout of what was probably one of the largest information transformation projects in the history of the hospital. Can you tell us a little bit about how you planned for such a huge undertaking and what were some of the checks and balances you put in place to ensure successful governance of the project? SS: Yes, it actually was the largest technology project in our history where six organizations came together to put together a single hospital information system that we share. What I will say in terms of the plan is that we relied heavily on those that went before us. So we were not the first to implement a hospital information system. In our case, it was Epic, which is one of the premier systems in the industry. There was a number of people, a number of organizations, both in Canada and the US, that had already done this. So we leaned heavily on our peers to learn from them, to learn about not only how they did it, but what were some of the obstacles that they faced so that we could be prepared and mitigate some of those challenges. The other thing that I would say that we were very proud of is that we actually put the patient at the center of our project. So even though it was a technology project, we were very cognizant about what would this mean for the patient, both from a patient journey perspective through the hospital, which is a very large group of hospitals, that it couldn't be scary and complex when you have to navigate through that system. So our focus was how do we put in technology that will help patients navigate through the health system? Then finally, we wanted to provide access to patient information in an easy and readable way 24 by seven. So that patient portal, we paid a lot of attention to the security component of it, but also the ease of use. Those were the three things. I would probably add a fourth, which was likely the change management. As you can imagine, when we've been doing healthcare in a certain way for a very, very long time, changing that practice is very difficult for some. Frankly, some things are actually easier on paper, and so you have to get very used to doing things in an electronic fashion. After a while you get used to it and you think, "Oh my God! How did I ever do that on paper before?" It's one of the best things that we've done for the hospital and actually set the stage for a lot of the things that we talked about earlier in terms of our virtual visits and our patient portal and those types of attributes and value that it brought to patients in our region. PK: Nyranne, wearing your governance hat, what did you see as some of the key ingredients for building effective privacy and security governance around this project? What did you do to ensure that it stayed on the rails, it built in the necessary features and securities from the very beginning? Basically, how did you ensure a privacy by design approach? NM: Privacy by design was thankfully embedded in the project management, in the project oversight, which contained a risk assurance component, and in the technology itself. So from the very beginning, as an institution, we knew that what we would be seeking would have the best technology available to protect patient privacy. That started from the very beginning of the solution that we considered. It also was incorporated into the way in which the project developed as well as what we call the administrative control. So policies, procedures, education, governance was all with privacy top of mind throughout. Now that we have been up and running for some time with this new information system, that now has just been continued into our operations ensuring that we've got continued effective governance, continued effective risk assurance and oversight, and keeping privacy protection top of mind. PK: You mentioned oversight of the project. How did you ensure privacy and security were top of mind in the oversight of the project plan, everything from conception to development, implementation, et cetera? SS: We had a two-pronged approach to ensuring privacy and security were top of mind. One was that within our governance structure, we actually incorporated a privacy and information security committee that had representation from all stakeholders to ensure that those requirements were embedded as part of the requirements when we were implementing the system. So that committee, which was in fact chaired by Nyranne, fed to our steering committee all of the requirements in terms of the functionality and how patients were going to see the system and how clinicians were going to use the system. And our information security specialists were a big part of that structure. The second prong that we used was we used a third-party risk assurance group that actually looked at all components of the implementation, including the privacy and security. So in the event that we missed anything, this was a third-party oversight committee that was actually reporting directly to our board that would look at all those components and ensure that it was a sober second look from the outside, somebody who's not involved in the project and wants to ensure that patients' information is treated well and is secured properly. PK: So it couldn't have been a bed of roses the whole way through. You must have had a few bumps along the way. Any lessons learned that you can share with our listeners? SS: Just like with any large-scale enterprise transformation, I think we did learn a lot of lessons and we had some bumps along the way. I did mention earlier the change management piece. We learned a lot about how people over time had sort of swayed in the way that they did their work. And it was unintentional. It's just a little bit of movement to the left or movement to the right. When you're putting in an electronic system, there is no sway involved. It has to be done at as per regulation and legislation. So it took a little bit of time, frankly, to remind everybody to stay within guardrails and not take any shortcuts. Not that people were taking shortcuts, but there was that option available. The electronic system, in fact, what it did is it took away those options. So there was a lot of lessons learned on that point. The second point is that I would say that governance is difficult, right? Not every organization is the same and not all of us have the same culture and the same challenges. And scale is very important. We worked with some great community hospitals, which are much more nimble and they're smaller and they make decisions quickly. So one of the learnings was, how can we come together and meet in the middle so that we're not taking so long for decision making and yet we're not making quick decisions without considering all of the long-term impacts. We're very, very happy that we took the time to do that because that effort actually played well in terms of after we did go live, we still have those governance structures in place for decision making. And we're a lot better at it now because we did a lot of that work during the implementation. NM: I think one of the biggest lessons was knowing that it was not an IT project, it was a change management initiative about how clinical operations functions, how we document, how we communicate between providers, how we communicate with our patients, and that technology was enabling that change. Once we got our head around that, I think that was the key path to success. So looking back, I think that was a very important lesson. PK: Shafique, I can't resist the temptation of asking you, as the chief information officer responsible for protecting the hospital against cybersecurity threats, what keeps you up at night? SS: It is in fact cybersecurity that keeps me up at night. It is a potentially devastating thing that could potentially happen to any organization, not just in healthcare. We in healthcare are custodians of people's information and we take that very, very seriously. We know, for example, that the pace of technology is changing and the frequency of cyber attacks is ever increasing. We don't have to look far to see the devastating impact that a cyber attack could take. There's a number of examples, unfortunately in Ontario, and of top of mind obviously what's happening in Newfoundland, which is a horrible situation and my heart goes out to them. But you can see that it can have devastating impacts not only to a personal health information, but also to the healthcare system as a whole. So that does keep me up at night. What helps me sleep, frankly, is three things. One is a fantastic team of experts. I rely on them heavily. They are certified experts that help put in the proper technical controls and technology to keep our systems safe. The second thing is I have a lot of peers in the industry that we work with collaboratively, other CIOs and other CISOs, chief information security officers, throughout the province, where we're all facing the same challenges. So we work together and there's power in numbers that way. Finally, we get a lot of support from the province. I have to say the ministry of health and the ministry of government services have partnered together to help organizations throughout Ontario to work on a standard approach to cybersecurity and security protection. They've been great in terms of providing funding to help us make sure that we're safe and we're keeping our patient information safe. I think that's what helps. I'm very lucky that we've got that and I think that that helps me sleep. PK: Or go back to sleep. SS: Or go back to sleep. That's a good way of putting it. PK: As you both know, my office recently adopted Trust in Digital Health as one of the four key strategic priority areas that will guide and focus our work over the next four years. So as a parting question to both of you, let me ask, what advice would you give our office to help advance trust in digital health in Ontario? NM: We did review that document when it came out with great interest, a fantastic piece of work. I think the IPC plays a really vital role in our ecosystem in its advocacy around legislation and regulation, in its analysis. And us healthcare provider institutions rely heavily on you establishing the guardrails of acceptable conduct and as well as fostering trust by the public in digital health. Technology, especially in the post-pandemic environment, is a critical part of delivery of essential services. And ultimately, that's what we're here to do. So I think that for our part, the modernization of our legislative and regulatory parameters is critical for our continued success and for our continued ability to adopt innovative technology and our continued ability to do the work that healthcare providers do on a day-to-day basis. So to the extent that the IPC can both provide the essential analysis, provide the essential advice to government, and foster confidence by the public in the technological tools that we have, I think that will facilitate the success of all of us. SS: I'd like to echo a little bit of what Nyranne said. Thanks for asking that question. What I've learned by working with you over time is that you really bridge a gap. And the gap is that technology and the pace of technological change is frankly impossible for legislation and regulation to keep up with. So the IPC plays a vital role in bridging that gap between what's happening in the front lines today versus what the legislation had envisioned when it was written many years ago. So I appreciate that you're there. When we did our project many years ago for AI detection and monitoring, you were with us, you worked with us, you took the time to understand the technology, you tried to bridge the gap between the legislation and what was now capable in terms of the technology, which frankly wasn't even envisioned when the legislation was written. So I would say keep playing that role because we need that bridge. Otherwise, we will never progress as much as we can in terms of using technology for good to improve care for patients. I think that's what ultimately we all want, not just technology for the sake of technology, but how can we use it for improving care and improving outcomes for patients. So I would say keep doing what you're doing and keep bridging that gap. PK: Nyranne, Shafique, thank you so much once again for joining me on Info Matters. You've provided valuable insights into some of the administrative, technical, physical, and governance safeguards that large scale health organizations should put in place to protect personal health information of patients. There are so many important lessons to be learned, and you've shared some of those with us today, including lessons about how privacy and security teams need to work well together, how privacy and security risks need to be better integrated as part of an enterprise risk management framework, and how governance of privacy and security must stay top of mind and be addressed in order to ensure that risks are mitigated accordingly. We all need to be able to trust that our personal health information is safe and protected, and this trust must be earned and maintained. For listeners who want to learn more about health privacy, access, and protecting personal information, you can visit our website at ipc.on.ca. You can also contact our office for assistance and general information about Ontario's access and privacy laws. We've come to an end of another episode of Info Matters. Thank you so much for joining us, and until next time. I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and this has been Info Matters. If you enjoyed the podcast, leave us a rating or review. If there's an access or privacy topic you'd like us to explore on a future episode, we'd love to hear from you. Send us a tweet @IPCinfoprivacy, or e-mail us at [email protected]. Thanks for listening and please join us again for more conversations about people, privacy, and access to information. If it matters to you, it matters to me.