On the occasion of Data Privacy Day 2023, our office hosted an event on the theme of Building Trust in Digital Health Care.
Nearly three years of pandemic conditions, overburdened emergency rooms, sparse access to primary care, and an exhausted healthcare workforce have worn the country thin. Ontarians — and Canadians — have spoken their minds and want to see improvements to health care services. Sustaining our publicly funded health care system will require innovative approaches and new digital solutions.
First Ministers are preparing to negotiate a new funding transfer agreement with conditions that will drive fundamental changes to health care delivery — including data sharing. One can feel transformation in the air.
The changes we may see coming out of the new funding agreement will add to the many changes already afoot in Ontario, including the creation of Ontario Health Teams.
To be successful, these changes will require a strong foundation based on public trust, especially trust that health providers will respect patient confidentiality and keep personal health information secure.
Without trust, patients will not be forthcoming about their symptoms or be truthful about following treatment plans. Worse, they may avoid seeking help altogether. They may be hesitant to adopt new digital solutions, participate in research, or allow their personal health information to be shared for broader public health purposes, particularly if they fear that information may be used to stigmatize the community to which they belong.
As the old adage goes, “Trust takes years to build, only seconds to break, and forever to repair.”
The key topics we discussed last Friday — eliminating fax machines, stopping employee snooping, and defending against cyberattacks, while also building a transparent and privacy-respectful culture — are some of the fundamental conditions for earning Trust in Digital Health.
Axe the Fax
According to privacy breach statistics that all health institutions must send to my office annually, misdirected faxes continue to be the leading cause of unauthorized disclosure of personal health information in Ontario.
In 2021, 51% of the unauthorized disclosures reported to the IPC were due to misdirected faxes, mercifully down from 58.5% the year before, but still far too high.
My office recently released a report about the high number of privacy breaches at a regional hospital due to misdirected faxes. This report not only provides important insights for health care providers about the risks of using fax machines, it also shows the significant efforts that can be made to reduce misdirected faxes and the use of fax altogether.
It’s a good news story about how stakeholders can work together to replace faxes with more secure digital forms of communication. Last Friday, we got to hear about that first-hand from Wendy Lawrence, Chief Risk, Legal & Privacy Officer at St. Joseph’s Healthcare Hamilton.
This theme aligns with a joint resolution that my office, along with Canada’s federal, provincial, and territorial privacy commissioners issued last September on Securing Public Trust in Digital Healthcare.
The resolution outlines measures for adoption by governments, health institutions, and providers, including a coordinated plan to phase out fax machines and unencrypted email. It also promotes the adoption of more secure digital technologies and responsible data governance frameworks.
Last Friday, I publicly reiterated our office’s standing offer to work with governments, regulatory colleges, health institutions, providers and others to put an end to fax machines that unnecessarily expose individuals to potentially harmful privacy risks and undermine trust in the system as a whole.
That being said, we recognize that axing the fax is not so easy.
Michael Hillmer from the Ministry of Health explained some of the practical challenges across the sector. This is particularly the case among community health providers, as Ariane Siegel from Ontario MD explained. Sylvie Gaskin from Ontario Health described concrete steps that have been taken so far to move health providers towards more secure and interoperable forms of digital communication, incrementally and over time.
Employee Snooping – AMPs
Another persistent, trust-breaking issue is employees snooping into health records.
Whether out of malice, personal gain, mere curiosity or well-meaning concern about the health of friends and family, snooping through medical records can have devastating consequences for patients, health professionals, and the health care system as a whole.
While the reasons for snooping may vary, the result is the same — it undermines patient trust.
Reports to our office for 2022 reveal that snooping by health care workers accounted for 29% of self-reported health privacy breaches. This is up from 21% the year before, reflecting a disturbing and persistent trend we’ve seen over the past few years.
We need to work together to stamp out snooping once and for all, through awareness training to prevent inappropriate access — however well-meaning — and effective disciplinary measures when not so well-meaning.
To help deter snooping, Ontario’s health privacy law, PHIPA, was amended in 2020 to give my office power to impose administrative monetary penalties (AMPs) on those who seriously breach the law. Michael Hillmer described the policy intent and objectives behind the AMP regime in Ontario.
While we await regulations before administrative penalties can take effect, our panelists discussed how this new enforcement tool can be used most effectively to curb bad behaviour, like snooping, while still encouraging good behaviour.
The health care sector has become familiar with the concept of just culture, which takes a calibrated approach to addressing medical errors.
From time to time, health professionals make mistakes. Nyranne Martin from The Ottawa Hospital explained how a just culture approach uses a spectrum of responses ranging from consoling, coaching, and systemic course correction, with disciplinary action and sanctions reserved for only for the most egregious cases.
Just like medical errors, privacy breaches also range in motivation and severity. Wendy Lawrence described some of the practical interventions that can be taken to curb snooping behaviour, including stepped-up education and accountability mechanisms, to help employees learn from their mistakes, correct them and prevent them from happening again, consistent with a just culture approach.
Our third theme was cyberattacks, which, unfortunately, have become an increasingly dangerous and pervasive threat to the security of personal information in all sectors, including the health sector.
This is part of a rising global trend in cyberattacks worldwide, particularly since the onset of COVID-19, that increasingly target public sector institutions, critical infrastructure, and essential services.
In 2021, the number of health privacy breaches reported to our office due to cyberattacks was double the number in the previous year.
Nyranne Martin and Wendy Lawrence discussed how large institutions not only have to make risk-based investments in technological safeguards but also invest in people by ensuring staff are aware of the threats, how to avoid them and what to do if a breach occurs.
Cyberattacks are particularly daunting for smaller health care organizations that process large volumes of sensitive personal data but lack the financial resources to mount a thorough cyber-proof defence, let alone pay ransoms when they do get hacked by cybercriminals.
Sylvie Gaskin described a recent partnership between Ontario Health and the Ministry of Health to develop operational centres that can assist the smaller players build their cyber resiliency. Ariane Siegel described the practical training Ontario MD offers health practitioners in the community on how to protect themselves in terms of cybersecurity, including questions of insurance.
Many of the technical tips offered by the panelists dovetail well with the IPC’s recently updated fact sheet on protecting against ransomware attacks.
As Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.”
Building a transparent and privacy respectful culture
Finally, the panel concluded with a discussion on how an organization’s transparent and privacy-respectful culture can help build and sustain public trust.
Nyranne Martin discussed how data privacy and security must stay top of mind and be addressed throughout the organization, starting with the board of directors and c-suite executives. Also, privacy and IT security should be integrated cross-functionally and as part of a broader enterprise risk management framework to ensure that risks are mitigated accordingly. She described how staff at all levels of the organization can see their role of protecting patient privacy not only as an obligation but as a mark of pride.
Other panelists discussed the key role education plays in raising awareness about privacy and security issues and instilling a sense of respect for patient privacy as part of organizational culture.
And finally, Michael Hilmer told us how a transparent and privacy-respectful culture is the necessary condition for building trust — the sina qua non — for implementing Ontario’s ambitious plans to future-proof its health care delivery model in a more financially sustainable way.
Modernizing our health care system through transformative digital tools and enhanced data sharing will need appropriate governance structures and processes to sustain that foundation of public trust on which the entire enterprise critically rests.
Just as “trust is the glue of life,” according to author Stephen Covey, trust is the glue that will hold our health care system together in whatever shape it takes so that it’s there, standing solid and ready, to help our loved ones when they need it the most.
If you could not attend our event or watch the webcast, we’ve posted it on our YouTube channel and I encourage you to share it with your friends, colleagues and networks.
This post is also available in: French