1 / 34

PRIVACY With Advancement in Technology and the Introduction of Social Media

PRIVACY With Advancement in Technology and the Introduction of Social Media. HRPA North Bay Chapter November 16, 2010. Marc Bouchard CIO/CPO. Agenda. Who I Am IT & Privacy Evolution of Privacy PHIPA Privacy Trap Privacy and Social Media What You Can Do To Protect Your Organization

nen
Download Presentation

PRIVACY With Advancement in Technology and the Introduction of Social Media

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PRIVACYWith Advancement in Technology and the Introduction of Social Media HRPA North Bay Chapter November 16, 2010 Marc Bouchard CIO/CPO

  2. Agenda • Who I Am • IT & Privacy • Evolution of Privacy • PHIPA • Privacy Trap • Privacy and Social Media • What You Can Do To Protect Your Organization • Review Some Cases

  3. Who I Am • CIO / CPO for NBGH and NEMHC • CIO/ CPO for SAH • MOHLTC/MCSS/MCYS • Chair of NEODIN (60 hospitals) • Privacy • Chair of CIMS (90 agencies) • Privacy from Health Perspectives • NE LHIN Security • Information Sharing Agreement

  4. IT & Privacy Technology has made it easier to share information. The need for Privacy has never been greater: • increasing electronic exchange of information • increased use of technology & portable devices • evolution of Social Media • increased sensitivity around Privacy

  5. Evolution of Privacy • Rules about Privacy have been around for a long time • Professional College • (i.e. Physician, nurse, etc. had rules) • Not always well enforced • no one's to job to enforce/interpret • rules not always very specific • With technology advancements • Greater expectation around privacy

  6. Ontario Privacy Legislation Privacy Health Information Protection Act

  7. PHIPA • In Health Care this led to the introduction of the “Personal Health Information Protection Act” (PHIPA) • PHIPA came into effect November 2004 • Continue to evolve as precedents are established • Still very young legislation • Must show reasonable effort • Must show due diligence

  8. The 10 Principles of Fair Information Practices • Accountability • Identifying purposes • Consent • Limiting Collection • Limiting Use, Disclosures & Retention • Accuracy • Openness • Individual Access • Safeguards • Challenging Compliance

  9. Requirements of PHIPA • Requires consent for the collection, use and disclosure of Personal Health Information (PHI) with limited exceptions • KEPT confidential AND secure • A statement of our practices must be made available to the public • NBGH/NEMHC must establish clear rules for the use and disclosure of PHI for secondary purposes

  10. Requirements of PHIPA • Take reasonable steps to ensure accuracy and security of PHI • Establish remedies for breaches • Must have a contact person to ensure compliance with PHIPA • e.g.. Chief Information Officer & Chief Privacy Officer • Must notify Chief Privacy Officer when there has been or suspected breach- initiate investigation

  11. Requirements of PHIPA • Patients have a right to… • access their own PHI • request correction of their own PHI • instruct the NBGH not to share any part of their PHI with other health care providers • complain to the IPC about NBGH practices pertaining to PHI

  12. Consent • Implied Consent • permits you to conclude from surrounding circumstances that a patient would reasonably agree to the collection, use or disclosure of the patient’s PHI. • Required inside health care context • Express Consent • patients explicitly agree to the collection, use and disclosure of their PHI • Required outside health care context

  13. Consent • Consent is implied for information sharing within the“Circle of Care”on aneed to knowbasis

  14. Circle of Care • Health care providers that provide direct patient care • Other providers who do not work at NBGH and health care institutions to whom a patient may be transferred to • The patient has the right to withdraw consent • for information sharing at any time

  15. “Privacy Trap” • Most breaches committed by someone with good intention • Having access does not give you the right • Cannot make assumptions • Often individual does not realize they are doing anything wrong • Prevent with education

  16. Social Media

  17. Social Media Web Technologies + User Generated Content + Social Interactions = Social Media

  18. Social Media

  19. Social Media (Some Numbers) • More video is uploaded to Youtube.com in 60 days than all 3 major US networks created in 60 years • More than 500 million active users on Facebook.com • 28,751,709,706 Tweets and counting • Mode of communication for new generation

  20. Social Media (The Mobile Connection) • Location based social applications • Status updates and more status updates • Always connected

  21. Social Media (Risk) Everybody brings their own expertise (and risk biases) • Privacy and Security: confidentiality risks • Public Affairs: reputation risks • Human Resources: business and human safety risks • Legal: defamation, intellectual property risks • IT: availability risks

  22. Social Media (Risk) • When presenting risks, always provide a recommended course of action • Without a recommendation, management is just as inclined to think of reasons the risk doesn’t apply to them as they are to think ways of actually addressing the risk

  23. Social Media (Bad News) Social media tends to amplify security risks!

  24. Social Media (Good News) You’re likely already dealing with these risks today, in some manner

  25. Social Media (Security Risk) • Intentional / accidental exposure of confidential information • Introduction of viruses and malware into the corporate network • Exposure of corporate user credentials on external web sites

  26. Social Media (Security Risk)

  27. Best Method to Improve Security

  28. Get Rid of Your Users?

  29. Social Medial (Security Risk) • Technology can’t solve your security problems • Most risks are introduced by people due to: • poor practices • lack of knowledge • poor judgment • making assumptions • Good technical controls are also required

  30. Social Medial (2 Approaches) • Allow Social Media (work with) • this approach is growing • some required for work • way of communication for younger generation • provide guidelines • Social Medial not allowed • corporate equipment is for work only • not allowed during work hours

  31. What You Can Do To Protect Your Organization • Good user practices • training and awareness • enough to be able to say “should have known” • set reasonable expectation • Processes • incident response • system review and assessment • Privacy Impact Assessment (PIA) • Threat Risk Assessment (TRA)

  32. What You Can Do To Protect Your Organization • Good Policies • Acceptable Use Policies (eg. cell phone cameras) • Confidentiality Agreement • Privacy Policies • Portable Device Policies • Due Diligence • Audits + Disclosure (phone, e-mail, etc…) • Technical Controls • anti-malware suite, patching, web filtering / DLP / IPS

  33. Let’s Review Cases • Sending information by fax vs. email • Occupational Health – employee wants access to own record • Discussing case with colleague via Facebook • Accessing family/friend/colleague's medical information

  34. References • Presentation “Managing Risk to Enable Social Media Use in Health Care” by Lyndon Dubeau, Cancer Care Ontario • Presentation “Protecting PHI on Mobile and Portable Devices” by Fred Carter, Information & Privacy Commissioner of Ontario • Personal Health Information Protection Act: The Role of the IPC, Ann Cavoukian, Information and Privacy Commissioner of Ontario

More Related