privacy with advancement in technology and the introduction of social media n.
Skip this Video
Download Presentation
PRIVACY With Advancement in Technology and the Introduction of Social Media

Loading in 2 Seconds...

play fullscreen
1 / 34

PRIVACY With Advancement in Technology and the Introduction of Social Media - PowerPoint PPT Presentation

  • Uploaded on

PRIVACY With Advancement in Technology and the Introduction of Social Media. HRPA North Bay Chapter November 16, 2010. Marc Bouchard CIO/CPO. Agenda. Who I Am IT & Privacy Evolution of Privacy PHIPA Privacy Trap Privacy and Social Media What You Can Do To Protect Your Organization

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'PRIVACY With Advancement in Technology and the Introduction of Social Media' - nen

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
privacy with advancement in technology and the introduction of social media

PRIVACYWith Advancement in Technology and the Introduction of Social Media

HRPA North Bay Chapter

November 16, 2010

Marc Bouchard


  • Who I Am
  • IT & Privacy
  • Evolution of Privacy
  • Privacy Trap
  • Privacy and Social Media
  • What You Can Do To Protect Your Organization
  • Review Some Cases
who i am
Who I Am
  • CIO / CPO for NBGH and NEMHC
  • CIO/ CPO for SAH
  • Chair of NEODIN (60 hospitals)
    • Privacy
  • Chair of CIMS (90 agencies)
  • Privacy from Health Perspectives
  • NE LHIN Security
  • Information Sharing Agreement
it privacy
IT & Privacy

Technology has made it easier to share information.

The need for Privacy has never been greater:

  • increasing electronic exchange of information
  • increased use of technology & portable devices
  • evolution of Social Media
  • increased sensitivity around Privacy
evolution of privacy
Evolution of Privacy
  • Rules about Privacy have been around for a long time
  • Professional College
    • (i.e. Physician, nurse, etc. had rules)
  • Not always well enforced
    • no one's to job to enforce/interpret
    • rules not always very specific
  • With technology advancements
  • Greater expectation around privacy
ontario privacy legislation
Ontario Privacy Legislation






  • In Health Care this led to the introduction of the “Personal Health Information Protection Act” (PHIPA)
  • PHIPA came into effect November 2004
  • Continue to evolve as precedents are established
  • Still very young legislation
  • Must show reasonable effort
  • Must show due diligence

The 10 Principles of Fair Information Practices

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosures & Retention
  • Accuracy
  • Openness
  • Individual Access
  • Safeguards
  • Challenging Compliance

Requirements of PHIPA

  • Requires consent for the collection, use and disclosure of Personal Health Information (PHI) with limited exceptions
  • KEPT confidential AND secure
  • A statement of our practices must be made available to the public
  • NBGH/NEMHC must establish clear rules for the use and disclosure of PHI for secondary purposes

Requirements of PHIPA

  • Take reasonable steps to ensure accuracy and security of PHI
  • Establish remedies for breaches
  • Must have a contact person to ensure compliance with PHIPA
  • e.g.. Chief Information Officer & Chief Privacy Officer
  • Must notify Chief Privacy Officer when there has been or suspected breach- initiate investigation

Requirements of PHIPA

  • Patients have a right to…
  • access their own PHI
  • request correction of their own PHI
  • instruct the NBGH not to share any part of their PHI with other health care providers
  • complain to the IPC about NBGH practices pertaining to PHI


  • Implied Consent
  • permits you to conclude from surrounding circumstances that a patient would reasonably agree to the collection, use or disclosure of the patient’s PHI.
    • Required inside health care context
  • Express Consent
  • patients explicitly agree to the collection, use and disclosure of their PHI
    • Required outside health care context


  • Consent is implied for information sharing within the“Circle of Care”on aneed to knowbasis

Circle of Care

  • Health care providers that provide direct patient care
  • Other providers who do not work at NBGH and health care institutions to whom a patient may be transferred to
  • The patient has the right to withdraw consent
  • for information sharing at any time
privacy trap
“Privacy Trap”
  • Most breaches committed by someone with good intention
  • Having access does not give you the right
  • Cannot make assumptions
  • Often individual does not realize they are doing anything wrong
  • Prevent with education
social media1
Social Media

Web Technologies


User Generated Content


Social Interactions


Social Media

social media some numbers
Social Media (Some Numbers)
  • More video is uploaded to in 60 days than all 3 major US networks created in 60 years
  • More than 500 million active users on
  • 28,751,709,706 Tweets and counting
  • Mode of communication for new generation
social media the mobile connection
Social Media (The Mobile Connection)
  • Location based social applications
  • Status updates and more status updates
  • Always connected
social media risk
Social Media (Risk)

Everybody brings their own expertise (and risk biases)

  • Privacy and Security: confidentiality risks
  • Public Affairs: reputation risks
  • Human Resources: business and human safety risks
  • Legal: defamation, intellectual property risks
  • IT: availability risks
social media risk1
Social Media (Risk)
  • When presenting risks, always provide a recommended course of action
  • Without a recommendation, management is just as inclined to think of reasons the risk doesn’t apply to them as they are to think ways of actually addressing the risk
social media bad news
Social Media (Bad News)

Social media tends to amplify security risks!

social media good news
Social Media (Good News)

You’re likely already dealing with these risks today, in some manner

social media security risk
Social Media (Security Risk)
  • Intentional / accidental exposure of confidential information
  • Introduction of viruses and malware into the corporate network
  • Exposure of corporate user credentials on external web sites
social medial security risk
Social Medial (Security Risk)
  • Technology can’t solve your security problems
  • Most risks are introduced by people due to:
    • poor practices
    • lack of knowledge
    • poor judgment
    • making assumptions
  • Good technical controls are also required
social medial 2 approaches
Social Medial (2 Approaches)
  • Allow Social Media (work with)
    • this approach is growing
    • some required for work
    • way of communication for younger generation
    • provide guidelines
  • Social Medial not allowed
    • corporate equipment is for work only
    • not allowed during work hours
what you can do to protect your organization
What You Can Do To Protect Your Organization
  • Good user practices
    • training and awareness
    • enough to be able to say “should have known”
    • set reasonable expectation
  • Processes
    • incident response
    • system review and assessment
    • Privacy Impact Assessment (PIA)
    • Threat Risk Assessment (TRA)
what you can do to protect your organization1
What You Can Do To Protect Your Organization
  • Good Policies
    • Acceptable Use Policies (eg. cell phone cameras)
    • Confidentiality Agreement
    • Privacy Policies
    • Portable Device Policies
  • Due Diligence
  • Audits + Disclosure (phone, e-mail, etc…)
  • Technical Controls
    • anti-malware suite, patching, web filtering / DLP / IPS

Let’s Review Cases

  • Sending information by fax vs. email
  • Occupational Health – employee wants access to own record
  • Discussing case with colleague via Facebook
  • Accessing family/friend/colleague's medical information
  • Presentation “Managing Risk to Enable Social Media Use in Health Care” by Lyndon Dubeau, Cancer Care Ontario
  • Presentation “Protecting PHI on Mobile and Portable Devices” by Fred Carter, Information & Privacy Commissioner of Ontario
  • Personal Health Information Protection Act: The Role of the IPC, Ann Cavoukian, Information and Privacy Commissioner of Ontario