SECURITY: 2014
Personal Health Information Protection Act, 2004
this 5 min. course covers:
• changing landscape of electronic health records
• security threats & obligations
• protections for personal health information (PHI)
Connecting GTA – Coming in 2014
• early adoption of cGTA builds on eCare’s success to further strengthen point of care access to electronic patient information
• security: critical factor in whether patients consent to sharing personal health information (PHI) in cGTA
cGTA changes the security landscape
• health care organizations required to reinforce IT security
• planned link (Cerner to cGTA) requires infrastructure incl.:
• active directory accounts for credentialed physicians
• merging Cerner account/active directory account to create “single sign-on” from Cerner to cGTA
• strong passwords, change management
Note: physicians without an active directory account will be notified; Information Services will support the transition
We are in this together …
• patients & families trust we have strong security policies & consistent practices to protect their personal health information (PHI)
Threats to electronic PHI
• weak passwords
• inappropriate chart access
• using another’s login/password
• theft/loss of laptop, unencrypted USB key/removable storage media
• PHI sent by unencrypted e-mail
• texting personal identifiers
Information security practices
physical, technical & administrative
• work together to protect PHI and information systems
Preventatives work
• strong passwords, access & change controls
• network security, secure remote access
• encrypted e-mail between NYGH sites
• training, personal accountability
• confidentiality agreements
• audit trails of access to technical systems
• photo ID
• serious consequences for inappropriate chart access, use or disclosure, up to termination of employment or hospital privileges
Strong login passwords mandatory
• on desktops, laptops, mobile devices & removable storage media – do not share, write down or store on equipment
• STRONG: combination of letters, numbers & symbols, minimum of 8 characters, no dictionary words
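The slide's password rule (letters, numbers and symbols, at least 8 characters, no dictionary words) can be checked mechanically. The script below is an added example for this page, not NYGH's own tooling: the word list and the sample passwords are constructed stand-ins, and a real check would load a full dictionary and a common-password list in place of `DICTIONARY`.

```python
"""Password policy check for the rule on the slide above (added example).

Rule: letters + numbers + symbols, minimum 8 characters, no dictionary words.
DICTIONARY and the sample passwords are constructed for illustration only.
"""
from __future__ import annotations

import string

# Constructed stand-in for a dictionary; load a real word list in practice.
DICTIONARY = {"password", "hospital", "summer", "welcome", "patient", "doctor", "chart"}
MIN_LENGTH = 8
MIN_WORD_LEN = 4  # ignore very short words when scanning for dictionary words


def dictionary_words_in(password: str) -> list[str]:
    """Return dictionary words found inside the password (case-insensitive substring match)."""
    lowered = password.lower()
    return sorted(w for w in DICTIONARY if len(w) >= MIN_WORD_LEN and w in lowered)


def policy_failures(password: str) -> list[str]:
    """Return the rules the password breaks, in slide order; an empty list means it passes."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbols")
    words = dictionary_words_in(password)
    if words:
        failures.append("contains dictionary word(s): " + ", ".join(words))
    return failures


def is_strong(password: str) -> bool:
    """True when the password meets every rule on the slide."""
    return not policy_failures(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Hospital1!", "abcdefgh", "Tq7$k9Lp", "Short1!"]:
        print(f"{pw!r}: {policy_failures(pw) or 'OK'}")
```

Note that "Hospital1!" satisfies the character-class and length rules but still fails, because the dictionary scan is a substring match on the lower-cased password; that is the case the other three rules alone would miss.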
Protect yourself – never share login, password
together they serve as your electronic signature
everything done using it will be attributed to you until proven otherwise
always log off PowerChart
Mobile devices, removable storage media
don’t store PHI on laptops/mobile devices unless encrypted (Information & Privacy Commissioner/Ont.)
encryption protects electronic info if lost/stolen
whole disk encryption: on all NYGH laptops
NYGH computers enforce encryption if you download to a mobile device; the password you choose will decrypt
Encrypting files
Encrypt a copy, not the original file; otherwise you will need the password every time you open it
Word document: click “File” > “Protect Document” > “Encrypt with Password”
PDF: click “File” > “Properties” > “Security”. Select “Password Security” from the “Security Methods” drop-down menu. Check “Require a Password to Open the Document”
Create a strong password and write it down before entering and saving. Send the file and password by separate emails. In the email sending the file, advise that the password will be sent separately.
Secure email
encrypted transmission between NYGH sites (General, Branson, Senior's Health Centre): if intercepted, it cannot be read
without encryption: it's like sending a postcard
Never send personal health or confidential info from or to a personal email account e.g. hotmail, gmail or yahoo - transmission is not encrypted; can be intercepted & read
Working outside NYGH
don't take PHI or confidential info out of hospital unless absolutely necessary
instead, use secure remote access where possible
What you can do
minimize storage of PHI /confidential info on mobile devices, laptops, storage media
back up files to network before leaving
ensure encryption enabled on laptop/mobile device
use secure storage for laptops, mobile devices, removable media, paper records or keep with you at all times
If it doesn’t go as planned… just call me
chief privacy officer
416-756-6448
Security Summary
combine physical, administrative & technical protections
avoid “What’s the risk?” thinking
Encryption protects patients and reputations … still a bargain
Never share login & password
Information & Privacy Commissioner/Ontario (IPC)
Provides oversight of compliance with the Personal Health Information Protection Act. In this role the Commissioner:
• adjudicates access appeals, investigates privacy complaints and may issue public reports
• may enter and inspect premises, records and information management practices, and require evidence under oath or affirmation
• has Order making power; may levy fines of up to $250,000.00
IPC Contact: 416-326-3333 www.ipc.on.ca
Thank you. For more information please contact Rita Reynolds, Chief Privacy Officer at ext. 6448.