Cyber Security and Privacy Breaches
As custodians of personal health information (PHI), healthcare organizations and regulated health professionals acting as health information custodians (HICs) have a legal duty to ensure that PHI is kept private and is protected against unauthorized access, use, disclosure, duplication, modification, removal or disposal. The consequences of a privacy breach can be far-reaching, including lawsuits, provincial or territorial privacy commissioner investigations, reputational damage and financial losses. Cyber security breaches can lead to privacy breaches as well as to loss of access to critical information and clinical systems, which may in turn create patient safety issues.
Expected Outcomes
Implement formal strategies to protect the organization’s / HIC’s PHI and other sensitive data and information technology systems and / or infrastructure.
Implement a standardized, industry standard and legislation compliant privacy and cyber security program/practices.
Incorporate learnings from internal privacy and cyber security metrics and key performance indicators, as well as from local, provincial and national cyber security incidents and data, into local protocols and staff training.
Definitions and Acronyms
Assets (of the organization / HIC) – includes portable and mobile end-user devices, data and information collected, applications and software used by the organization / practitioners, and systems, networks and hardware that support the organization’s / HIC’s information technology infrastructure
Client – includes all persons who receive healthcare and related services including patients, residents and persons in-care
Cross-site scripting attack – the attacker injects malicious script into a trusted website or web application so that it executes in the browsers of the users who visit it, typically to steal session tokens or credentials or to alter what the page displays
Cyberattack – a deliberate attempt by a third party to gain unauthorized access to, disrupt or damage an organization's systems or data; often involves malicious software (e.g., ransomware that encrypts sensitive data); broader than a data or privacy breach, since not every cyberattack results in a breach of confidential information
Cyber incident response plan – a formal written plan that directs how the organization is to respond to a cyberattack; plans are often organized into phases: preparation (cyber resilience); detection and analysis; containment, eradication and recovery (response); and post-incident review (what went well; what can be improved upon)
Cyber resilience – the ability of an organization to continue operating through, respond to and recover from the effects of a cyberattack. An effective cyber resilience strategy relies on several operational activities: business continuity (BC), disaster recovery (DR), incident response and cyber security plans
Healthcare organization – organizations engaged in providing, financing, improving, supervising, evaluating or other healthcare-related activity
HIC – health information custodian; HICs are typically institutions, facilities and regulated health professionals in private practice (e.g., registered dietitians in private practice, optometry clinics, midwifery practice groups)
Malware – software specifically designed to disrupt, damage or gain unauthorized access to a computer system
Patch management – the process of identifying, acquiring, testing and installing vendor-issued updates that fix security vulnerabilities, errors (bugs) and performance issues, while keeping the software current
PHI – personal health information, as defined in the applicable privacy legislation
Phishing – a type of social engineering in which an attacker sends a fraudulent message designed to trick the recipient into revealing sensitive information (e.g., credentials) or into running malicious software, such as ransomware, on the victim's systems
PIA – privacy impact assessment; a process used to determine how a program or service could affect the privacy of an individual or a group of individuals
Privacy breach – unauthorized access to and / or disclosure of confidential information, including (but not limited to) personal health information
Ransomware – a type of malicious software that blocks access to a computer system or its data (typically by encrypting the data) until a sum of money is paid
Service level agreement – a plain-language agreement between the customer / purchaser and the vendor / supplier that defines the level and type of service expected, the responsiveness that will be provided (e.g., for technical issues) and how the vendor's / supplier's performance will be measured; such agreements should also codify ownership of the data (essential for personal health information), the vendor's / supplier's security standards (e.g., do they meet Canadian standards?) and disaster recovery expectations for breaches, cyberattacks, etc.
Social engineering tests – tests designed to evaluate the susceptibility of staff, volunteers, leadership and the Board to remote attacks, such as phone, text and email attacks; the test attempts to manipulate, influence or deceive the user into giving the tester access to systems or information
System downtime – the organization's or practitioner's computer or information technology system (e.g., payroll, electronic health records) is unavailable, offline or not operational due to a cyberattack or to investigation efforts
Trojan program – a type of malware that is installed on a computer disguised as, or bundled with, a legitimate program
USB – universal serial bus; the standard interface for connecting peripheral devices to computers; "USB key" in this profile refers to the removable flash memory drives (thumb drives) that connect through it
Common Claims Themes and Contributing Factors
- Cyber Threats and Breaches
- Cyber threats
- Attackers making repeated attempts on the same organization, particularly if they were successful on their first attack;
- Phishing attacks resulting in stolen credentials, misdirected funds, virus / malware downloads and compromised PHI;
- Ransomware, virus / malware, hacking and data breaches negatively impacting care delivery for extended periods of time;
- Cross-site scripting attacks that inject malicious code on the organization's website;
- Website hack resulting in breach of past and current client / customer information.
- Breaches uncovered by:
- Anonymous and third-party notification (e.g., universities, clients and families);
- Random and scheduled audits.
- Cyber threats
- Organizations and HICs
- Lack of priority given to privacy and cyber security practices.
- Lack of access to internal and / or external privacy and information security expertise.
- Perceived and / or actual lack of human and financial resources to implement privacy and cyber risk management solutions.
- Outdated practices for passwords and encryption of confidential and PHI.
- Inadequate contracts, and services agreements and data access / sharing agreements.
- Cumbersome, inadequately designed and / or outdated:
- Information security practices (e.g., unpatched systems that enable attackers to exploit known vulnerabilities, use of unsupported or unlicensed tools and applications with security vulnerabilities, an inadequate data backup strategy resulting in an inability to restore data, and a lack of consistent server and operating system security patching and upgrading);
- Identity and access management protocol;
- Cyber security protocol / program;
- Cyber incident response processes.
- Insufficient and / or inadequate privacy and cyber security:
- Audits;
- Staff training and education.
- Cyber threats / attacks on third party vendors negatively impacting the organization’s / HIC’s business operations and care delivery.
- Inadequately executed privacy and / or cyber incident responses, such as:
- Delayed containment and internal / external notifications;
- Reliance on third-party vendors, with limited technical or practical expertise, to respond to cyber threats;
- Cyber incident responses that lack focus on client and staff safety (e.g., how to access laboratory test results), care delivery (e.g., unexpected system downtime) and clinical outcomes (e.g., no client census data).
- Privacy breaches involving surveillance / security cameras:
- Inappropriately installed or maintained surveillance cameras (by the organization or a third party) enabling unauthorized persons to access camera footage (both audio and video);
- Installation of surveillance cameras in exam rooms (e.g., pre-operative rooms, exam rooms, operating room) for non-clinical purposes and / or without client consent;
- Lack of visible signage regarding the collection of audio-visual recordings.
- Insufficient or inadequate:
- Technological safeguards to restrict access to PHI retained within electronic records and online portals / dashboards (e.g., clients able to view test results for other clients);
- Audit logging capabilities (user and access audits);
- Encryption and storage controls including (but not limited to) laptops, mobile phones, and USB keys.
- Privacy Breaches
- Inconsistent and inadequate approaches to de-identifying collected PHI for a secondary purpose such as research or teaching.
- Unauthorized access to and / or removal of PHI by employees and staff, e.g.:
- Snooping (family, friends and celebrities);
- Narcotic diversion;
- Theft and financial gain.
- Office / Clinic Based Practice
- Lack of and / or informal controls and oversight for PHI and cyber security.
- Sharing of passwords with clerical / administrative support workers, including enabling unauthorized access to clinic / hospital / health region-controlled PHI.
- Unsafe cloud computing practices for PHI.
- Inadequate training of staff regarding their roles / responsibility for privacy and cyber security.
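The portal weakness listed above (clients able to view other clients' test results) is an authorization failure: the application trusts a record identifier supplied by the user without checking who owns the record. The following is an added example, not code from this profile or from any real portal; the sample data is constructed and the function and field names are hypothetical. It shows the vulnerable lookup beside a hardened version that ties each result to its owner or care team, together with a simple access audit over the log entries that such a check should always produce.

```python
"""Object-level authorization for a client test-results portal.

Added example with constructed data and hypothetical names; not code from the
HIROC profile or from any real portal.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data (fictitious, not real PHI).
RESULTS = {
    101: {"client_id": "C-1001", "test": "HbA1c", "value": "6.1 %"},
    102: {"client_id": "C-1002", "test": "TSH", "value": "2.3 mIU/L"},
    103: {"client_id": "C-1001", "test": "LDL-C", "value": "3.4 mmol/L"},
}
# Clinicians may only see results of clients on their care team (role-based access).
CARE_TEAM = {"DR-77": {"C-1001"}}

AUDIT_LOG: list[dict] = []  # in production: an append-only store that is reviewed regularly


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "client" or "clinician"


class Forbidden(Exception):
    """Raised for denied access; identical whether or not the result exists."""


def get_result_vulnerable(user: User, result_id: int) -> dict:
    """Insecure direct object reference: any authenticated user can read any result id."""
    return RESULTS[result_id]


def _audit(user: User, result_id: int, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user.user_id,
        "role": user.role,
        "result_id": result_id,
        "outcome": outcome,
    })


def _is_authorized(user: User, owner: str) -> bool:
    if user.role == "client":
        return user.user_id == owner
    if user.role == "clinician":
        return owner in CARE_TEAM.get(user.user_id, set())
    return False


def get_result(user: User, result_id: int) -> dict:
    """Hardened lookup: authenticate elsewhere, authorize here, audit always."""
    record = RESULTS.get(result_id)
    # Unknown ids and other clients' ids produce the same denial, which blunts
    # enumeration of valid result ids.
    if record is None or not _is_authorized(user, record["client_id"]):
        _audit(user, result_id, "denied")
        raise Forbidden(f"{user.user_id} may not access result {result_id}")
    _audit(user, result_id, "granted")
    return record


def users_with_repeated_denials(log: list[dict], threshold: int = 3) -> list[str]:
    """Access audit: users whose denied requests reach the threshold (enumeration, snooping)."""
    denied: dict[str, int] = {}
    for entry in log:
        if entry["outcome"] == "denied":
            denied[entry["user_id"]] = denied.get(entry["user_id"], 0) + 1
    return sorted(u for u, n in denied.items() if n >= threshold)


def demo() -> dict:
    """Run both versions and report what each lets a curious client see."""
    AUDIT_LOG.clear()
    other_client = User("C-1002", "client")
    leaked = get_result_vulnerable(other_client, 101)["client_id"]  # C-1001's result leaks
    denied = 0
    for rid in (101, 103, 104):  # enumeration attempt against the hardened version
        try:
            get_result(other_client, rid)
        except Forbidden:
            denied += 1
    own = get_result(other_client, 102)["test"]
    clinician = get_result(User("DR-77", "clinician"), 101)["test"]
    return {"leaked_owner": leaked, "denied": denied, "own_test": own,
            "clinician_test": clinician, "flagged": users_with_repeated_denials(AUDIT_LOG)}


if __name__ == "__main__":
    print(demo())
```

Denied requests for unknown ids and for other clients' ids return the same error, so the portal cannot be used to enumerate valid result ids, and the audit review surfaces the account that tried. The same ownership check belongs on every endpoint that takes a record identifier (downloads, messages, appointment views), not only on the one that happened to be noticed.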
Mitigation Strategies
Facility Design, Space and Security
- Implement formal strategies to support the use of strong physical security practices for areas housing the organization’s / HIC’s:
- Information systems and technology assets (e.g., laptops, servers, backup storage and computers / laptops with sensitive information);
- Paper-based confidential and PHI records.
Additional Considerations
- Examples of strong physical security practices:
- Video surveillance;
- Access logs;
- Access cards;
- Regular verification and review of physical access audits (e.g., irregular pattern of access);
- Stringent process following staff member termination and leaves.
Procurement and Contract Management
- Implement industry standard and legislation compliant strategies to reduce privacy and cyber security risks posed by vendors, partners and third-party providers who have access to the organization’s / HIC’s PHI and other sensitive data and information technology systems and / or infrastructure (HIROC, 2017).
Additional Considerations
- Examples of strategies to reduce privacy and cyber security risks posed by vendors, partners and third-party providers:
- Ensure the vendor’s security practices are strong and meet acceptable information / cyber security standards (e.g., NIST, ISO 27001, SOC 2);
- Contractually obligate the vendor to continue to maintain the accepted security standards and to provide, at their expense, an applicable security report or evidence prepared by an independent, reputable firm for each contract term (or another specified period);
- Contractually obligate the vendor to notify the organization / HIC of all security breaches and data breaches within a specified time period from the occurrence date;
- Ensure the vendor’s breach response plans are inclusive and meet the acceptable standards for healthcare organizations / HICs;
- Contractually obligate the vendor to comply with all privacy legislation / regulations;
- Contractually negotiate the right to conduct an on-site visit and conduct other inspections such as review of log files, policies / procedures, etc. to confirm security controls (note: this right is more likely to be exercised with small vendors who do not meet required cyber security standards);
- Where feasible, periodically or annually evaluate vendor agreements to ensure they are appropriate and relevant (HIROC, 2017).
- Adopt an industry standard and legislation compliant protocol for the de-identification of PHI where required (Information and Privacy Commissioner of Ontario, 2016) (Information and Privacy Commissioner of Ontario, 2018).
- Adopt industry standard and legislation compliant clauses for contracts / agreements related to:
- Data sharing;
- Access to confidential and / or PHI;
- Agents and vendors engaged in information technology or providing services;
- Agents and vendors engaged in the collection and destruction of paper and electronic PHI records.
- Adopt industry standard and legislation compliant practices if using and / or purchasing third party-managed cloud services to store PHI; consider involving information technology and legal experts in the decision to use cloud services as well as in the review of the service contracts and service level agreements (HIROC, 2017) (Information and Privacy Commissioner of Ontario, 2016).
Additional Considerations
- Examples of questions healthcare organizations / HICs should ask a potential cloud services provider:
- Who is the owner of the data being stored with the cloud service provider?
- How would the cloud service provider detect, contain and remediate cyber breaches?
- How is the data stored, transferred and processed?
- Is the data stored or processed outside of Canada and, if so, where?
- How will the vendor support repatriation of the data if the organization's strategic direction changes, the contract is terminated, or the cloud service provider goes out of business, is acquired or is absorbed?
- If the cloud service provider is taken over by another provider, who has rights to the data? What are the terms and conditions?
- What protections (encryption, access control, etc.) are in place to protect the information?
- What is the data destruction schedule and process?
- Are backups of the system or data conducted? If so, understand where the backups are stored, how often the backups are generated and destruction details.
- Does the service provider support single tenant architecture? If only multitenant architecture is supported, how will the organization’s / HIC’s data be protected against unauthorized access?
- What sort of data migration support will be provided if the healthcare organization / HIC wants to migrate to another cloud provider or internal system?
- What type of auditing and logging capabilities are in place and how can the healthcare organization / HIC access them from the cloud service provider? What cyber and privacy breach incident management protocols are in place?
- Understand the breach notification process and timeframe; healthcare organizations / HICs should be notified of breaches as soon as reasonably possible (HIROC, 2017).
Privacy Program
- Adopt a current evidence-based and legislation compliant (as applicable) written privacy policy regarding the collection, use, classification (where indicated), retention, disclosure and destruction of PHI (Beamish & Barrette, 2019) (Office of the Privacy Commissioner of Canada, 2018) (Ontario Hospital Association and Information and Privacy Commissioner of Ontario, 2013) (Center for Internet Security, 2016).
Additional Considerations
- Examples of privacy considerations to address within the PHI policy:
- Internal data integration, planning and analysis;
- External data-based sharing, links and analysis (Beamish & Barrette, 2019) (Office of the Saskatchewan Information and Privacy Commissioner, n.d.) (HIROC, 2018) (Government of Newfoundland and Labrador, 2015);
- Internal and external student / learner education (e.g., lectures, rounds, workshops, presentations);
- Peer review;
- Research;
- Consequence of non-compliance with privacy practices;
- Mandatory reporting / disclosures;
- Permissive reporting / disclosures.
- Undertake privacy impact assessments (as necessary) when implementing new solutions, technology or processes involving PHI to reduce / mitigate risks, reduce the need for redesign and to help demonstrate due diligence in the event of a privacy / security breach, complaint or investigation (Beamish & Barrette, 2019)(Office of the Information and Privacy Commissioner of Alberta, n.d.).
- Adopt a standardized, evidence-based and legislation compliant (as applicable) protocol for the use of mobile and virtual care devices (e.g., laptops, USB keys, tablets and smart phones) for the collection, use, retention, disclosure and destruction of PHI and other confidential information (Information and Privacy Commissioner of Ontario, 2007) (Office of the Saskatchewan Information and Privacy Commissioner, n.d.) (Office of the Saskatchewan Information and Privacy Commissioner, 2018).
- Implement standardized, evidence-based and legislation compliant (as applicable) strategies to prevent the removal of PHI (both hard and soft copies) from the organization's / HIC's premises unless authorized and required for the provision of direct healthcare under the auspices of the organization / HIC (Ontario Hospital Association and Information and Privacy Commissioner of Ontario, 2013) (Office of the Privacy Commissioner of Canada, 2018).
- Adopt a standardized, evidence-based and legislation compliant (as applicable) protocol for the use of audio-visual surveillance for clinical and non-clinical (e.g., security) purposes (Information and Privacy Commissioner of Ontario, 2018) (Information and Privacy Commissioner of Ontario, 2015).
Cyber Program and Technical Controls / Solutions
- Implement a standardized, industry standard and legislation compliant (as applicable) role-based access management protocol that supports the safe administration of user accounts (e.g., granting, revoking, and managing user access to systems, processes, and network drives), including (but not limited to), appropriate password practices and multi-factor authentication (National Institute of Standards and Technology, 2022) (Center for Internet Security, 2016).
- Implement (and regularly update) industry standard technical solutions and strategies such as firewalls, antivirus / antimalware solutions, network segmentations.
- Adopt administrative and technological solutions to protect the transmission of PHI and other confidential information (e.g., password protection, encryption, secure file transfer protocols) (HIROC, 2017).
- Implement advanced solutions to detect potential system compromise or data theft; consider subscribing to a monitoring service from credible vendors to notify staff/organization of potential anomalies (e.g., intrusion detection, endpoint detection and response)(Center for Internet Security, 2016).
- Undertake risk identification exercises such as penetration testing, continuous vulnerability management, red team activities, etc. that can help identify potential vulnerabilities early on (ISO, 2022) (Center for Internet Security, 2016) (HITRUST, 2023).
- Implement an industry standard and legislation compliant (as applicable) cyber security program that includes (but is not limited to) clearly defined accountability for cyber security risk oversight (governance) and operations (management) (Dixit, Quaglietta, Nathan, Dias, & Nguyen, 2023) (HIROC, 2017).
- Adopt a patch management protocol to support the timely and safe application of vendor / third-party issued updates and patches, reducing security vulnerabilities and optimizing software and device performance (Dixit, Quaglietta, Nathan, Dias, & Nguyen, 2023); consider contracting with a credible third party / vendor if internal support and expertise is not available.
- Implement robust and well secured data backup procedures (including backups that cannot be altered or deleted from the production network) and undertake data recovery tests on a regular basis (e.g., quarterly).
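A worked illustration of the backup and recovery testing bullet, added here and not part of the profile or of any HIROC tooling: the script backs up a directory of constructed (fictitious) records into a tar.gz archive with a SHA-256 manifest, restores the archive into a clean directory and verifies every file, then shows the same check failing once the archive has been altered after the fact. It assumes the manifest is stored apart from the archive (e.g., offline), which is what lets the restore test detect a backup that ransomware or a storage fault has silently changed; a recovery test that only confirms the archive opens would not.

```python
"""Backup integrity check and restore test (added example; constructed data, not HIROC tooling)."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path) -> tuple[Path, Path]:
    """Archive every file under source_dir; write a manifest of relative path -> SHA-256."""
    # Assumption: the manifest is kept apart from the archive (e.g., offline), so
    # whoever alters the archive cannot also rewrite the manifest to match.
    manifest = {}
    archive = backup_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path = backup_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore_and_verify(archive: Path, manifest_path: Path, restore_dir: Path) -> dict:
    """Restore into a clean directory and compare every file with the manifest."""
    manifest = json.loads(manifest_path.read_text())
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:  # refuse path traversal and non-regular files before extracting
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                raise ValueError(f"unsafe member in archive: {m.name!r}")
        tar.extractall(restore_dir, members=members)
    verified, missing, mismatched = 0, [], []
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            mismatched.append(rel)
        else:
            verified += 1
    restored = {p.relative_to(restore_dir).as_posix() for p in restore_dir.rglob("*") if p.is_file()}
    unexpected = sorted(restored - set(manifest))
    return {"ok": not (missing or mismatched or unexpected), "verified": verified,
            "missing": missing, "mismatched": mismatched, "unexpected": unexpected}


def tamper_archive(archive: Path, rel_path: str, new_bytes: bytes) -> None:
    """Rewrite one member in place to simulate silent corruption or tampering of the backup."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r:gz") as src, tarfile.open(tmp, "w:gz") as dst:
        for member in src.getmembers():
            if member.name == rel_path:
                member.size = len(new_bytes)
                dst.addfile(member, io.BytesIO(new_bytes))
            else:
                dst.addfile(member, src.extractfile(member))
    tmp.replace(archive)


# Constructed sample records (fictitious, not real PHI).
SAMPLE_FILES = {
    "labs/2024-01.csv": "client_id,test,value\nC-1001,HbA1c,6.1\n",
    "notes/visit-0001.txt": "Constructed visit note for a fictitious client.\n",
}


def run_recovery_test() -> tuple[dict, dict]:
    """Back up, restore and verify; then alter the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE_FILES.items():
            (root / "source" / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / "source" / rel).write_text(text)
        (root / "backup").mkdir()
        archive, manifest = create_backup(root / "source", root / "backup")
        clean = restore_and_verify(archive, manifest, root / "restore-1")
        tamper_archive(archive, "labs/2024-01.csv", b"client_id,test,value\nC-1001,HbA1c,9.9\n")
        tampered = restore_and_verify(archive, manifest, root / "restore-2")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_recovery_test()
    print("clean restore:   ", clean)
    print("tampered restore:", tampered)
```

The restore step also rejects archive members with absolute paths or ".." components before extracting, since a backup pulled from compromised storage is itself untrusted input. In a real recovery test the restore target should be an isolated system, and the report (files verified, missing, mismatched, time to restore) should be kept as evidence for the quarterly review.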
Incident / Emergency Response
- Adopt an industry standard and legislation compliant incident response protocol to support decision making following a suspected or actual privacy breach or cyber threat that includes (but is not limited to) the immediate response, timely investigation, containment, notifications and disclosures (e.g., clients, provincial / territorial privacy office, professional regulatory body / college and insurer) and incident debrief (Information and Privacy Commissioner of Ontario, 2018) (Dixit, Quaglietta, Nathan, Dias, & Nguyen, 2023) (HIROC, 2021).
- Implement formal strategies to ensure all records, information, reports, recommendations and / or decisions and decision making related to privacy breach and cyber threat investigations (internal and external) are maintained, reported to senior leadership / executive, and retained as per the organization’s / HIC’s records retention guidelines.
Team Training and Education
- Implement formal multifaceted and targeted current industry standard strategies to support and enhance organization-wide (e.g., Boards, volunteers, employees, independent contractors and learners) awareness and compliance with privacy and cyber security incident prevention and loss control strategies.
Additional Considerations
- Examples of elements to be included in the targeted training and education:
- Duties and obligations related to the collection, use, classification (where indicated), retention, disclosure and destruction of PHI and other confidential information;
- Consequences associated with non-compliance with internal practices and policies;
- Appropriate use of social media.
- Ensure the privacy and cyber security training and education program considers and / or involves:
- The need to customize the training / education (where indicated) based on the department's / user's role, responsibilities and access to sensitive information and / or data;
- Mandatory participation in training / education upon hire or appointment and annually thereafter;
- Privacy and cyber threat simulations and / or tabletop exercises;
- Social engineering tests / emails to identify vulnerable users and the effectiveness of training program (Dixit, Quaglietta, Nathan, Dias, & Nguyen, 2023).
Monitoring and Measuring
- Incorporate learning from local, provincial / territorial and national cybersecurity incidents into local protocols as well as staff training.
- Adopt standardized industry standard privacy and cyber security metrics and key performance indicators (HIROC, 2021) (Moore, 2021).
References
- Beamish, B., & Barrette, R. (2019, September 10). Introduction to Data Sharing Rules. Retrieved from Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca/wp-content/uploads/2019/09/2019-08-09-datashare-web.pdf
- Carnegie Mellon University. (2020). Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide.
- Center for Internet Security. (2016). CIS Critical Security Controls. Retrieved from Center for Internet Security: https://www.cisecurity.org/controls/cis-controls-list
- Dixit, A., Quaglietta, J., Nathan, K., Dias, L., & Nguyen, D. (2023). Cybersecurity: Guiding Principles and Risk Management Advice for Healthcare Boards, Senior Leaders and Risk Managers. Healthcare Quarterly, 25(4), 35-40. Retrieved from https://www.hiroc.com/system/files/resource/files/2023-02/08-HQ-Vol25-No4-Dixit.pdf
- Government of Newfoundland and Labrador. (2015). Information Sharing Agreement (ISA) Guide Under the Access to Information and Protection of Privacy Act. Retrieved from Government of Newfoundland and Labrador: https://www.gov.nl.ca/atipp/files/ISA-Guide.pdf
- HIROC. (2017, November). Cyber Risk Management: A Guide for Healthcare Providers and Administrators. Retrieved from HIROC: https://www.hiroc.com/system/files/resource/files/2018-10/Cyber-Guide.pdf
- HIROC. (2018). Contracts - Data Sharing Agreements PHI to Third Parties. Retrieved from HIROC: https://oipc.sk.ca/assets/best-practices-for-information-sharing-agreements.pdf
- HIROC. (2021, January). Risk Profile: Regulatory - Privacy. Retrieved from HIROC: https://www.hiroc.com/resources/risk-profiles/regulatory-privacy
- HIROC. (2023, January). Planning for Cyber Security Incidents: A Crisis Communication Guide. Retrieved from HIROC: https://www.hiroc.com/system/files/resource/files/2023-01/Comms%20Guide%20-%20Cyber%20Crisis_1.pdf
- HITRUST. (2023, April 4). HITRUST CSF Framework. Retrieved from HITRUST: https://hitrustalliance.net/product-tool/hitrust-csf/
- Information and Privacy Commissioner of Ontario. (2007, May). Encrypting personal health information on mobile devices. Retrieved from Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca/wp-content/uploads/Resources/fact-12-e.pdf
- Information and Privacy Commissioner of Ontario. (2015, October). Guidelines for the Use of Video Surveillance. Retrieved from Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca/wp-content/uploads/Resources/2015_Guidelines_Surveillance.pdf
- Information and Privacy Commissioner of Ontario. (2016, March). Thinking About Clouds? Privacy, security, and compliance considerations for Ontario's public sector institutions. Retrieved from Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca/wp-content/uploads/2016/08/thinking-about-clouds-1.pdf
- Information and Privacy Commissioner of Ontario. (2018, December 18). Health Information and Privacy - PHIPA Decision 78. Retrieved from Information and Privacy Commissioner of Ontario: https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/360791/index.do
- ISO. (2022). ISO/IEC 27001 Information security management system. Retrieved from ISO: https://www.iso.org/standard/27001
- Moore, S. (2021, September 15). 4 Metrics that Prove Your Cybersecurity Program Works. Retrieved from Gartner: https://www.gartner.com/en/articles/4-metrics-that-prove-your-cybersecurity-program-works
- National Institute of Standards and Technology. (2022, March 3). NIST Special Publication 800-63: Digital Identity Guidelines Frequently Asked Questions. Retrieved from NIST.
- Office of the Information and Privacy Commissioner of Alberta. (n.d.). Privacy Impact Assessments. Retrieved from Office of the Information and Privacy Commissioner of Alberta: https://oipc.ab.ca/privacy-impact-assessments/
- Office of the Privacy Commissioner of Canada. (2018, January). Summary of privacy laws in Canada. Retrieved from Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/
- Office of the Saskatchewan Information and Privacy Commissioner. (2018, January). Helpful Tips: Mobile Device Security. Retrieved from Office of the Saskatchewan Information and Privacy Commissioner: https://oipc.sk.ca/assets/helpful-tips-mobile-device-security.pdf
- Office of the Saskatchewan Information and Privacy Commissioner. (n.d.). Best Practices for Information Sharing Agreements. Retrieved from Office of the Saskatchewan Information and Privacy Commissioner: https://oipc.sk.ca/assets/best-practices-for-information-sharing-agreements.pdf
- Ontario Hospital Association and Information and Privacy Commissioner of Ontario. (2013). Preventing/Reducing Unauthorized Access to Personal Health Information. Retrieved from Ontario Hospital Association: https://www.oha.com/Legislative%20and%20Legal%20Issues%20Documents1/Preventing%20or%20Reducing%20Unauthorized%20Access%20to%20Personal%20Health%20Information%20(2013)%20(PUBLICATIONS).pdf