Political Cyber Security

The daily life and economics of the global citizen depend more and more on a stable, secure, and resilient cyberspace. Even before he was elected president, Donald Trump promised to make cybersecurity “an immediate and top priority for [his] administration.” Yet, months into his presidency, Trump and global leaders worldwide have struggled to settle on policies for how they should use their personal technology.

Cybersecurity has gotten sucked into the inevitable vortex of politicization.

Perhaps things first came to media attention when it was discovered that Hillary Clinton was using a private email server when she was Secretary of State. In response, Clinton has said that her use of personal email was in compliance with federal laws and State Department regulations, and that former secretaries of state had also maintained personal email accounts, though not their own private email servers. In a summary of its investigation into Clinton’s use of private email, the FBI concluded that a username and password for an email account on the server was compromised by an unknown entity, which had logged into the compromised email, read messages, and browsed attachments using a service called Tor. Unique to Clinton’s case is that the FBI repeatedly noted that, if a breach did occur, its agents might not be able to tell, but that there had previously been no evidence to indicate that Hillary Clinton’s personal email account was hacked.

More recently, the campaign of the French presidential candidate Emmanuel Macron was hit on May 5th, 2017 with leaked emails and other documents on a file-sharing website. Security analysts are under the impression that the huge leak of emails from Macron’s campaign team might have been coordinated by the same group of individuals behind the Democratic National Committee leak that affected Clinton. In fact, the Macron campaign directly compared the hacking to the targeting of the Clinton campaign, in a statement that read: “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy, as already seen in the United States’ last president campaign. We cannot tolerate that the vital interests of democracy are thus endangered.”

However, the ‘Macron-hack’ emerged when an anonymous poster provided links to documents on Pastebin with the message: “This was passed on to me today so now I am giving it to you, the people.” This serves as an example of how authentic documents can easily be mixed on social media with fakes to spread false messages that can harm political campaigns. While France’s electoral commission aimed to prevent this hack from influencing the election by warning local media that sanctions can be placed on them if they spread this information, the overall effect this leak will have on Macron is unknown.

While we acknowledge that it is difficult to assess the impact of a breach of a single account on a server, these incidents raise fresh questions about the security of other electronic accounts of politicians.

Politicians are particularly vulnerable to cybersecurity threats for the following reasons:

  • Politicians use different or even multiple platforms (Windows, mobile, apps, etc.), different email systems (Gmail, Hotmail, corporate Exchange, Yahoo) and different file sharing systems (Dropbox, Box, iCloud), which makes it harder to apply the strictest security standards to each one.
  • Politicians work with a lot of individuals for temporary amounts of time, such as volunteers. As such, it is sometimes hard to know who you’re working with.
  • There is also a lack of centralized administration. Cybersecurity tends to cut across traditional political fault lines, making it at best confusing territory for politicians.

Regardless of which side of the political aisle your ideas land on, there is little debate that cybersecurity continues to be a hot issue. Nowadays, for politicians, ignoring cyber issues could derail their career. Whether it be governments, individuals, or even campaign trails – the political cybersecurity world has experienced a resurgence of threats.

Fortunately, the Blockchain’s alternative approach to storing and sharing information provides a way out of this security mess for four very important reasons:

  1. The decentralized consensus nature of Blockchains makes it almost impossible to break into them.
  2. It is platform agnostic, so it runs on any combination of operating system and underlying processor architecture.
  3. Once configured, it does not need an administrator.
  4. Malware cannot break into it.

A Blockchain is a register of records prepared in data batches called blocks that use cryptographic validation to link themselves together. Publishing keys on a Blockchain instead would eliminate the risk of false key propagation and enable applications to verify the identity of the people you are communicating with. Similarly, using a public Blockchain like Bitcoin would mean your entire system is decentralized with no single point of failure for attackers to target. As of right now, Estonia is one of the first countries to use Blockchain this way, although other governments are slowly warming up to Blockchain technology.

Moreover, there’s a rising tide of big data analytics to help combat cyber-threats and attackers. Social analytics tools can serve as the first line of defense for politicians by combining machine learning and text mining modeling to provide an all-inclusive and amalgamated approach to security threat prediction, detection, and deterrence.

Cyberspace is the underlying infrastructure that holds the key to modernity in technology. The types of threats that have impacted politicians in the USA and Europe are real and actively happening. Blockchains and analytic tools will not be the golden ticket to fix everything that’s wrong with cybersecurity for politicians, but they can be a place to start. The Blockchain provides innovations that current systems and politicians could embrace.

For more information on how to protect yourself as a politician, please contact Waël Hassan, PhD.

Bill S-201: The Genetic Non-Discrimination Act

Following a majority vote in the House of Commons passing the bill and a final approval by the Senate, Bill S-201 received royal assent on May 4th. The bill, also referred to as the Genetic Non-Discrimination Act, is a preliminary step towards the amendment of the Canadian Human Rights Act as it aims to prevent discrimination by reason of genetic history. Furthermore, enactment of Bill S-201 amends the Canada Labour Code, with the intention of protecting employees from involuntary genetic testing or disclosure of genetic testing results.

What Bill S-201 Will Accomplish

With medical technology undergoing rapid change, genetic testing is predicted to be increasingly reliable in illness prediction. The enactment of Bill S-201 protects individuals from having to reveal the results of a genetic test as a precursor to receiving services or entering contracts and agreements. In simpler terms, service providers that require participants to undergo genetic testing will need to re-examine current practices and alter them to align with this new act. Groups that are exempt from Bill S-201’s conditions are health care practitioners, such as physicians and pharmacists, and medical or pharmaceutical researchers in instances where the individual is a participant in a study. With the passage of the Genetic Non-Discrimination Act, goods and service providers, such as employers and insurance companies, that require genetic testing results will be in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Bill S-201 is considered to be an important action taken for human rights and privacy for Canadians – highlighting the significance of privacy protection for sensitive personal information. Given the current advancement of genetic discoveries that are poised to revolutionize the field of medicine and reveal individual likelihoods of developing diseases, common concerns that arise from the public include barriers to receiving insurance coverage, employment and social acceptance. With the adoption of Bill S-201, insurance companies – which have generally mandated individuals to disclose lifestyle and genetic background – are prohibited from doing so as a method to determine policy rates.

Opposition & Support

Opposing stakeholders such as insurance providers have challenged this over fears that the legislation is unfair, as it requires insurers to pay out claims for individuals with genetic predispositions to debilitating and fatal illnesses. During a vote in the House of Commons in March, MPs were urged to reject the bill by Prime Minister Justin Trudeau, who declared the bill unconstitutional. Notably, insurance regulation falls under provincial and territorial jurisdiction, which possibly allows leeway for the insurance sector to challenge the law in the Supreme Court of Canada on the reasoning that it is unconstitutional due to the division of powers.

Supporters of Bill S-201 have confidence in its ability to prevent genetic discrimination in the private sector and remove obstacles to comprehensive insurance coverage. Currently, restrictions to obtaining individual genetic testing results have been implemented in France while the United Kingdom has adopted an agreement that limits insurance providers in their use of genetic testing. As global concerns of personal privacy emerge, the arena for political discourse on these matters will undoubtedly be dynamic and populated with many stakeholders.

Cyber Review Consultations Report

“The digital economy increasingly shapes and drives the broader economy. For Canadians to prosper and be confident digital innovators, they need to know that the networks that enable their efforts and safeguard their assets and information are secure. I am committed to making Canada a global centre for innovation – one that creates jobs, drives growth across all industries and improves the lives of Canadians. That’s why I am pleased to support Public Safety Canada in this important cyber security consultation.” – The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development

The number, complexity, and severity of cyber-attacks on companies and individuals in Canada are each on the rise.

On January 17, 2017, Public Safety Canada posted a report on the views of Canadians on the Canadian cyber security environment. The report was based on the findings of 2,095 submissions that contained 2,399 responses to individual questions across four main topics, as follows:

  • Evolution of the Cyber Threat: 1,728 responses
  • Increasing Economic Significance of Cyber Security: 364 responses
  • Expanding Frontiers of Cyber Security: 190 responses
  • Canada’s Way Forward on Cyber Security: 117 responses

The results established that cyber security in Canada is an extremely multifaceted issue with multiple challenges and a rising range of opportunities. Throughout the consultation, three ideas were consistently raised as being important and relevant to cyber security in Canada: privacy, collaboration, and using skilled cyber security personnel.

The report concluded that it is the shared responsibility of governments, the private sector, law enforcement and the public, to address these challenges and seize new opportunities.

This is part of the Government’s commitment to keep Canadians safe in cyberspace and position Canada as an innovative leader in cyber security. This report is just one example of how the Canadian government is striving to take full advantage of the digital economy, while protecting the safety and security of all Canadians.

Quick Facts

  • Canada has more computers per capita than any other country (129 devices per 100 people) and Canadians are the heaviest Internet users in the world, spending more than 40 hours online per person, per month.
  • About 70 per cent of Canadian businesses have been victims of cyber attacks with an average cost of $15,000 per incident.
  • The current global market for cyber security products and services is expected to grow to over $170 billion by 2020, and the job market for cyber professionals is expected to rise by six million in the next four years.

Source: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2017-cybr-rvw-cnslttns-rprt/index-en.aspx

Amendments to the General Regulation (Ontario Regulation 329/04)

The Ministry of Health and Long-Term Care (“ministry”) is proposing amendments to the General Regulation (Ontario Regulation 329/04) under the Personal Health Information Protection Act, 2004 (PHIPA).

The purpose of the amendments is largely to clarify the requirements for health information custodians to report thefts, losses and unauthorized uses or disclosures of personal health information to the Information and Privacy Commissioner. Should the amendments be approved, the following requirements would have to be met:

  • “A Health information custodian would be obligated to report annually to the Commissioner the number of times, in the calendar year, the health information custodian had to notify individuals (in accordance with section 12(2) of PHIPA) of theft(s), loss(es) or of unauthorized use(s) or disclosure(s) of personal health information.
  • It would be necessary for the report to be submitted to the Commissioner by March 1 of the following calendar year.
  • The first report would be due in 2019.
  • After submitting the report to the Commissioner, at the Commissioner’s request, a health information custodian would be required to provide the Commissioner with information contained in the notice that was issued to the affected individual(s), and/or any information the custodian relied on in deciding to notify the individual.”

The proposed amendments would also further allow the ministry to continue to validate progress on the implementation of changes proposed in the Health Information Protection Act (Bill 78). These changes were passed in May 2016.

The proposed amendments were posted to the Regulatory Registry website on March 10, 2017 and will be available until May 8, 2017. The posting can be accessed at: http://www.ontariocanada.com/registry/view.do?postingId=23883&language=en

Bill C-23: Pre-Clearance of Persons and Property

Quick Summary of Bill C-23

It is no secret that Canada and the United States have one of the most important trading relationships in the world. While the American presidential election has taken the spotlight in terms of political news as of late, the Canadian federal government is proposing to rewrite Canada’s electoral laws. On June 17, 2016, the Minister of Public Safety and Emergency Preparedness introduced Bill C-23, “an Act respecting the preclearance of persons and goods in Canada and the United States” (to be known as the “Preclearance Act 2016”), in the House of Commons. The main purpose of the Agreement and Bill C-23 is to facilitate and expedite travel between Canada and the United States for goods and services.

Bill C-23 is intended to implement the Agreement on Land, Rail, Marine, and Air Transport Preclearance between the Government of Canada and the Government of the United States of America signed on March 16, 2015 (the “Agreement”). Part 1 of Bill C-23 authorizes United States customs officers to conduct preclearance in Canada of travelers and goods bound for the United States. Preclearance allows the inspection of goods and people before they leave the country of exit. Bill C-23 allows any traveler destined for the United States to withdraw from the preclearance process, unless the traveler is detained under Part 1. Under the Bill, Canadian police officers and the officers of the Canada Border Services Agency are sanctioned to support United States preclearance officers in the exercise of their powers and performance of their duties and functions.

Part 2 of Bill C-23 speaks to the performance of Canadian preclearance officers in the United States. Bill C-23 specifies how the Immigration and Refugee Protection Act will apply to travelers bound for Canada who are in preclearance areas and preclearance perimeters in the United States. It also extends the application of other Canadian legislation that relates to the entry of persons and importation of goods into Canada to those preclearance areas and preclearance perimeters. Bill C-23 allows a traveller bound for Canada to withdraw from the preclearance process, unless the traveller is detained.

Part 3 of Bill C-23 contains amendments to the Criminal Code.

Part 4 of Bill C-23 amends the Customs Act.

Some implications of the Bill include high-risk passengers being screened before being allowed to proceed. Goods are also x-rayed to identify risks. This preclearance is also to expand to other airports and land/rail/marine locations. The preclearance arrangements under this Bill essentially increase the American customs presence in Canada. C-23 would give an agent posted at a U.S. airport the right to prevent a resident from boarding a flight to Canada. Under this Bill, with new powers to question, search and detain Canadian citizens, U.S. border guards are able to erode the standing of Canadian permanent residents by threatening their automatic right to enter or leave Canada. This may be problematic, given new President Trump’s promise of greater scrutiny of travelers coming into the USA.

The United States and Canada are crucial allies to one another. The United States and Canada must continue to work together to address threats at the border as well as throughout the two countries, while expediting lawful cross-border trade and travel. Canada is the only country in the world with which the United States has signed a new Preclearance agreement that covers all modes of transportation across our shared border. To date, the Trudeau government has reinforced its support for the Agreement and is passing the necessary legislation to implement the Act. The Agreement can only enter into force once both countries have enacted the required implementing legislation (in Canada, Bill C-23).

To read more about Bill C-23, please visit: link to the bill

Careers in Privacy

Have you Considered a Career in Privacy?

Careers in Privacy are here to stay! It is now clearer than ever that data collection and data use are only expanding. Thus, the way that this data is being accessed, used, analyzed, and perhaps even abused, intentionally or not, is also becoming a hot topic. Especially with the rise of electronic data collection, storage and sharing, privacy and security issues have been arising in nearly every company, operating in almost every industry. This has been met with an extensive number of privacy laws in many countries.

With so many regulations and compliance issues to be followed, many individuals are entering careers related to data privacy and data security through other, perhaps more traditional, career or academic paths, such as law, rather than through designated cyber-technological or privacy training. Others may enter these careers due to personal interest in protecting people or companies from harm, whether it be financial or reputational. It is without a doubt that privacy is an issue of profound societal importance and is becoming more essential to the business of almost any company.

Below we outline, just some of the many careers one can

Data Protection Officer or Team Member

Today, nearly every financial organization, government agency and healthcare association, and a growing number of mid-to-large size companies, has at least one designated data protection officer, and this number is only growing. Likewise, more and more people are working within a team that supports the Data Protection Officer or a similar professional.

Duties related to this area may include being either primarily or solely responsible for advising on all company activities related to privacy, confidentiality, and security implications. This may or may not also include monitoring services and systems to certify compliance with personal privacy legislation and government policies and practices. You likely will have to develop policies and procedures that ensure that all your company’s sponsored activities abide by all the applicable privacy and confidentiality legislation and requirements in your jurisdiction and align well with the requirements of those abroad if your business does international work (such as with the European Union).

Governmental Policy

Especially in Canada, the United States and Europe, privacy offices exist at every level of government. Many of these governmental agencies continue to create policies or revise existing policies and regulations related to privacy. Moreover, many government agencies regulate privacy, such as the Federal Trade Commission (FTC) in the United States or the Office of the Privacy Commissioner of Canada (OPC), among others.

Duties may include establishing departmental, federal, provincial or territorial programs or strategies for improving the management of personal or organizational information, and/or being responsible for monitoring adherence to this policy across various organizations and measuring, in a variety of ways, the achievement of the expected results of the policies put in place.

Privacy Law

Privacy law is another booming field. Adhering to privacy laws is complicated, as it often involves numerous very complex federal statutes and regulations. Privacy lawyers may often choose to specialize in a particular aspect of privacy, such as financial privacy, employment privacy, European Union privacy, or electronic surveillance. As such, many companies may often rely on a team of privacy lawyers to cover all the privacy issues faced by their organization.

Duties of a privacy lawyer may include providing legal advice on privacy, advising on restrictions on electronic data collection, communications and the use of tracking or profiling tools (such as cookies), and ensuring the company is upholding the current applicable privacy and marketing laws and standards.

Course Instructor

With all the recent career advancements related to privacy, many will wish to undergo specific training. A course instructor trained in privacy, either through career experience or academic means, can help offer courses on privacy.

Duties for course instructors vary by course, but may include providing a basic overview of the concepts of informational privacy and the country’s privacy legislation. Courses may also introduce students to differential privacy, and encourage them to move towards the frontier of modern privacy research. Essentially, an instructor may help to empower future employees with the skills and knowledge needed for them to help protect businesses and the public against growing security risks and compliance missteps. Similarly, by educating current employees, course instructors are helping to reduce the likelihood that certain businesses will become victims of information security threats.

Software Developer

Especially with the increase in internet use and storage, the need for developing accurate, high-quality, innovative, and user-friendly data technology software that allows end users to comply with their privacy policy (or even to create their privacy policy) is increasing. Many privacy regulations necessitate that companies install and use an array of technical controls to protect customer information, whether they are being collected, stored or transmitted.

Typically, software developers must reconcile vague ideas with practical technological solutions and design, implement and test data managing (or other related) software that captures responses, stores personal data and helps to analyze or score results within a wide variety of software platforms.

Many software developers may also be self-employed and try to work with other organizations on developing industry-specific, or even company-specific, tools in a contract-like role. For example, a company may approach a software developer to develop anything from an awareness program or a log management product to advanced threat correlation and analysis services within that organization. In this hypothetical example, the developer may be responsible for developing a software product that is able to handle the logging, correlation, and reporting needs of the company, as well as ad-hoc analysis and forensic investigation potential.

Privacy impacts all of our lives, especially now with personal data, whether it be socio-demographic information or health records, increasingly being used and stored in electronic form. Appropriate privacy, confidentiality, and security safeguards are necessary to prevent unauthorized access, use, or disclosure (as much as possible). Thus, data privacy is an area that needs more professionals. We now posit that the need for individuals working in privacy is going to continue to grow in 2017 and beyond. While the regulatory landscape for data and the career options for working in a privacy-related field may feel confusing, it is expanding. For those who are itching for a new career or those who feel that they are intrigued by the area of privacy and just want to learn more, data privacy positions offer much prosperity in terms of opportunity.

Evaluating Anonymization Methods

Article 29 Data Protection

The European Commission’s Article 29 Data Protection Working Party provides a useful set of criteria for evaluating anonymization methods in its “Opinion on Anonymization Techniques” (2014):

  • Is it still possible to single out an individual?
  • Is it still possible to link records relating to an individual?
  • Can information be inferred concerning an individual?

The first criterion means that it should not be possible to discover information about a specific individual or small group of individuals. For example, if only three individuals in an anonymized hospital dataset share a diagnosis, the dataset fails the test of singling out. The second means that it should not be possible to link different records pertaining to an individual or group. For example, a dataset that includes individuals’ occupations as well as demographic information could potentially be linked to publicly available profiles on LinkedIn, social media, or registers of professionals or government employees. Third, it should not be possible to infer potentially identifying attributes based on other attributes in a dataset. For example, location data collected through smartphones, which has sometimes been released as part of open datasets, usually makes it possible to infer the location of an individual’s home and office.

To evaluate re-identification risk, the Article 29 Working Party also suggests understanding identity as multidimensional, with each clear attribute as a coordinate. Whenever it is possible to analyze a region of this multi-dimensional space that contains only a few points, there is a risk of individuals being re-identified. In other words, any combination of properties that is unique to a particular individual or a very small group of individuals poses a risk of re-identification. Anonymity is protected when it is only possible to analyze sizeable “clusters” of individuals who cannot be distinguished from one another based on their attributes.

Here’s an example of the application of anonymization techniques to prevent the singling out of individuals or small subgroups:

A hospital database is being anonymized so that it can be shared with a medical research institute. Patient names and health card numbers have been deleted from the dataset, and dates of birth and death have been generalized to years of birth and death only. Dates of diagnosis and treatment have been generalized to monthly intervals. Data fields that remain unchanged are diagnosis and treatment procedures. If, say, only three individuals born in 1982 received a particular diagnosis in March 2014, the risk of re-identification is too high. One option is to delete these records. The other is to apply additional anonymization, perhaps by generalizing years of birth to ten-year intervals (e.g., 1980-1989, or alternatively age 30-39).

The key to anonymization lies not in deleting particular types of data, but in preventing the occurrence of subsets of one or a few individuals with a specific set of characteristics. The concept of dimensions of identity provides a starting point towards this goal by helping to break down a dataset and suggest possibilities for anonymization. Dimensions not relevant to a particular purpose can be eliminated from the dataset. Within each of the remaining dimensions, the most specific fields can be deleted, randomized, or generalized. Finally, any very small subsets remaining can be identified and deleted. When this is accomplished, the risk of re-identification approaches zero, as any unique or distinct attributes of individuals have been concealed.
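The hospital scenario above, worked through as an added example that is not part of the original article: it counts how many records share each combination of year of birth, diagnosis and diagnosis month, generalizes years of birth to ten-year intervals when any group is too small, and deletes whatever small subsets remain. The minimum group size of 5, the field names and the sample records are constructed assumptions; the article only states that a group of three is too small.

```python
from collections import Counter

# Assumed threshold: the article only says that a group of three is too small.
MIN_GROUP_SIZE = 5

# Attributes that, in combination, could single out a patient.
QUASI_IDS = ("birth_year", "diagnosis", "diagnosis_month")


def rows(n, birth_year, diagnosis, month):
    """Build n constructed sample records that share the same attributes."""
    return [
        {"birth_year": birth_year, "diagnosis": diagnosis, "diagnosis_month": month}
        for _ in range(n)
    ]


# Constructed sample data: names and health card numbers are already removed,
# and diagnosis dates are already generalized to months.
SAMPLE = (
    rows(3, 1982, "diagnosis A", "2014-03")    # the three-patient group from the text
    + rows(2, 1985, "diagnosis A", "2014-03")
    + rows(1, 1987, "diagnosis A", "2014-03")
    + rows(5, 1975, "diagnosis B", "2014-03")
    + rows(1, 1990, "diagnosis C", "2014-04")  # unique even after generalization
)


def group_sizes(records, quasi_ids=QUASI_IDS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def small_groups(records, k=MIN_GROUP_SIZE, quasi_ids=QUASI_IDS):
    """Return the combinations shared by fewer than k records."""
    return {key: n for key, n in group_sizes(records, quasi_ids).items() if n < k}


def generalize_birth_year(record):
    """Replace an exact year of birth with its ten-year interval."""
    if not isinstance(record["birth_year"], int):
        return dict(record)  # already an interval
    start = record["birth_year"] // 10 * 10
    return {**record, "birth_year": f"{start}-{start + 9}"}


def anonymize(records, k=MIN_GROUP_SIZE, quasi_ids=QUASI_IDS):
    """Generalize only if needed, then delete subsets that are still too small.

    Returns (released_records, suppressed_count).
    """
    if not small_groups(records, k, quasi_ids):
        return [dict(r) for r in records], 0
    generalized = [generalize_birth_year(r) for r in records]
    risky = small_groups(generalized, k, quasi_ids)
    released = [
        r for r in generalized
        if tuple(r[q] for q in quasi_ids) not in risky
    ]
    return released, len(generalized) - len(released)


if __name__ == "__main__":
    print("Groups below threshold before:", small_groups(SAMPLE))
    released, suppressed = anonymize(SAMPLE)
    print("Released:", len(released), "Suppressed:", suppressed)
    print("Group sizes after:", dict(group_sizes(released)))
```

Passing this check addresses only the first criterion, singling out; linkability to outside sources and inference from the remaining attributes still need separate review.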

Reference

Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques. 

How to Protect Canadian Health Data

Canadian Healthcare and U.S. Cloud Services: Is HIPAA Compliance Good Enough for Canadian Health Data?

Many Canadian healthcare organizations are asking questions about using U.S.-based cloud service providers to manage services such as email and databases. Cloud service providers in the U.S. and public organizations in Canada often ask whether compliance with the Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from the U.S. to Canada?

Among Canadian organizations, public healthcare providers have particularly complex information technology needs. They store large volumes of personal data that need to be easily accessible, yet also protected by strong privacy safeguards. They need private and secure means for communication and data sharing. In addition, they often de-identify or anonymize data for use in research and system planning. Cloud services appear to be a promising option to meet some of these needs. They offer to eliminate the expense of maintaining secure servers, and deliver easy but secure data access and improved features. Cloud services are also typically more interoperable than local systems. It seems a cost-effective and convenient solution.

Numerous Canadian healthcare organizations are, in fact, choosing to make use of cloud services to manage email, databases, and other systems. This is a decision that needs to be examined carefully from the perspective of privacy and security. Most cloud service providers are based in the U.S. It can be difficult to assess whether these companies are in compliance with Canadian privacy laws and standards. Organizations often ask whether compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from one jurisdiction to another?

HIPAA vs. PHIPA

Both in Canada and in the U.S., healthcare is recognized as a sector that requires specific privacy legislation. In the U.S., healthcare privacy is regulated by the Health Insurance Portability and Accountability Act (HIPAA). In Canada, most provinces have dedicated healthcare privacy legislation.

Does HIPAA compliance have any relevance to Canadian healthcare organizations? It is difficult to compare HIPAA with Canadian healthcare privacy laws such as Ontario’s Personal Health Information Protection Act (PHIPA) and Alberta’s Health Information Act (HIA) because they are written in different language. Canadian privacy laws generally focus on objectives rather than methods, and use general terms: for example, Ontario’s PHIPA states that Health Information Custodians (HICs) must take “reasonable steps” to protect personal health information against theft, loss, and unauthorized use and disclosure, as well as unauthorized copying, modification, or disposal. HIPAA, on the other hand, describes specific required physical and electronic safeguards for health information, such as facility access controls, workstation security, electronic information access control and authentication, and transmission security.

HIPAA compliance does indicate alignment with certain industry standards for privacy and security, but HIPAA differs from Canadian healthcare privacy laws on a number of specific points. For example, Ontario’s PHIPA has several requirements that are not included in HIPAA:

  1. Information technology service providers to HICs must “notify the custodian of any breach of the restrictions on its use and disclosure of personal health information or unauthorized access.”

This means that email or cloud storage providers serving healthcare organizations in Ontario are obligated to notify them of any security breaches or other instances of unauthorized access or disclosure. HIPAA does not require IT service providers to notify healthcare clients of breaches. While a notification requirement could be included in a contract with an American service provider, many U.S. service providers are reluctant to agree to notify their clients of breaches because of fears of liability and loss of reputation.

  2. Information technology service providers to HICs must “make available to the public, information about the services provided to the custodian; any directives, guidelines and policies of the provider that apply to the services provided; and a general description of the safeguards that have been implemented.”

IT service providers to Ontario healthcare organizations should provide a plain language description to be published online and in print about the services they will be providing, the privacy and security directives, guidelines, and policies to which they have agreed, and the information safeguards they employ.

  3. Information technology service providers to HICs must agree to comply with PHIPA.

“HIPAA Compliant” Applications

Do health applications advertised as “HIPAA-compliant” offer some legal assurance? Often, the answer is no. HIPAA does not apply to technological applications as such. Rather, it governs personal health information managed by covered entities such as hospitals, physicians, pharmacies, and health insurance companies. Health applications managed by covered entities are subject to HIPAA rules. Consumer health applications managed by private businesses or independent developers are not.

What developers of consumer health applications likely mean, when they advertise themselves as “HIPAA-compliant,” is that their solution aligns with HIPAA standards, and that they are willing to sign Business Associate Agreements (BAAs) with healthcare organizations. A BAA makes a service provider to a healthcare organization directly liable under HIPAA rules. Canadian healthcare organizations can obtain some legal protection by signing a BAA with a U.S.-based information service provider.

HIPAA definitely does not apply to consumer health applications, such as mobile apps and wearable devices, that collect health information for an individual’s use (e.g., monitoring one’s exercise habits or diet) but do not share this information with a healthcare provider. Healthcare providers who wish to recommend these applications to patients should be aware that Canadians have few legal avenues to enforce their privacy rights with respect to consumer applications.

This point is problematic when it comes to large U.S.-based IT service providers. It is doubtful whether American companies would agree to assess and monitor compliance with Canadian laws. The possibility of having to maintain compliance with multiple sets of laws from different jurisdictions is a liability which many companies are not willing to take on.

The U.S. National Security Caveat

The state of privacy in the U.S. cannot be understood apart from its national security legislation. Many Canadians hold privacy concerns about U.S. national security agencies’ broad access to data held by major internet companies. The USA PATRIOT Act and the U.S. National Security Agency’s PRISM project are frequently cited as privacy violations. It is often noted that this legislation permits more extensive surveillance of foreign citizens than of U.S. citizens. Yet the U.S. Cybersecurity Information Sharing Act (CISA), passed in 2015, may be even more problematic. CISA’s stated goal is to develop procedures for the federal government to share classified and declassified information on cybersecurity threats with private companies, lower levels of government, and the public. In practice, this could legally justify the existence of a catch-all database recording internet traffic, accessible to multiple levels of government and corporations. Several privacy provisions included in the draft bill were removed shortly before the bill was passed.

It is largely because of concerns about surveillance that two Canadian provinces, British Columbia and Nova Scotia, have passed laws prohibiting public bodies, such as healthcare and educational institutions, from storing personal information outside of Canada. While other provinces do not explicitly prohibit this practice, it is clear that from a privacy perspective it is not ideal for Canadians’ personal information to be managed by U.S. companies.

The current reality is that U.S.-based cloud service providers are generally not in compliance with Canadian legal requirements and have no plans to achieve compliance. Canadian organizations considering using American cloud services should carefully consider how to ensure legal compliance and enforce contracts. If Canadian organizations choose to utilize U.S.-based service providers, they will need to retain enough power and control to monitor legal compliance and effect changes needed to bring systems into alignment with Canadian laws.

How to Protect Canadian Health Data

For healthcare organizations in provinces that permit the use of U.S.-based cloud services, contractual and technical safeguards can mitigate some of the privacy risks.

  1. Sign a Business Associate Agreement

The HIPAA Privacy Rule recognizes that most healthcare providers employ third party service providers, including information service providers. HIPAA allows healthcare providers to disclose protected health information to these “business associates” if the providers “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”[1] These assurances are to be documented in a contract or agreement, commonly known as a Business Associate Agreement (BAA). Business associates that have signed a BAA are directly liable under HIPAA rules.

The U.S. Department of Health and Human Services website lists requirements for a BAA, and offers a list of sample provisions.[2] Ki Design’s experts in international privacy law can help your organization to draft a specialized BAA to protect Canadian health information managed by U.S.-based cloud service providers.

  2. Segregate data assets and support

Whether your organization chooses to procure cloud application services (software as a service – SaaS), cloud platform services (PaaS), or cloud infrastructure services (IaaS), personal health data need to be segregated from other cloud customers’ data at all three levels: application, platform, and infrastructure. Healthcare organizations should also choose cloud service providers with support services located in Canada or the U.S., and support technicians’ access to health data should be segregated.

  3. Choose database-level encryption

When healthcare organizations employ cloud services, it is essential that health data be encrypted at the database level, before data leave the source computer. Database-level encryption tools may be built into the original database, or may function as a separate engine, producing an encrypted version of the database.
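One way to encrypt health data before it leaves the source computer, shown as an added example (not code from the original article or from Ki Design): sensitive fields are encrypted with AES-256-GCM at the source, and each ciphertext is bound to its record and field so the storage provider cannot move it elsewhere undetected. This is field-level encryption rather than a database engine feature; the field names, record layout and in-memory key are assumptions made for illustration.

```javascript
// Added example: encrypt health-record fields before they leave the source computer.
const nodeCrypto = require('crypto');

// Assumed record layout: these field names are constructed for illustration.
const PHI_FIELDS = ['name', 'healthCardNumber', 'diagnosis'];

// The record id and field name are bound as additional authenticated data (AAD),
// so a ciphertext copied to another record or column fails to decrypt.
const aadFor = (recordId, field) => Buffer.from(`${recordId}|${field}`, 'utf8');

function encryptField(key, recordId, field, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(recordId, field));
  const body = Buffer.concat([cipher.update(String(plaintext), 'utf8'), cipher.final()]);
  // Stored layout: nonce (12 bytes) | auth tag (16 bytes) | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptField(key, recordId, field, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(aadFor(recordId, field));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, the AAD or the ciphertext does not match the tag.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Apply fn to PHI fields only; the id and non-PHI fields pass through unchanged.
function mapPhi(record, fn) {
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    out[field] = PHI_FIELDS.includes(field) ? fn(field, value) : value;
  }
  return out;
}

// Copy of the record that may be sent to the cloud service.
const protectRecord = (key, rec) => mapPhi(rec, (f, v) => encryptField(key, rec.id, f, v));
// Inverse, run only where the key is held (inside the organization).
const restoreRecord = (key, rec) => mapPhi(rec, (f, v) => decryptField(key, rec.id, f, v));

// Constructed sample; a real key comes from key management the organization controls.
const SAMPLE_KEY = nodeCrypto.randomBytes(32);
const SAMPLE_RECORD = { id: 'rec-001', name: 'Jane Example',
  healthCardNumber: '0000-000-000', diagnosis: 'constructed diagnosis', clinic: 'north' };
```

Because the key never accompanies the data, the provider stores only ciphertext for the protected fields, and searching or indexing on those fields has to happen on the organization's side.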

Using cloud services, and especially cloud services based in another country, to manage personal health data brings certain technical and legal risks. However, legal agreements and strong technical safeguards can mitigate some of the most significant risks. Contact Ki Design for a consultation on how your organization can use cloud services safely.

 

For more information on how Ki Design can help your organization use cloud services safely, please visit: https://kidesign.io/ or send us an email.

[1] http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/

[2] http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
