Smart Privacy Auditing – An Ontario Healthcare Case Study

IPCS Smart Privacy Auditing Seminar

On September 13, Dr. Waël Hassan was a panelist at the Innovation Procurement Case Study Seminar on Smart Privacy Auditing, hosted by Mackenzie Innovation Institute (Mi2) and the Ontario Centres of Excellence (OCE). The seminar attracted leaders from the health care sector, the private information and technology industry, and privacy authorities. The seminar explored the concept of innovative procurement via the avenue of competitive dialogue, in addition to demonstrating the power and benefits of using artificial intelligence to automate the process of auditing all PHI accesses within a given hospital or health network.

What are the benefits of participating in an innovative procurement process, particularly competitive dialogue?

An innovative procurement partnership between Mi2, Mackenzie Health, Michael Garron Hospital, and Markham Stouffville Hospital was supported by the OCE’s REACH grant and sought to identify an innovative approach to auditing that could be applicable to the privacy challenges faced by numerous hospitals with different practices, policies, and information systems. Rather than focus on how the solution should operate, the partners collaboratively identified six outcome-based specifications the procured audit tool would be required to meet.

By identifying key priorities and specifying the outcomes a solution should achieve, Competitive Dialogue establishes a clear and mutual understanding of expectations. This can help the private sector narrow down solution options to a model best-suited for the contracting authority’s unique context. The feedback loop provided by the iterative rounds (if used) enables vendors to clarify any confusion and customize proposals to the contracting authority’s unique needs, staff workflows, and policy contexts.

Competitive Dialogue is an opportunity for transparent communication that lets vendors learn more intimate details of what the contracting authority, in this case Mackenzie Health, needs from a solution. Because hospitals are not tech or security experts, they often struggle to accurately identify and define what solutions they need to solve a particular issue, and thus a traditional procurement process is rarely ideal since there is little to no room for clarification or feedback. This process is more flexible than the traditional procurement process and thereby allows for more creativity and innovative thinking during the initial proposal development. Encouraging creativity and creating a competitive environment in which competing vendors may be bouncing ideas off each other results in higher quality proposals and final solutions.

Mackenzie Health Case Study

Mackenzie Health employs over 450 physicians and 2,600 other staff members, processes nearly 55,000 patient medical record accesses every day, and has just one privacy officer to monitor everything. Mackenzie Health’s privacy needs far outweigh its capacity, so they turned to the private sector for an innovative solution.

Section 37(1) of PHIPA outlines the possible uses of personal health information, and these guidelines are based on the purpose underlying the activities. Because the legal framework is centred on purpose, KI Design’s approach is to explain the purpose for accessing a given medical record. The core of this technology is more commonly known as an explanation-based auditing system (EBAS) designed and patented by Dr. Fabbri of Maize Analytics.

To detect unauthorized accesses, the technology has the capability of identifying an intelligible connection between the patient and the employee accessing the patient’s records. AI changes the fundamental question underlying auditing tools from “who is accessing patient records without authorization?” to “for what purpose are hospital staff accessing patient records?” Asking this question helps the technology break down staff workflows and identify common and unique purposes for accessing any given medical record. Each access is then categorized as either authorized or unexplained, and unexplained accesses may be flagged as potentially unauthorized behaviour. The technology is able to filter out the authorized accesses, which are usually 98% to 99% of all accesses, so that the Privacy Officer can focus on the much smaller number of unexplained and flagged accesses.
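The filtering idea described above, as an added example that is not part of the original post and is not the patented EBAS or any vendor's code: each access is explained by a connection between employee and patient, and whatever has no explanation is left for the Privacy Officer. The tables, names, rule set and one-day window are all constructed assumptions.

```python
from collections import namedtuple

Access = namedtuple("Access", "employee patient day")

# Constructed sample data (hypothetical names); not from any hospital system.
APPOINTMENTS = {("dr_lee", "p100", 1), ("dr_shah", "p200", 2)}  # clinician, patient, day
DEPARTMENT = {"dr_lee": "cardiology", "nurse_kim": "cardiology",
              "dr_shah": "oncology", "clerk_roy": "billing"}
BILLING_EVENTS = {("p200", 3)}                                   # patient, invoice day
ACCESS_LOG = [
    Access("dr_lee", "p100", 1),
    Access("nurse_kim", "p100", 1),
    Access("clerk_roy", "p200", 3),
    Access("nurse_kim", "p200", 2),
    Access("clerk_roy", "p100", 5),
]

def explain(access, window=1):
    """Return the purpose that connects employee and patient, or None."""
    # Clinicians with an encounter for this patient close to the access day.
    treating = {c for (c, p, d) in APPOINTMENTS
                if p == access.patient and abs(d - access.day) <= window}
    if access.employee in treating:
        return "treating clinician"
    dept = DEPARTMENT.get(access.employee)
    # Indirect connection: a colleague in the same department treated the patient.
    if dept is not None and any(DEPARTMENT.get(c) == dept for c in treating):
        return "same department as treating clinician"
    # Administrative connection: billing staff and a recent invoice.
    if dept == "billing" and any(p == access.patient and abs(d - access.day) <= window
                                 for (p, d) in BILLING_EVENTS):
        return "billing for recent invoice"
    return None

def audit(log):
    """Split a log into (access, purpose) pairs and unexplained accesses."""
    explained, unexplained = [], []
    for access in log:
        purpose = explain(access)
        if purpose:
            explained.append((access, purpose))
        else:
            unexplained.append(access)
    return explained, unexplained

if __name__ == "__main__":
    explained, unexplained = audit(ACCESS_LOG)
    for access, purpose in explained:
        print("explained  ", access, "->", purpose)
    for access in unexplained:
        print("UNEXPLAINED", access)
```

An unexplained access is a lead for review, not a finding: a missing explanation can also mean the rule set does not yet model a legitimate workflow.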

Why is the private sector interested in health care?

Health care is an extremely complex system operated by the province and service providers. The province is a specialist in governance and regulation, the service providers are specialists in medicine – neither are experts in privacy or security. Companies such as KI Design are interested in filling the expertise gap within the health care sector by working closely in tandem with health care providers and the Information & Privacy Commissioner to adapt privacy and security solutions that are suitable for their working realities. There is irrevocable value added in having a privacy and security expert working directly with hospitals and other health service providers to assist in refining privacy best practices and implementing a privacy tool that will improve privacy and security outcomes without restricting the workflows of health practitioners.

To learn more about how AI solutions improve auditing, visit https://phipa.ca/

Building a Social Media Pipeline

A Presentation by Dr. Waël Hassan at Boston University School of Media & Communications

Abstract: Companies that have developed success criteria, established their style, decided on their sources, and set up a business process, while surveying their results, are winning big on social media. The least understood part of building an enterprise social media service is how to build a social media pipeline. This presentation describes how to do that.

Political Cyber Security

The daily life and economics of the global citizen depend increasingly on a stable, secure, and resilient cyberspace. Even before he was elected president, Donald Trump promised to make cybersecurity “an immediate and top priority for [his] administration.” Yet, months into his presidency, Trump and global leaders worldwide have struggled with how policies should address the use of their personal technology.

Cybersecurity has gotten sucked into the inevitable vortex of politicization.

Perhaps the issue first came to media attention when it was discovered that Hillary Clinton was using a private email server when she was Secretary of State. In response, Clinton has said that her use of personal email was in compliance with federal laws and State Department regulations, and that former secretaries of state had also maintained personal email accounts, though not their own private email servers. In a summary of its investigation into Clinton’s use of private email, the FBI concluded that a username and password for an email account on the server were compromised by an unknown entity, which had logged into the compromised email, read messages, and browsed attachments using a service called Tor. Unique to Hillary’s case is that the FBI had repeatedly noted that if a breach did occur, its agents might not be able to tell, but that there was no evidence previously to indicate that Hillary Clinton’s personal email account was hacked.

More recently, the campaign of the French presidential candidate Emmanuel Macron was hit on May 5th, 2017 with leaked emails and other documents on a file-sharing website. Security analysts are under the impression that the huge leak of emails from Macron’s campaign team might have been coordinated by the same group of individuals behind the Democratic National Committee leak that affected Clinton. In fact, the Macron campaign directly compared the hacking to the targeting of the Clinton campaign, in a statement that read: “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy, as already seen in the United States’ last president campaign. We cannot tolerate that the vital interests of democracy are thus endangered.”

However, the ‘Macron-hack’ emerged when an anonymous poster provided links to documents on Pastebin with the message: “This was passed on to me today so now I am giving it to you, the people.” This serves as an example of how authentic documents can easily be mixed on social media with fakes to perpetuate fake messages that can harm political campaigns. While France’s electoral commission aimed to prevent this hack from influencing the election by warning local media that sanctions can be placed on them if they spread this information, the overall effect this link will have on Macron is unknown.

While we acknowledge that it is difficult to assess the impact of a breach of a single account on a server, these incidents raise fresh questions about the security of other electronic accounts of politicians.

Politicians are particularly vulnerable to cybersecurity threats for the following reasons:

  • All politicians use different or even multiple platforms (Windows, mobile, app, etc.), different email systems (Gmail, Hotmail, corporate Exchange, Yahoo) and different file sharing systems (Dropbox, Box, iCloud), which makes it harder to employ the strictest security standards on each one.
  • Politicians work with a lot of individuals for temporary amounts of time, such as volunteers. As such, it is sometimes hard to know who you’re working with.
  • There is also a lack of centralized administration. Cybersecurity tends to transcend traditional political fault lines, making it at best confusing territory for politicians.

Regardless of which side of the political aisle your ideas land on, there is little debate that cybersecurity continues to be a hot issue. Nowadays, for politicians, ignoring cyber issues could derail their career. Whether it be governments, individuals, or even campaign trails – the political cybersecurity world has experienced a resurgence of threats.

Fortunately, the Blockchain’s alternative approach to storing and sharing information provides a way out of this security mess for four very important reasons:

  1. The decentralized consensus nature of Blockchains makes it almost impossible to break into it.
  2. It’s platform agnostic, so it runs on any combination of operating system and underlying processor architecture.
  3. Once configured, it does not need an administrator.
  4. Malware cannot break into it.

A Blockchain is a register of records prepared in data batches called blocks that use cryptographic validation to link themselves together. Publishing keys on a Blockchain instead would eliminate the risk of false key propagation and enable applications to verify the identity of the people you are communicating with. Similarly, using a public Blockchain like Bitcoin would mean your entire system is decentralized with no single point of failure for attackers to target. As of right now, Estonia is one of the first countries to use Blockchain this way, although other governments are slowly warming up to Blockchain technology.
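The register described above, as an added example that is not part of the original post: blocks of key publications linked by SHA-256, with a check that locates the first block whose contents or link no longer match. Identities and key fingerprints are constructed; only the hash linking is modelled, not the decentralized consensus of a public chain.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first block

def block_hash(index, prev_hash, records):
    """Hash the block's position, its link to the previous block, and its records."""
    payload = json.dumps([index, prev_hash, records], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_block(chain, records):
    """Append a block of {identity: key fingerprint} publications."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev_hash": prev, "records": records,
                  "hash": block_hash(index, prev, records)})
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails validation, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev_hash"] != prev
                or block["hash"] != block_hash(i, prev, block["records"])):
            return i
        prev = block["hash"]
    return None

def lookup_key(chain, identity):
    """Return the latest published key for identity; refuse a broken register."""
    if first_invalid_block(chain) is not None:
        raise ValueError("register failed verification")
    key = None
    for block in chain:
        key = block["records"].get(identity, key)
    return key

def build_sample():
    """Constructed register: two publications, then a key rotation."""
    chain = []
    append_block(chain, {"candidate@example.org": "fp-1111"})
    append_block(chain, {"staffer@example.org": "fp-2222"})
    append_block(chain, {"candidate@example.org": "fp-3333"})
    return chain

if __name__ == "__main__":
    chain = build_sample()
    print(lookup_key(chain, "candidate@example.org"))
    forged = copy.deepcopy(chain)
    forged[0]["records"]["candidate@example.org"] = "fp-EVIL"
    print("first invalid block:", first_invalid_block(forged))
```

A verifier that holds only one copy of the register can detect edits to earlier blocks but cannot tell a fully rewritten register from the real one; that comparison across independent copies is the part consensus provides.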

Moreover, there’s a rising tide for big data analytics to help combat cyber-threats and attackers. Social analytics tools can serve as the first line of defense for politicians by combining machine learning and text mining modeling to provide an all-inclusive and amalgamated approach to security threat prediction, detection, and deterrence.

Cyberspace is the underlying infrastructure that holds the key to modern technology. The types of threats that have impacted politicians in the USA and Europe are real and actively happening. Blockchains and analytic tools will not be the golden ticket to fix everything that’s wrong with cybersecurity for politicians, but they can be a place to start. The Blockchain provides innovations that current systems and politicians could embrace.

For more information on how to protect yourself as a politician, please contact Waël Hassan, PhD.