Deloitte & Touche LLP   Deloitte & Touche LLP
Global > Canada > Services > Enterprise Risk    
Ensuring the security of health records is a vital concern
How health care organizations can improve the security and privacy of patients’ medical records

For the health care industry, protecting the confidentiality of patient information is a vital concern. Privacy and security both play a role in balancing access to health information on a “need to know” basis in support of informed medical care. Legitimate access by health care providers and the appropriate availability of health information to promote patient safety must be combined with controls that limit access to unauthorized individuals.

“Health information is one of the most sensitive kinds of personal information that Canadians have a need to protect,” says Karina Guy of Deloitte’s Security & Privacy Services group. Health care organizations have a responsibility to ensure that patients’ health records are secure and their right to privacy is protected. At the same time, the implementation of new technologies to integrate health information systems presents challenges for health care organizations.

Health care organizations must respond to privacy legislation
Andreas Faruki, Deloitte’s Identity Management and Privacy Leader in Canada, understands the benefits of having a security and privacy infrastructure that enables robust health information systems. “Health care organizations are starting to realize the challenge of having improved security and privacy technology,” says Faruki. “The right solution can create better health outcomes and preserve patient trust.” Moreover, several provinces now have health information protection legislation that organizations must comply with.

Currently, individuals’ health records are protected through a patchwork of legislation and policies. However, some provinces — Alberta, Saskatchewan, Manitoba and Ontario — have dedicated health privacy legislation that establishes minimum standards for the collection, use, disclosure and safeguarding of health information. Those provinces that do not have stand-alone health privacy laws either capture health information under provincial public sector laws or federal/provincial private sector privacy laws.

There is a need for health care organizations to adopt a more strategic and comprehensive approach to the security and privacy of patient information. Canada Health Infoway, a not-for-profit organization, has developed standards for an electronic health record (EHR). In fall 2005, Infoway will be adding privacy and security standards to this framework. “The idea is that Canadians will have a secure electronic health record that can be used to support informed care, regardless of where an individual requires health services,” says Faruki. This vision is putting pressure on health care organizations to effectively plan for automated security and privacy solutions.

Identity management is crucial for a robust security solution
When Deloitte’s security and privacy practitioners work with health care clients, they understand that a robust identity management program underpins electronic health records systems. This infrastructure is used to support the vast “people directories” — registries housed by various local, provincial and federal health organizations across Canada. Deloitte’s security professionals advise on classifying the security and access rights for health care providers, patients and insurers. They also recommend privacy-enhancing technology to better manage discrete access to health information.

In addition to the challenges of authenticating and authorizing users to ensure they have appropriate access rights, an EHR must have the ability to uniquely and accurately identify each patient. The system must be sophisticated enough to distinguish which information is necessary to display depending on the context of health services. In extreme cases, protected information can be overridden. A doctor treating an apparent at-risk patient could break the “lock” on sealed information that has been withheld from general access in order to safely provide services to the patient.

Identifying information risks in health care technology
Deloitte professionals help health organizations conduct risk assessments of current and planned health system environments. This includes testing health care application integrity and system vulnerability through an ethical hack (intentionally breaking into a computer security system), or by running a program to identify vulnerability in passwords, authentication processes and Internet access.

Risk management exercises include testing business continuity management and disaster recovery processes, which are unique safety and security concerns in health care. If a technology system goes down because of a power failure or a network crash, there must be a process in place to allow immediate recovery of that patient data.

Privacy matters are wide-ranging for health care
Aside from implementing security solutions, Deloitte's Security & Privacy Services team conducts privacy impact assessments and audits for health care organizations, and advises on privacy issues including the use of third-party service providers. Deloitte practitioners also advise on complying with health information management standards and security standards such as ISO 17799. “Health care organizations realize the importance of privacy in the evolution of health care systems,” says Guy. And with good reason — the stakes are very high.
 

  
Deloitte’s Security & Privacy Services group takes a comprehensive approach to health care security and privacy. The design of protection controls includes:
  • creating a robust identity management program
  • developing access rights and role matrices
  • automating security and privacy business rules through technology
  • conducting privacy impact assessments and security threat risk assessments
  • testing application integrity and system vulnerability
  • examining business continuity management and disaster recovery processes
Contact us for more information about this topic.
 
Source: Deloitte & Touche LLP - Canada (English)

Print this page    Email To A Colleague
  Security | Legal | Privacy    

© 2008 Deloitte & Touche LLP and affiliated entities.

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

Bookmark