Safeguarding patient data in an era of accelerated virtual care
April 30, 2021
If there is a silver lining to the pandemic, it’s that virtual care is rapidly becoming a viable and more accessible way to bring healthcare treatment to those who need it most.
According to the Canadian Attitudes on Healthcare and Telemedicine Report released in November 2020, 70 percent of Canadians believe virtual care represents the future, especially as COVID-19 makes it more difficult to access in-person healthcare.
But with the rapid deployment of online healthcare resources comes the increased potential for cybersecurity attacks and expensive privacy breaches. According to the global Center for Internet Security, personal health information is more valuable on the black market than credit card credentials or any other personally identifiable information, with the average cost of a data breach incurred by a healthcare agency at US$355 per patient record.
“Hospitals have been providing some form of virtual interaction with patients in the past, even if it’s through a portal,” said Ira Parghi, a lawyer at Borden Ladner Gervais LLP in Toronto who specializes in information privacy and security issues. But there are a lot of other service providers in healthcare for whom virtual care is “unchartered territory,” she added.
Parghi said many of these virtual care technologies were rolled out quickly during the pandemic, with little attention to the healthcare providers having to use them.
“When you’re feeling stressed, as many providers are right now, it’s hard because you also need to make sure you’re configuring the technology correctly in the first place, so you’re not accidentally exposing data,” she said. “You also want to make sure your staff feel comfortable with using it properly, so there is a lot to think about.”
Getting staff into cybersecurity courses is one way to help ensure employees keep deploying best practices when using these technologies. But Parghi said it’s important for providers to consider the patient’s perspective in terms of truly understanding what virtual healthcare entails and the inherent risks involved.
To that end, healthcare institutions are encouraged to inform patients ahead of time about the potential risks of virtual care – and to obtain their express consent to receiving it. “Now that the widespread rollout has taken place, it’s time to pause and consider potential privacy and security risks and how best to manage and mitigate them.”
To help organizations do just that, the Information and Privacy Commissioner of Ontario recently released new guidelines for virtual care providers, Privacy and Security Considerations for Virtual Healthcare Visits: Guidelines for the Health Sector. The guidelines advise on the steps providers, including frontline physicians and practical nurses, should take in laying the groundwork for enhancing privacy and security in virtual care.
Ontario Health, a government agency focused on making the province’s healthcare system more efficient and patient-centred, said ongoing measures to safeguard privacy include conducting privacy impact assessments and threat risk assessments and developing comprehensive virtual care policies and supporting practices.
“As with face-to-face appointments, patient privacy and health information confidentiality must be protected during a virtual care appointment, and providers must comply with applicable privacy laws,” said Sylvie Gaskin, interim chief privacy officer, Ontario Health. “Patients must be informed they can withdraw their consent at any time while participating in a virtual visit.”
In partnership with the Ministry of Health, Ontario Health also initiated changes to the Ontario Virtual Care Program to support more choices for virtual visit solutions for healthcare providers.
The provincial standard aims to foster confidence that virtual care solutions meet privacy, security and technical requirements. For a virtual solution to be certified, vendors must meet the standard requirements and agree to participate in additional risk-based verification testing with Ontario Health within one year.
Meanwhile, technology providers like Microsoft are advocating for the need to be thoughtful and deliberate in how virtual healthcare technologies are deployed. “There are some places where innovation needs to go quickly, but there are other places where innovation needs to be thoughtful and disciplined as the way forward,” said John Weigelt, national technology officer at Microsoft Canada.
Early on in the pandemic, he said Microsoft decided it would deploy technology solutions during COVID-19 only if they adhered to key privacy principles, such as consent by choice when it comes to data storage and the ability to delete data after its use has been exhausted. “These have really guided all our activities as we move forward and deliver solutions like virtual visits.”
For example, Microsoft provides automated tools that allow customers to get a scorecard reading about how well their security has been implemented. “They can watch it over time, and they can really track their progress in terms of some of these critical items.”