Privacy & Security
Panel identifies threats from faxes, snooping, cyber-attacks
March 3, 2023
Ontario intends to eliminate 80 percent of the faxing done in the healthcare system over the next five years, says Michael Hillmer, ADM, Digital and Analytics Strategy Division, Ministry of Health. That level of faxing is made up of clinicians using the error-prone technology for prescriptions, referrals, lab and diagnostic imaging orders.
“If you can have easy-to-use apps, you can phase out faxes over this period of time,” he said, in a panel discussion at the Ontario Information and Privacy Commission’s conference titled “Building Trust in Digital Healthcare.” The session was held in Toronto at the end of January.
In her preliminary remarks, privacy commissioner Patricia Kosseim observed that 50 percent of the complaints about healthcare privacy breaches made to her organization in 2021 stemmed from misdirected faxes. Her agency recently completed a report which concluded that faxes have no place in Ontario’s healthcare system.
At the same time, she acknowledged that faxes are difficult to eradicate from the system because they are so deeply entrenched in everyday use by clinicians. “Axing the fax is not so easy,” she said.
Kosseim emphasized that the IPC is ready and willing to work with organizations to get rid of faxes. Faxed documents are often sent to the wrong place; even when they’re sent to the right place, they can be read by the wrong people.
Kosseim said the Ontario IPC is also working to reduce snooping of electronic records that occurs within healthcare centres and cyber-attacks that come from without. Both forms of intrusion prey on the health records of patients and ultimately reduce patient trust in the healthcare system.
“Without trust, patients will not be forthcoming about their conditions,” said Kosseim. And of course, if they’re not truthful about their problems, caregivers will not be able to treat them effectively.
What’s more, if patients don’t trust the system, some won’t seek help in the first place. And others won’t participate in research studies, which undermines the ability to create future therapies.
“Trust takes years to build and seconds to break,” she noted.
Wendy Lawrence, chief risk, legal and privacy officer, St. Joseph’s Healthcare Hamilton, commented on her organization’s efforts to improve the security of patient information and to enhance patient trust.
St. Joe’s was reacting to a review by the Information and Privacy Commission, which had noticed an unusually high number of reported incidents in the hospital’s 2020 annual statistical report. All health information custodians in Ontario are required by law to submit these reports to the IPC annually.
Statistical reports submitted by St. Joseph’s Healthcare Hamilton to the IPC for the year 2020 showed 1,006 unauthorized disclosures of personal health information (PHI), with 981 of those disclosures due to misdirected faxes.
Given the large number reported, the IPC opened a file to gather more information about these incidents. In response to the IPC’s request for additional information regarding the circumstances of the misdirected faxes, the hospital conducted a comprehensive review of all the reported instances of misdirected faxes.
The introduction of a centralized fax incident reporting tool at St. Joe’s had resulted in an increase in the number of fax-related mishaps reported and enabled the hospital to identify the cause of misdirected faxes.
Following its review, the hospital explained that the number of misdirected faxes had been over-reported to the IPC in 2020. It advised that there were 708 incidents in total, and that 563 of them resulted from primary healthcare provider contact information having changed without being updated in the hospital’s system. Another 124 of the misdirected faxes were caused by hospital error.
In response to the review, the hospital made great strides not only in reducing the risk of sending faxes to the wrong individuals, but also in curbing its use of this outdated and insecure communication technology.
It has since put in place an “e-referral first” policy for referrals from primary care providers and is actively working with other health system partners in the region to reduce overall use of faxes in favor of more secure electronic solutions for transmitting personal health information.
“E-referrals were piloted in two high-volume areas of the hospital,” said Lawrence. “We now have a policy to use e-referral first, unless it can’t be done for a particular patient.”
She said, “We’re now partnering with two other hospitals for all DI referrals, where e-referrals must be used.”
She added that e-referrals are now being used, as well, for patient transfers with a long-term care partner, and that this project is being expanded to include other long-term care centres.
When it comes to patient privacy breaches, Lawrence said the hospital adapted methods and practices from clinicians who are investigating cases of medical error. “We’re not there to blame, we’re there to learn,” she said.
Moreover, the hospital is not just looking for breaches of privacy, it is also investigating near misses – just as clinicians study near misses in medical procedures.
In this way, she said, reported breaches “turn into a learning experience that provides value for the entire community.”
On the topic of snooping of electronic patient records by people inside a medical organization, Hillmer noted that Ontario has created what’s called an Administrative Monetary Penalty or AMP. It enables an independent arbitrator to adjudicate and set a fine.
It’s in response to the danger that unauthorized access to records poses for the healthcare system at large. “What will happen if people are maliciously snooping?” asked Hillmer. “It reduces trust and the flow of information.”
He added, “We believe Ontario is the first [jurisdiction in Canada] to put it into privacy legislation. Now we have to enact it.”
Hillmer said the AMP can be used to deal with intrusions more quickly than the courts – which can take years to act. However, he noted that care must be taken to avoid an information “chill”, where people are afraid to handle files at all, lest they make a mistake.
“Things can happen because we’re human, like leaving a chart in a stairwell,” he said. If there appears to be an unforgiving legal system at work, “people will retrench and stop sharing information,” which can be just as bad as the snooping.
“There has to be a balance,” said Hillmer, “where we acknowledge that sometimes mistakes are made.”
For her part, Nyranne Martin, general counsel and chief privacy officer, The Ottawa Hospital, commented on an AI-based tool that’s being used at the hospital to detect misuse of patient records. She emphasized, however, that the “overwhelming majority of healthcare providers earn and keep the public’s trust.”
There are rare occasions where unauthorized intrusions occur.
She said that AI is being piloted at the hospital to detect instances of these intrusions without having to rely on random audits. Instead, the AI system is continually monitoring the electronic record system and detects use of the system that appears to be unwarranted.
“Instead of finding a needle in a haystack, the needle pops out at you,” she said.
For example, when your records are being opened in the hospital and the person opening them appears to be your neighbour rather than your attending physician or nurse, the system will flag it.
“If you’re not in the person’s circle of care, you might get a message from the privacy commissioner,” said Martin. And you might then have to justify why you were opening the records.
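The circle-of-care check Martin describes, as an added illustration that is not The Ottawa Hospital’s system or code: the hospital’s pilot uses AI, whereas this Python stand-in applies two explicit rules over constructed audit-log events and a constructed care-team roster (every user, patient and timestamp below is made up), so the reader can see what the audit data has to contain for an access to be flagged and how a privacy officer might group the results by user rather than chasing single hits.

```python
"""Simplified rule-based detector for unwarranted patient-record access.

Assumptions (not from the article): the electronic record system writes one
audit event per record access, and a care-team roster records which staff are
assigned to each patient. All identifiers and events here are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str            # ISO-8601, constructed
    user_id: str              # staff account that opened the record
    patient_id: str           # record that was opened
    action: str               # "view" or "edit"
    break_glass: bool = False  # emergency override asserted by the user


# Constructed roster: patient -> staff accounts in that patient's circle of care.
CARE_TEAMS = {
    "P-1001": {"dr.ng", "rn.patel"},
    "P-1002": {"dr.ng", "rn.okafor"},
    "P-1003": {"dr.lee"},
}

# Constructed audit log. The third and sixth events are a clerk opening records
# for patients he is not assigned to; the fifth is an emergency override by a
# nurse outside the patient's team; the rest are routine team access.
SAMPLE_EVENTS = [
    AccessEvent("2023-01-30T08:02:11", "dr.ng", "P-1001", "view"),
    AccessEvent("2023-01-30T08:05:40", "rn.patel", "P-1001", "edit"),
    AccessEvent("2023-01-30T12:17:03", "clerk.d", "P-1002", "view"),
    AccessEvent("2023-01-30T13:41:55", "dr.lee", "P-1003", "view"),
    AccessEvent("2023-01-30T22:09:18", "rn.okafor", "P-1003", "view", break_glass=True),
    AccessEvent("2023-01-31T09:00:00", "clerk.d", "P-1003", "view"),
]


def in_circle_of_care(user_id, patient_id, care_teams):
    """True when the user is on the patient's assigned care team."""
    return user_id in care_teams.get(patient_id, set())


def flag_unwarranted_access(events, care_teams):
    """Return one finding per access that a privacy officer should review.

    Rule 1: access by someone outside the circle of care with no override
            -> "outside_circle_of_care" (the user may be asked to justify it).
    Rule 2: a break-glass override by someone outside the circle of care
            -> "break_glass_review" (the stated justification must be checked).
    Access by assigned team members is not reported.
    """
    findings = []
    for ev in events:
        if in_circle_of_care(ev.user_id, ev.patient_id, care_teams):
            continue
        reason = "break_glass_review" if ev.break_glass else "outside_circle_of_care"
        findings.append({
            "timestamp": ev.timestamp,
            "user_id": ev.user_id,
            "patient_id": ev.patient_id,
            "action": ev.action,
            "reason": reason,
        })
    return findings


def summarize_by_user(findings):
    """Count findings per user so repeat patterns stand out from one-off errors."""
    return dict(Counter(f["user_id"] for f in findings))


if __name__ == "__main__":
    found = flag_unwarranted_access(SAMPLE_EVENTS, CARE_TEAMS)
    for f in found:
        print(f)
    print(summarize_by_user(found))
```

A real deployment would draw the roster from scheduling and admission data and would need to tolerate legitimate exceptions (covering clinicians, consults, on-call staff), which is the part the hospital’s AI is meant to learn rather than have hard-coded; the two rules above only make explicit what “circle of care” has to mean in the data before any model can be trained on it.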
However, Martin said that a new way of looking at intrusions has evolved at The Ottawa Hospital, one that has been championed by the Quality side.
“We avoid targeting individuals when whole teams are involved,” she said. “You want to have a systems view of how people operate in an imperfect environment.”
She compared this to a highway in which everyone appears to be speeding. “Who do you chase?” Is just one person culpable when a whole group is breaking the rules?
And unless a transgression is severe and malicious, she said, it’s better to “coach and console” that person. “We want to punish only in extreme cases.” That approach tends to build trust with healthcare providers as well as with patients.
Finally, the panel dealt with the issue of cyber-attacks. “The threats are becoming more complex, it’s not getting any easier,” said Eric Ward, assistant privacy commissioner and moderator.
Arianne Siegal, general counsel and chief privacy officer, OntarioMD, observed that protecting oneself from hacks is an issue for Ontario’s 25,000 community physicians – who are essentially operating as small businesses. These doctors are focused on providing care for their patients, but in a world where they’re required to use electronic medical records, they’re also acting as I.T. professionals and privacy officers, as well as managing their offices.
In response, OntarioMD worked with Ontario Health to create a set of free, online tools that are available 24/7. The resources are available to physicians and allied professionals and provide training in best practices based on real-world cases. They teach clinicians how to protect themselves and their practices from hacks and intrusions.
Hillmer noted the difficult situation that the growing number of cyber incidents creates for doctors’ offices and small hospitals. “Small centres will never have the resources to mount a strong defence. But we can’t let them not have them.” Pointing to a step in the right direction, Sylvie Gaskin, chief privacy officer at Ontario Health, described a recent partnership between Ontario Health and the Ministry of Health to develop operational centres that can help the smaller players build their cyber resiliency.