In a recent decision involving a stolen laptop computer containing the personal health information (PHI) of thousands of hospital patients, the Information and Privacy Commissioner of Ontario ordered a hospital to take a number of steps to prevent such a security breach from happening again.
It is noteworthy that one of the measures required was the encryption of any personally identifiable data removed from the hospital on a laptop or other remote computing device. Significantly, the commissioner concluded that:
- password protection did not provide adequate protection against unauthorized access;
- a ‘multi-layered’ approach should be adopted to guard against unauthorized access; and
- the onus is on an organization to justify not using encryption on portable devices which contain PHI.
A researcher at Toronto’s Hospital for Sick Children (SickKids) took a laptop computer from the hospital, with the intention of analyzing the research data stored on it at home. However, prior to going home, the physician parked his vehicle in a downtown Toronto parking lot, leaving the laptop inside. The vehicle was broken into and the laptop was stolen.
The PHI stored on the laptop included the name and hospital number of each patient, as well as clinical information relating to medical conditions (e.g., testing dates, diagnoses, answers to interviews, drug therapy and HIV status). The only security measure on the laptop was a login password.
The Commissioner concluded that a single-level password for unencrypted PHI was not a sufficient step to ensure protection against theft, loss or unauthorized use or disclosure, as is required under the Ontario Personal Health Information Protection Act (PHIPA). The Commissioner stated that, "For health information custodians, the encryption of PHI on vulnerable computing devices, particularly laptops, should now be viewed as the rule, not the exception." (Interestingly, the commissioner also stated that, to the extent that PHI on a mobile computing device had been encrypted to protect it from unauthorized access, she would not consider the theft or loss of that device to be a loss or theft of PHI. Encrypted data does not relate to identifiable individuals, and the custodian would not be required to notify individuals if the information was lost or stolen.)
Alternatively, such organizations should refrain from travelling with PHI, and instead access it remotely through secure servers where necessary. Given the importance of the security of PHI, SickKids was also obliged to ensure that it establishes a comprehensive corporate policy, and that staff are informed and educated about this policy.
PHIPA also requires custodians to notify affected individuals in the event their information is stolen, lost or accessed by unauthorized persons. In this case, the Commissioner stated that the organization complied with the notification requirement by notifying the patients individually (either verbally at the next visit or in writing to active patients), by issuing a press release and by posting information on its website.
SickKids was ordered to implement policies and procedures that prohibit the removal of identifiable PHI from hospital premises, to the extent possible and without hindering the provision of health care. To the extent that PHI in identifiable form must be removed, it must be encrypted, or otherwise de-identified. The Commissioner noted that SickKids intended to use unique identifiers that cannot be traced back to a particular patient without the use of a legend to ‘crack’ the code, and was seeking proposals from vendors relating to encryption software that can be used effectively on endpoint devices.
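The de-identification approach described above, where records leave the premises under a unique identifier and only a legend held inside the hospital links that identifier back to a patient, can be illustrated with a small worked example. The code below is an added example and is not SickKids' or the Commissioner's; the patient records, field names and the use of a keyed HMAC to derive the identifier are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the fields mirror the kinds of data the decision describes
PATIENTS = [
    {"name": "Alice Example", "hospital_number": "H0001",
     "diagnosis": "asthma", "test_date": "2007-01-03"},
    {"name": "Bob Example", "hospital_number": "H0002",
     "diagnosis": "otitis media", "test_date": "2007-01-04"},
]

# Fields that identify a patient directly; these never leave the hospital
DIRECT_IDENTIFIERS = ("name", "hospital_number")


def make_legend_key() -> bytes:
    """Secret key for deriving identifiers; kept with the legend, never on the laptop."""
    return secrets.token_bytes(32)


def pseudonym(hospital_number: str, key: bytes) -> str:
    """Keyed HMAC of the hospital number: without the key the identifier cannot be
    re-derived from a guessed hospital number, and it cannot be reversed at all."""
    return hmac.new(key, hospital_number.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split records into an exportable set and a legend.

    The export carries only the pseudonym plus clinical fields; the legend maps
    pseudonym -> direct identifiers and stays inside the hospital."""
    legend: dict[str, dict] = {}
    export: list[dict] = []
    for record in records:
        pid = pseudonym(record["hospital_number"], key)
        legend[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        clinical = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        export.append({"patient_id": pid, **clinical})
    return export, legend


def contains_direct_identifier(export: list[dict]) -> bool:
    """Check that an export is clean before it is copied to a portable device."""
    return any(k in rec for rec in export for k in DIRECT_IDENTIFIERS)


def re_identify(export_record: dict, legend: dict) -> dict:
    """Rejoin a de-identified record with its identifiers using the legend (hospital side)."""
    clinical = {k: v for k, v in export_record.items() if k != "patient_id"}
    return {**legend[export_record["patient_id"]], **clinical}


if __name__ == "__main__":
    key = make_legend_key()
    export, legend = de_identify(PATIENTS, key)
    print("export clean:", not contains_direct_identifier(export))
    print("export sample:", export[0])
    print("re-identified:", re_identify(export[0], legend))
```

The point of the keyed derivation is that the legend is the only route back to a patient: an attacker holding the exported file cannot recover hospital numbers by hashing likely values, because the key is required to produce matching identifiers. The legend and its key are themselves PHI and must stay on hospital systems, subject to the same encryption and access controls the order requires for any identifiable data.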