A data breach from Ontario-based CarePartner resulted in more than 80,000 patient medical records held for ransom, according to CBC news.
It was by chance that attackers found vulnerable software on CarePartner’s network. It hadn’t been updated in 2 years. Nothing was encrypted. They snuck in easily and thousands of people had to suffer for it.
“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” attackers told CBC. “None of the data we have was encrypted.”
Data breaches can destroy your reputation. If you’re a Canadian healthcare organization and you’re thinking of building a website or app that stores, transmits, or collects sensitive health information, you need to know how to protect that information.
In this article, we’ll go over everything you need to know about creating a bulletproof healthcare website/app, including:
You don’t want a breach—a totally preventable one—to come and devastate your company. Let’s prevent that.
In America, sensitive health information is referred to as PHI, or Protected Health Information. Not in Canada. Why? Because there’s no federal legislation that specifically addresses health information.
Instead, we have the Personal Information Protection and Electronic Documents Act (PIPEDA). It governs the collection, use, and disclosure of sensitive data for any private-sector organization.
Types of information include:
Health-care specific privacy and protection laws are left to the provinces. In Ontario, for instance, there’s the Personal Health Information Protection Act (PHIPA). Because PHIPA has been deemed substantially similar to PIPEDA, PIPEDA can be set aside: PHIPA applies in its place. The same holds for any province whose privacy and protection laws are substantially similar to PIPEDA.
Other provinces with laws that are substantially similar to PIPEDA include:
Other provinces have health information protection laws that aren’t substantially similar to PIPEDA, which means you’ll have to abide by both. These include:
Two provinces, Prince Edward Island and Nunavut, don’t have health-specific privacy and protection laws. Only PIPEDA is followed.
Because we can’t cover every province’s rules and regulations, you’ll have to do some digging yourself. We’ve listed links to the government websites of every province’s act up above.
In the next section, we’ll cover how to build a PIPEDA compliant website or app.
PIPEDA extends beyond the digital realm your website inhabits. The information must be stored somewhere, whether that’s in the cloud, on your own server or in a data centre. Beyond the web, you need to make sure your computers and hardware aren’t accessible to unauthorized people.
With that out of the way, let’s jump into how to actually make your website safe and secure.
When given sensitive health information, always ask yourself if it’s really necessary to store it. After all, the more you store, the bigger the risk.
The privacy commissioner of Canada states that no information should be collected indiscriminately. The only information gathered should serve an identified purpose.
A reputable web host that meets Canadian privacy and security standards is vital to preventing malware attacks. Many providers will let you know on their website if they are PIPEDA compliant.
In addition, research their Service Level Agreements (SLA) to see what kind of quality you should expect and look for SSAE 16 certifications.
Secure Sockets Layer (SSL) is what’s behind the padlock you see on the left of the address bar in your browser. Whenever you submit something on a web form, the data is encrypted in transit until it reaches the server, so nobody sitting between your browser and the server can intercept the exchange and read it.
To get an SSL certificate, set up a dedicated IP address for your website after finding a web host that suits your needs. This will be a little more expensive than sharing an IP address with multiple websites, but it’s necessary. Then, buy an SSL certificate and have your web host activate and install it for you.
SSL encrypts the data in transit between you and the server, but what about the data that’s stored on the server? That needs to be encrypted too, and for that we use end-to-end encryption.
End-to-end encryption means the only person who sees the data unencrypted is the authorized recipient. So if a patient shares something meant only for their doctor, only the doctor is able to read what they said. Virgil Security provides tools for health companies to implement end-to-end encryption on their website. Here’s a great article by them on how you can implement end-to-end encryption on your website.
Even the most secure servers aren’t invincible. Have a written data breach protocol that you can execute as soon as a breach is detected, so you can contain the problem as fast as possible and minimize the damage.
Update your website regularly. Make sure you keep all the software you are using up to date so you have all the latest security patches.
If your patient leaves for any reason, you’re required to erase all information pertaining to them.
Control who is authorized to access servers with health information and change passwords every few months or whenever someone is no longer authorized.
Privacy regulations are complicated. The risks are high. And you don’t want to mess this up and go down like CarePartner, with hefty fines and a ruined reputation.
If you’d rather have a third party deal with creating a website that complies with PIPEDA and provincial laws, we can help. We at Thousand Plus are a Toronto-based web development agency that has helped healthcare companies create shining websites. See more of what we do in healthcare here.
If you have any questions about the blog post or your website/app, shoot us an email at firstname.lastname@example.org and we’ll be happy to answer your questions.
Sign up to our healthcare and technology newsletter and be notified when we release the next article.