A data breach from Ontario-based CarePartner resulted in more than 80,000 patient medical records held for ransom, according to CBC news.

It was by chance that attackers found vulnerable software on CarePartner’s network. It hadn’t been updated in 2 years. Nothing was encrypted. They snuck in easily and thousands of people had to suffer for it.

“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” attackers told CBC. “None of the data we have was encrypted.”

Data breaches can destroy your reputation. If you’re a Canadian healthcare organization and you’re thinking of building a website or app that stores, transmits, or collects sensitive health information, you need to know how to protect that information.

In this article, we’ll go over everything you need to know about creating a bulletproof healthcare website/app, including:

• The federal and provincial privacy and protection laws you’ll need to follow
  • PIPEDA
  • Provincial privacy laws
• Building a privacy-compliant website
• Maintaining your website once it’s published so you’re kept up-to-date.

You don’t want a breach—a totally preventable one—to come and devastate your company. Let’s prevent that.

What is PIPEDA and who does it affect?

In America, sensitive health information is referred to as PHI, or Protected Health Information. Not in Canada. Why? Because there’s no federal legislation that specifically addresses health information.

Instead, we have the Personal Information Protection and Electronic Documents Act (PIPEDA). It governs the collection, use, and disclosure of sensitive data for any private-sector organization.

Types of information include:

• Age, name, ID numbers, income, ethnic origin, or blood type;
• Opinions, evaluations, comments, social status, or disciplinary actions; and
• Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Provincial Privacy and Protection Laws for Healthcare

Health-care specific privacy and protection laws are left to provinces. In Ontario, for instance, there’s the Personal Health Information Protection Act. Because PHIPA is so similar to PIPEDA, the latter can be dismissed. PHIPA replaces PIPEDA. This is true with any province that has privacy and protection laws substantially similar to PIPEDA.

Other provinces with laws that are substantially similar to PIPEDA include:

• British Columbia: E-Health (Personal Health Information Access and Protection of Privacy) Act
• New Brunswick: Personal Health Information Privacy and Access Act
• Newfoundland and Labrador: Personal Health Information Act
• Ontario: Personal Health Information and Protection Act

Other provinces have health information protection laws that aren’t substantially similar to PIPEDA, which means you’ll have to abide by both. These include:

• Alberta (With exceptions): Health Information Act
• Manitoba: Personal Health Information Act
• Northwest Territories: Health Information Act
• Nova Scotia: Personal Health Information Act
• Quebec: Act Respecting The Sharing Of Certain Health Information
• Saskatchewan: Health Information Protection Act
• Yukon: Health Information Privacy and Management Act

Two provinces, Prince Edward Island and Nunavut, don’t have health-specific privacy and protection laws. Only PIPEDA is followed.

Because we can’t cover every province’s rules and regulations, you’ll have to do some digging yourself. We’ve listed links to the government websites of every province’s act up above.

In the next section, we’ll cover how to build a PIPEDA compliant website or app.

How Your Website or App Can be PIPEDA Compliant

PIPEDA extends beyond the digital realm where your website inhabits. The information must be stored somewhere, whether that’s in the cloud, on your server or in a data centre. Beyond the web, you need to make sure your computers and hardware aren’t accessible by unauthorized people.

With that out of the way, let’s jump into how to actually make your website safe and secure.

Only collect as much information as you need

When given sensitive health information, always ask yourself if it’s really necessary to store it. After all, the more you store, the bigger the risk.

The privacy commissioner of Canada states that no information should be collected indiscriminately. The only information gathered should serve an identified purpose.

Choose a PIPEDA compliant web hosting provider

A reputable web host that meets Canadian privacy and security standards is vital to preventing malware attacks. Many providers will let you know on their website if they are PIPEDA compliant.

In addition, research their Service Level Agreements (SLA) to see what kind of quality you should expect and look for SSAE 16 certifications.

Get an SSL certification so your forms are encrypted and secure

Secure Sockets Layer (SSL) is the padlock you see on the left of the address bar on your browser. Whenever you submit something on a web form, the data being transmitted gets encrypted until it reaches the server. That means no one can intercept the exchange and listen in.

To get an SSL certification, set up a dedicated IP address for your website after finding a web host that suits your needs. This will be a little more expensive than sharing an IP address with multiple websites, but it’s necessary. Then, buy an SSL certificate and have your web host activate and install it for you.

End-to-end encryption

SSL encrypts the data between you and the server, but what about the data that’s stored on the server? We need to encrypt that too. To do that, we use end-to-end encryption.

End-to-end encryption makes it so the only person who sees the data unencrypted is the authorized recipient. So if a patient is sharing something only for a doctor, only the doctor is able to read what they said. Virgil Security provides tools for health companies to implement end-to-end encryption to their website. Here’s a great article by them on how you can implement end-to-end encryption on your website.

Have a data breach protocol

Even the most secure servers aren’t invincible. Have a written data breach protocol that you can execute as soon as a breach is detected, so you can contain the problem as fast as possible and minimize potential damages.

How to Maintain Your Website After You’re Done

Keep Your Website/App Up-to-Date

Update your website regularly. Make sure you keep all the software you are using up to date so you have all the latest security patches.

Permanently delete information that no longer fulfills its intended purpose

If your patient leaves for any reason, you’re required to erase all information pertaining to them.

Monitor who has access and change passwords frequently

Control who is authorized to access servers with health information and change passwords every few months or whenever someone is no longer authorized.

Still Confused? Talk to us

Privacy regulations are complicated. The risks are high. And you don’t want to mess this up and go down like CarePartner, with hefty fines and a ruined reputation.

If you’d rather have a third-party deal with creating a website that complies with PIPEDA and provincial laws, we can help. We at Thousand Plus are Toronto-based web development agency that’s helped healthcare companies create a shining website. See more of what we do in healthcare here.

If you have any questions about the blog post or your website/app, shoot us an email at hello@thousand.plus and we’ll be happy to answer your questions.

References:
https://www.priv.gc.ca/media/2038/guide_org_e.pdf
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
https://www.colleaga.org/article/healthcare-privacy-legislation-canada
https://www.priv.gc.ca/media/2038/guide_org_e.pdf
https://www.medicodigital.co.uk/how-to-make-sure-your-healthcare-website-is-gdpr-compliant/
https://blog.canadianwebhosting.com/phipa/