The government agency that oversees the province's electronic health infrastructure, and increasingly the collection and sharing of sensitive patient information, would be unprepared if hit with a major security breach, the province's privacy watchdog has warned.
Smart Systems for Health Agency, or SSHA, says it has never experienced such a breach, but a comprehensive review of its privacy practices by Ontario's Information and Privacy Commissioner found there were "serious gaps" in the organization's ability to monitor electronic security lapses.
"As a result, it is not evident that the SSHA has sufficient capability to detect and isolate incidents, analyze root causes, and respond in a timely manner with an effective plan of action," said the watchdog, which recommended the agency move quickly to fix the situation.
It's one of 82 recommendations listed in the report, which was requested by the Ministry of Health and Long-Term Care as part of a larger operational review launched last year.
Smart Systems' chief executive William Albino, hired two months ago to lead a restructuring at the five-year-old agency, wrote in a letter to the privacy commissioner that he would adopt all recommendations.
"I want to emphasize that I am personally committed to raising our privacy program to the highest possible level," he said.
Other concerns raised by the watchdog include missing and incomplete documentation related to privacy policies and procedures, non-compliance with internal policies and health privacy legislation, and a lack of training for employees and consultants who handle sensitive patient data.
In some scenarios, such as how long patient data should be held and how to dispose of it properly, policies don't even exist.
"It comes down to this: privacy wasn't a top priority," said Ken Anderson, assistant privacy commissioner. "And it has to be the priority."
Privacy experts say the shift toward electronic healthcare or "e-health," including the creation of a province-wide system of electronic medical records, will continue to be hobbled until citizens feel that their personal health information is being kept private, secure, and monitored for misuse.
Gordon Atherley, a retired physician now working as an information technology consultant to the healthcare sector, said the government has failed to provide evidence that the kind of identity crimes plaguing the financial sector – including credit card and mortgage fraud – won't spread to healthcare as more patient records go digital and are shared between different institutions.
"Nobody knows for sure where the information is going, who it's going to, and how much they're caring for it," said Atherley, adding that the potential to tamper with patient records is also a major concern.
He commended the privacy commissioner for exposing weaknesses in Smart Systems' privacy practices, but said the review falls short by blaming the problems squarely on poor management.
"All the evidence outside of Canada suggests there are privacy issues fundamental to information technology that can't all be explained by poor management."
A separate, much broader operational review conducted last summer by Deloitte Consulting also found that Smart Systems' privacy policies were "incomplete" and "not widely understood," and that privacy processes were "ad hoc, undefined or undocumented."
In the area of security, it concluded sensitive information "may not be protected consistently throughout its lifecycle."
"Our brand is not good," Michael Lauber, chairman of Smart Systems, acknowledged to the Star when the Deloitte review was released in January.
Smart Systems was created in 2002 and employs more than 300 people. It has received more than $450 million from Ontario taxpayers as part of its mandate to electronically link and support the province's 150,000 healthcare providers.
An investigation by the Star, published in late 2005, revealed that the agency has spent tens of millions of dollars on e-health infrastructure projects that have been riddled with delays and fail to demonstrate value for the investment.
Since then, a new board and management team have been working to improve the agency's operations and reputation in the healthcare sector.
Author(s): Tyler Hamilton
Source: Toronto Star, 10.04.2007