Next month at the Health IT Summit in Vancouver, panelists will discuss a broad range of topics of interest to Canadian and American healthcare and healthcare IT leaders. One of the panels will be “Securing the 21st Century Data Repository: Best Practices for Solidifying Defensive Measures.” The panel will take place on September 17 at the Summit, which is being sponsored by the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics under the corporate umbrella of our mutual parent corporation, the Vendome Group, LLC).
One of the panelists participating on the privacy/security panel will be Christina Von Schindler, the chief privacy officer of the Winnipeg Regional Health Authority. Von Schindler leads a team of privacy specialists who protect the privacy of patient information. The Winnipeg Regional Health Authority serves residents of the city of Winnipeg as well as the northern community of Churchill and the rural municipalities of East and West St. Paul, representing a total population of over 700,000. The Region also provides health-care support and specialty referral services to nearly half a million Manitobans who live beyond these boundaries, as well as residents of northwestern Ontario and Nunavut, who often require the services and expertise available within the Region. Von Schindler spoke recently with HCI Editor-in-Chief Mark Hagland. Below are excerpts from that interview.
What are the core elements of your own job?
I’m the chief privacy officer; the crux of my job is ensuring that the region is observing our obligations under applicable law. We have several types of legislation that govern how we manage confidential information including personal health information. In essence, my role is to write policy and procedure that govern those activities for our 28,000 employees with regards to privacy as well as to provide advisement when needed. And that can be quite complicated for an organization as vast as ours.
What are the key challenges you and your colleagues are facing in protecting privacy and security these days?
I imagine that the challenges we face are very similar to those in the U.S. It’s always a balance between ensuring that there is real-time availability of accurate health information to the persons providing patient care, while preventing breaches, whether intentional or inadvertent. It’s always a balancing act in that regard.
Have you had breaches?
Yes, certainly we have had some; they are a fact of life. And a breach can mean a fax ending up at a wrong fax number; it’s also a breach when someone willfully looks at a document they shouldn’t; it’s a breach when a home healthcare worker leaves a file in a car that is stolen.
And it’s a challenge for people to understand the letter of the law. For example, if you have more than one role in the Region, it’s a breach if you access information while doing your job under one ‘hat’ or role that you are authorized to access under the conditions of your other role. So in an organization where we have 28,000 folks, many of whom have direct access to data, we need to be available to them to provide guidance and answers.
Do you do trainings for the employees of hospitals in the region?
Yes, we do mandatory training according to the Personal Health Information Act of Manitoba. In Canada, there is federal privacy legislation, but personal health information is the purview of the provinces, though if there is a gap, federal legislation jumps in, but provincial jurisdiction trumps federal jurisdiction. That having been said, the legislation governing these issues is very similar across the different provinces of Canada.
What have your challenges been with the BYOD phenomenon? Everyone has them.
You’re right, everybody has those challenges. And you’ll find that we’re all, across the U.S. and Canada, looking for solutions. And the challenges are that people need to have timely and secure access to the information to do their work, but there really is currently not a single readily available technical solution for providing that security. Therefore, to date we have relied predominantly on administrative solutions. But this is an active concern, on our priority list of issues to address. We have policies that clearly specify that personal health information is never to be stored on personal electronic devices. Doctors are not to maintain personal health information on their iPhones, for example. We have security controls for personal devices that access our systems and are currently working on strengthening those controls. But we have no ability to audit everyone/everything.
Can you require hospitals to physically secure personal devices?