Cyber Security at Magenta Health

As many of our patients may be aware, there have been numerous IT security breaches within the Canadian healthcare system in recent years. This blog post is intended to answer some common questions about what Magenta Health is proactively doing to enhance the security of the Personal Health Information we hold.

RECENT HEALTHCARE PRIVACY BREACHES IN CANADA

We’ll start with the background of why it’s important to share this update. 

The risk of privacy breaches is a very real threat to the healthcare sector right now. There have been several recent leaks of personal information within the healthcare community. Thankfully, there has not been any incident at Magenta Health (and we’d like to keep it that way).

As a very recent example that is frighteningly close to home, five Southwestern Ontario hospitals had sensitive data leaked online following a cyberattack. Unfortunately, as a result, the information of thousands of patients and staff has been leaked onto the dark web.

Even closer to home, Michael Garron Hospital lost employee and clinician data in 2023 and had its systems ransomwared in 2019.

Another more concerning incident is the 2019 LifeLabs data breach, in which “…hackers accessed personal information, including health numbers and test results of approximately 15 million customers across Canada.”

  • There are numerous existing administrative, technical, and physical safeguards to protect Personal Health Information, including:

    • Our systems and processes have been reviewed by accountable individuals, including our Chief Privacy Officer and in-house legal counsel;

    • All staff & students with access to PHI are required to review and execute confidentiality agreements;

    • Access to PHI is generally limited, through technical means, to only those requiring access to such PHI;

    • Through formal contracts, privacy policies, and service agreements, all third-parties retained by Magenta Health have committed to complying with those conditions and restrictions necessary to ensure Magenta Health's continued compliance with PHIPA;

    • Strong passwords, two-factor authentication, and multiple logins are required to access various sensitive systems;

    • Sensitive systems have audit logs to track data access and use;

    • Network traffic is monitored and managed using security mechanisms such as routers, switches, firewalls, and anti-virus programs;

    • SSL encryption is used to secure the transmission of PHI over insecure electronic networks;

    • Whole-disk encryption is used as required to secure physical storage media holding PHI;

    • Removable physical media (e.g. paper, CDs, DVDs) holding PHI are destroyed following use;

    • Data, applications, and systems are backed up on a regular basis, including offsite, and can be readily restored as required;

    • All systems (e.g. operating systems, applications) are regularly patched with security updates;

    • All physical electronic systems maintained by Magenta Health are secured with a monitored security system;

    • Security cameras have been deployed throughout Magenta Health's physical spaces;

    • Physical access to computer servers has been restricted to those staff requiring access; and

    • Decommissioned equipment used to process or store PHI is securely disposed of.

  • To further enhance the security of your Personal Health Information, here are some examples of larger ongoing work (as of February 2024):

    • We are in the midst of fully migrating to an online messaging portal to eliminate the use of incoming email;

    • We are developing encrypted email capabilities to eliminate the use of plain text emails; and

    • We are migrating our IT systems to a Tier 1 Data Centre to minimize the risk of physical theft.

  • At Magenta Health - NO.

    We are not aware of any material compromise of our systems and we're working to keep it that way.

  • Specific to Magenta Health, we strongly recommend that the email address you have registered on file with us is your personal email (i.e. not an email that is shared with anyone else, or a ‘work’ email). This will help ensure that any medical information, appointment notices, referral content, etc. is not intercepted by any other individual or third-party.

    Additional advice from other reputable sources:

    Privacy Commissioner of Canada

    NPR

    Microsoft