June is healthcare privacy month!
Perhaps the most changed industry around the world due to the pandemic is healthcare. As soon as the first lockdown was announced in March 2020, all the regular doctor appointments moved to telemedicine:
- Your doctor’s voice over the phone
- Online clinics popped up to meet the demand for treatment of less worrisome medical issues
- A lot of general practitioners stopped going to the office regularly
This meant that all our medical records were now accessed electronically from the homes of these medical professionals.
Just like with the work-from-home arrangements, our GPs were not trained on the basics of remote IT working, never mind security, VPNs, backups and the risk of falling prey to ransomware. But that’s not all the fallout.
Hospitals had to quickly embrace new protocols, and so did their eco-system of third-party suppliers. They had to contend with interruptions in their business models due to access to the hospital, restrictions, certain service disruptions and changes in the importance of services. All these changes, if not planned or well managed, can introduce significant risk.
Good practices took quite a step back for the privacy legislation-abiding clinics and hospitals, making room (as expected) for crisis response and treating COVID patients:
- New protocols were introduced with little “access to records” training
- Malware leading to ransomware started cropping up on the vaccination and hospital websites
- Working from home occurred overnight without appropriate or even minimal security training
- New online clinics popped up, amassing patient records without privacy or security practices
- The established service providers to the hospitals and clinics had to live and adapt through constant changes
Fortunately, hospitals, for the most part, did not back down from following their policies when it came to non-compliance. Just recently we heard of a nurse who was fired due to snooping. This is not an isolated case. Protocols relating to access to patient records when medical professionals work remotely are not always observed. Patient care and the inability of healthcare staff to keep up with the IT changes and new technology are creating new risks. And these risks are not a priority from a privacy and security perspective, not right now when the economy is struggling.
Hospitals and medical clinics are under the obligation of compliance with very strict privacy legislation. That has not changed. But in the rush and the gravity of the pandemic, privacy and security took a step back to enable healthcare professionals to take care of patients.
It is time for a proper “health check” on the privacy and security practices of the healthcare eco-system:
- Getting a privacy maturity assessment of health records practices
- Reviewing changes and documenting their impact and risks
- Understanding IT systems usage changes and tweaks in processes and protocols
- Keeping the confidentiality of vaccinated vs. non-vaccinated patients
- Connecting the many health agencies involved in vaccine distribution
At Managed Privacy Canada we are equipped for practical privacy check-ups and tune-ups. Our Practical Privacy Playbook is designed for these types of rapid change situations and intended to minimize risk. Take advantage of the MPC Privacy Playbook today.