Cloud Computing Trends: Digital Health Risks

December is Cloud Privacy Month

Virtual health care raises unique Privacy and Security concerns because it depends on cloud and other technologies, communication infrastructures, and protocols, and people who need to be well trained in the proper use of this technology. The new pandemic world has raised cybersecurity risks that were not as prevalent in an analog world and for the longest time, doctors and health care practitioners have been lagging behind other industries in the uptake of electronic records and their ecosystem.

The Office of the Privacy Commissioner of Ontario has prepared guidance to support the healthcare system and all its participants, including patients.

It starts with Accountability: Healthcare providers should develop and implement a virtual health care policy. The policy should address when, how, and the specific purposes for which health care may be provided virtually, any conditions or restrictions in doing so, and what administrative, technical, and physical safeguards will be in place. The policy should explicitly state that employees and other agents will have access to only the minimum amount of personal health information necessary to perform their duties. This needs to be backed up by continuous training and awareness surrounding the obligations of all involved and aligning the technology to monitor and detect any non-compliance as well as any unwanted intrusions.

In full transparency, healthcare providers should notify their patients about their virtual health care policy.

Healthcare employees, third parties, and other partners must participate in ongoing privacy and security training, including training on their organization’s virtual health care policies and the specific circumstances that arise in the virtual health care context. If remote work is involved, healthcare employers should give specific direction and guidance to staff to mitigate the associated privacy and security risks of unauthorized collection, use, and disclosure of personal health information.

The technical safeguards below are recommended by Ontario’s IPC:

• use only organization-approved email, messaging, or video conferencing accounts, software, and related equipment
• use firewalls and protections against software threats
• regularly update applications with the latest security and anti-virus
• encrypt data on all mobile and portable storage devices, both in transit and at rest
• maintain, monitor, and review audit logs
• use and maintain strong passwords
• review and set default settings to the most privacy-protective setting
• verify and authenticate a patient’s identity before engaging in an email exchange, chat, or video conference

Introducing new technology or connecting old and new technology requires a privacy risk review in the form of a Privacy Impact Assessment. At MPC we have the expertise and the professionals to support the assessment of your choice of cloud providers, through an integrated Privacy and Security Risk Assessment and offering Canada’s first free online collaborative Privacy Impact Assessment tool, which you can use to measure the data risk in various parts of your organization. Visit to take privacy-as-a-service for a spin.

Facebook: @ManagedPrivacy
Instagram: @managedprivacycanada
Twitter: @managedprivacy
LinkedIn: @ Managed Privacy Canada

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on email

Sign up for our Newsletter