by Mina Karabit November 24, 2022 3 min read

There is no question that the healthcare industry has changed in the last few years by adopting new technologies, particularly in the context of the pandemic (think virtual appointments). Despite the rapid advancement and use of certain digital tools within the health sector, many health organizations and providers continue to use insecure communication technologies such as traditional fax machines and unencrypted emails. Unfortunately, this leaves them vulnerable to unauthorized access and cybersecurity attacks (e.g., ransomware) and can compromise the privacy of their patients’ personal health information.

Fax machines have been a fixture in medical practices since the 1970s. They quickly became the communication medium for most healthcare organizations because of their convenience, reliability, and security. While most industries have replaced fax machines with modern alternatives, the healthcare industry (and, until more recently, the legal sector) has clung on. In fact, one US study indicates fax machines account for 75% of all medical communication. Another 2019 survey showed that almost 9 out of 10 health institutions still use fax machines, and 4 out of 10 use pagers. These are staggering statistics when we consider today’s digital-first world.

However, what was convenient, reliable, and secure 40 or 50 years ago is not necessarily convenient, reliable, or secure today. While a fax may not be intercepted during transmission, there are weaknesses at the endpoints. For example, paper documents left unattended in a fax machine at either end of transmission are vulnerable to unauthorized access (e.g., snooping). Or, as the Privacy Commissioner of Canada continues to see, faxes go astray, and sometimes user error can send sensitive personal health information to the wrong persons or institutions. Both scenarios are examples of data breaches.

Data breaches, particularly in the health system, should be taken seriously. They can cause significant harm to affected individuals, including potential discrimination, stigmatization, and financial and psychological distress. If individuals lose trust in the health system, they may withhold personal health information, avoid treatment, or hesitate to consult their health providers altogether.

These concerns and issues underlie the recently released Joint Resolution of the Federal, Provincial, and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight entitled “Securing Public Trust in Digital Healthcare” from the Office of the Privacy Commissioner of Canada.

The Joint Resolution calls on government and health industry organizations to phase out the use of insecure communication methods and adopt modern and secure ways of transmitting personal health information. These modern tools include encrypted email services, secure patient portals, electronic referrals, and electronic prescribing. Health providers are also being urged to design, adopt, and implement responsible data governance frameworks that provide safeguards to protect personal health information. These safeguards should include constant monitoring of electronic systems, periodic audits of all sources of risks to privacy and security, and effective incident response plans and mitigation measures in the event of a breach.

The transition will not be easy or quick, with some government officials predicting it will take at least two years to move away from the beloved fax machine due to the large volume of users and associated costs. Those providers and institutions looking to make the switch should look to the Joint Resolution for the relevant considerations in setting up a digital-first practice, including seeking guidance from relevant experts to understand how to evaluate new digital health solutions and using the procurement process to help ensure third-party compliance.


Note: At Wise Health Law, we advise healthcare professionals and organizations on privacy issues. Our blog is not a substitute for legal advice tailored to your situation. Please do not hesitate to contact us as we may be able to help.
