'Everyone at HHS is trained and educated to safeguard right to privacy'
Hamilton Health Sciences (HHS) in Ontario has fired eight employees for their role in a privacy breach at the city’s health care system.
The workers inappropriately accessed the personal health information of roughly 4,000 patients, according to HHS.
“We want to sincerely apologize to everyone who is affected by the breach,” says Aaron Levo, vice president for people, culture and communications at HHS. “This incident is not consistent with HHS’ values or those of our staff and physicians at large.”
There is no evidence that HHS patients’ health information was printed, downloaded, or electronically shared with anyone following the incident, according to HHS, which concluded these were “snooping cases.”
HHS works to prevent privacy breaches
HHS also said that it has a number of policies, systems, and processes in place to prevent privacy breaches. These include:
- privacy training for all staff, physicians and learners during their onboarding and annual refresher training
- routine, random audits of access to patient information
- ongoing review of our hospital systems and information-sharing practices to ensure patient privacy is being upheld to the greatest extent possible.
And staff, physicians and learners at HHS are expected to adhere to these policies, the requirements of their regulatory colleges, and provincial privacy legislation.
“Every patient has a right to privacy and everyone at HHS is trained and educated to safeguard this right,” says Levo. “As a continuous improvement organization, HHS consistently looks for ways to improve its practices to further minimize the risk of privacy breaches. The same is expected of every person who works and learns here.”
Recently, the Health Employers Association of British Columbia (HEABC) fell victim to a cyberattack that hit the server that hosted websites and application forms for Health Match BC (HMBC), the BC Care Aide and Community Health Worker Registry and the Locums for Rural BC program.
Cybersecurity culture
Employers should start new employees with cybersecurity training on day one, because new employees regularly show a propensity for higher-risk behaviours compared to veteran employees, reports CybeReady.
No checklist can adequately describe all that must be done to establish an organization’s cybersecurity culture, but there are some obvious steps that must be taken, according to the U.S. Department of Health and Human Services. These include:
- Education and training must be frequent and ongoing.
- Those who manage and direct the work of others must set a good example and resist the temptation to indulge in exceptionalism.
- Accountability and taking responsibility for information security must be among the organization’s core values.