It’s easy to get caught up in the details and technicalities of technology: where are the servers located? Is data “end-to-end” encrypted? Is the backup secure? To be fair, these considerations are important and the key technical ways to protect private information stored electronically. However, none of these technical controls address the primary risk to privacy and security in the world of electronic health.
Think back to two of the security breaches that made the news in 2017:
- The WannaCry ransomware attack affected millions of users, including England’s National Health Service (NHS), which experienced significant disruptions in service.1,2
- The 2017 Grant MacEwan University phishing attack, in which the university lost approximately 10% of its annual government operating grant to scammers.3
What do these attacks have in common? The human factor. In the case of Grant MacEwan, staff were tricked into paying $11.8M in invoices to a fraudster posing as a supplier the university was working with. Failure to follow policies and procedures related to electronic financial transactions and to changing vendor banking information has been implicated in the case.3
In the case of the WannaCry attack on the NHS, an analysis found that failure to follow policy regarding software management and the application of known software patches left the NHS vulnerable to attack.1,2 As one analysis of the situation reported, adherence to security standards designed to address basic cyber vulnerabilities “could have significantly mitigated the impact of the WannaCry attack.”1
What are administrative controls?
Administrative controls include procedures, policies, standards, and rules designed to reduce risk or control a hazard. The concept of an administrative control comes from the occupational health and safety world but can be applied to the worlds of privacy and eHealth. When it comes to eHealth, the hazards in question include privacy breaches due to unauthorized access to private information, or a cyberattack that prevents authorized access to information and disrupts care (viruses or ransomware).4 Administrative controls seek to control an identified risk at the level of the employee, but do not eliminate the hazard or risk.
What sorts of administrative controls should business owners or custodians have in place?
The specific controls implemented will depend on the information systems in use and the nature of the private information retained by the practice. There is no one-size-fits-all approach to administrative controls; however, some commonly used policies, procedures and practices include:
- Requiring formal privacy and confidentiality agreements outlining staff responsibilities and accountabilities.5
- Outlining staff training required prior to being granted access to electronic systems.5
- Requiring unique user logins and strong passwords.5
- Prohibiting shared logins or sharing passwords.5
- Implementing data access and editing rules based on defined user roles.6
- Identifying approved methods for destruction of devices or data stored on devices (e.g., expunging data from devices no longer in use).5
- Outlining employee termination procedures to ensure access to systems and private information is rescinded upon termination.6
- Requiring routine testing and monitoring of system weaknesses.6
- Identifying individuals responsible for monitoring and maintaining system security measures and their specific responsibilities and accountabilities.5
What’s my risk?
Robust policies and procedures can also help to guide an effective response to a privacy breach by outlining actions, roles and responsibilities.6,7 As identified by the Office of the Information and Privacy Commissioner, “the reasonableness of security arrangements adopted by an organization must be evaluated in light of a number of factors including:
- The sensitivity of the personal information
- The foreseeable risks
- The likelihood of damage occurring
- The medium and format of the record containing the personal information
- The potential harm that could be caused by an incident
- The cost of preventive measures”5
The Privacy Commissioner has published an organizational assessment tool to help businesses to consider their business risks and lists both the minimum standard and additional measures businesses may need to put in place to protect private information. The human resources section of this document discusses several administrative controls to consider. You can find the resource at: https://www.oipc.ab.ca/media/383676/guide_self_assessment_tool_for_securing_personal_information_mar2012.pdf
Is that it?
Administrative controls rely on adherence to policies and procedures to be effective and are therefore not considered the best way to manage a hazard. In the world of hazard controls there is a hierarchy of controls ranging from strongest (engineered controls) to weakest (administrative and physical). Engineered controls are the strongest because they structure or alter work in such a way that adherence to safe practices is no longer optional. That system default that requires you to change your password every month and prevents you from reusing an old password? That’s an engineered control.
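The password rule above is a useful illustration of the difference between the two kinds of control. As an added example (not code from the original article or from any regulator or vendor named in it), the following Python sketch enforces the same rule inside the system: it refuses a new password that matches the current one or any of the last few, and it flags a correct password as expired once it is older than the maximum age. The 30-day maximum mirrors the monthly change described in the text; the history depth, minimum length and PBKDF2 work factor are assumptions chosen for the example.

```python
"""Password-policy enforcement as an engineered control (illustrative example)."""
import hashlib
import hmac
import os
import time

# Policy parameters. The 30-day maximum age mirrors the monthly change rule in the
# text; the history depth, minimum length and work factor are assumed values.
MAX_PASSWORD_AGE_SECONDS = 30 * 24 * 3600
HISTORY_DEPTH = 5
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """Per-user current credential plus a bounded history of previous ones.

    Every entry keeps its own salt, so a candidate password can be re-derived
    against each old entry and compared without any plaintext being retained.
    """

    def __init__(self) -> None:
        self._users: dict = {}

    def set_password(self, username: str, password: str, now: float):
        """Apply the policy and return (accepted, reason).

        The checks run inside the system, so staff cannot opt out of them;
        that is what makes this an engineered rather than an administrative control.
        """
        if len(password) < MIN_LENGTH:
            return False, "too_short"
        record = self._users.get(username)
        history = []
        if record is not None:
            # Reject reuse of the current password or any of the last HISTORY_DEPTH.
            for salt, digest in [record["current"]] + record["history"]:
                if hmac.compare_digest(hash_password(password, salt), digest):
                    return False, "reused"
            # The outgoing credential joins the history; the oldest entry drops off.
            history = ([record["current"]] + record["history"])[:HISTORY_DEPTH]
        salt = os.urandom(16)
        self._users[username] = {
            "current": (salt, hash_password(password, salt)),
            "history": history,
            "set_at": now,
        }
        return True, "ok"

    def authenticate(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'expired' (correct but must be changed now) or 'denied'."""
        record = self._users.get(username)
        if record is None:
            return "denied"
        salt, digest = record["current"]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return "denied"
        if now - record["set_at"] >= MAX_PASSWORD_AGE_SECONDS:
            return "expired"
        return "ok"


if __name__ == "__main__":
    # Constructed demo values; timestamps are seconds since the epoch.
    store = PasswordStore()
    t0 = time.time()
    print(store.set_password("alice", "correct horse battery staple", t0))
    print(store.set_password("alice", "correct horse battery staple", t0))  # reused
    print(store.authenticate("alice", "correct horse battery staple", t0 + 31 * 86400))  # expired
```

Note that the user is never asked to remember the rule: an attempt to reuse an old password simply fails, and a stale one is accepted only long enough to force a change. A written policy saying "do not reuse passwords" depends on every staff member following it; this check does not.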
However, there are some ways to make administrative controls more effective, including:
- Staff training at the time of hire focusing on policies and procedures, the hazards inherent to the systems used, and the consequences of a system breach.
- Signing a confidentiality or privacy agreement and reviewing, revising and re-signing that agreement at set intervals to remind people of their responsibilities, facilitating their adherence to policies and procedures.
- Routine monitoring and feedback about adherence to relevant policy and procedures.
- Monitoring for emerging risks and implementing policies, procedures and other controls targeting these risks.
- Ongoing education about policies, procedures, and practices to mitigate hazards.
Policies and procedures are not all that exciting. Most physiotherapists can think of hundreds of things they would rather do than write (or review) them. However, developing robust policies and procedures, monitoring adherence, and regularly updating them as new risks arise are key ways to protect private information, mitigate the risks of a privacy breach and comply with the Standards of Practice.
1. Smart, W. Lessons learned review of the WannaCry Ransomware Cyber Attack. Available at: https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf. Accessed March 19, 2018.
2. Morse, A. Investigation: WannaCry cyber attack and the NHS. National Audit Office, 2017. Available at: https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/. Accessed March 19, 2018.
3. Wakefield, J. MacEwan University loses $11.8 million to scammers in phishing attack. Edmonton Journal. September 1, 2017. Available at: http://edmontonjournal.com/news/local-news/11-8-million-transferred-from-macewan-university-accounts-in-phishing-attack. Accessed March 19, 2018.
4. Office of the Information and Privacy Commissioner of Alberta. Advisory for Ransomware. Available at: https://www.oipc.ab.ca/media/687741/advisory_ransomware_mar2016.pdf. Accessed March 19, 2018.
5. Office of the Information and Privacy Commissioner of Alberta, Office of the Information and Privacy Commissioner of British Columbia, Office of the Information and Privacy Commissioner of Canada. Securing Personal Information: A Self-Assessment Tool for Organizations. 2012. Available at: https://www.oipc.ab.ca/media/383676/guide_self_assessment_tool_for_securing_personal_information_mar2012.pdf. Accessed March 19, 2018.
6. Office of the Information and Privacy Commissioner of Alberta. Causes of Breaches and Breach Prevention Recommendations. 2012. Available at: https://www.oipc.ab.ca/media/621642/breach_causes_2012.pdf. Accessed March 19, 2018.
7. Office of the Information and Privacy Commissioner of Alberta. Key Steps in Responding to Privacy Breaches. Available at: https://www.oipc.ab.ca/media/652724/breach_key_steps_responding_to_breaches_jul2012.pdf. Accessed March 19, 2018.
8. Office of the Information and Privacy Commissioner of Alberta. Guidance for Electronic Health Record Systems. 2016. Available at: https://www.oipc.ab.ca/media/701721/guide_electronic_health_record_systems_june2016.pdf. Accessed March 19, 2018.