Late last year medical-testing company LifeLabs suffered a hack and data breach, potentially exposing 15 million Canadians’ personal medical data. The breach demonstrated the growing need to safeguard sensitive data. As more health information moves into the digital sphere, how are companies working to protect it?
Nova Scotia and British Columbia require health information be stored on servers within Canada. From a security perspective, many data analysts say this does more to make people feel better than to truly protect data (LifeLabs’ data was stored in Canada, after all). But it does ensure that the data is bound by Canadian law.
Keeping different layers of data separate — known as logical separation — can prevent a single hack from accessing all data. Think Research, a digital healthcare platform company, employs this in all its patient data: “The data is useless unless you can access every layer,” says CEO Sachin Aggarwal. “So it’s very robust.”
Encryption is the process of turning data into an unreadable format called ciphertext. The scrambled information can only be decrypted with the correct key. Virtually every major medtech company that handles patient data employs encryption, including major Canadian companies, such as Medchart, which digitizes medical records for release to individuals, lawyers, insurers, clinics and hospitals.
Anonymizing is the process of decoupling personal information such as names, birthdates or health card numbers from patient data. There are plenty of reasons companies may share data with third parties, especially research institutions, but unless it’s necessary to connect the data with a specific person, anonymization is standard practice.
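The sketch below illustrates logical separation and the decoupling of identifiers described above. It is an added example, not code from any company named in this article. The three-store layout, the field names and the sample record are assumptions made for illustration.

```python
import secrets

# Assumed field names for the identifiers the article lists in prose.
DIRECT_IDENTIFIERS = {"name", "birthdate", "health_card"}


def split_record(record, identity_store, link_store, clinical_store):
    """Write one patient record across three separately held layers."""
    identity_id = secrets.token_hex(16)
    # Random pseudonym: it cannot be recomputed from the identifiers.
    pseudonym = secrets.token_hex(16)
    identity_store[identity_id] = {
        k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS
    }
    clinical_store[pseudonym] = {
        k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS
    }
    link_store[pseudonym] = identity_id  # the only bridge between layers
    return pseudonym


def research_export(clinical_store):
    """Rows for a third party: clinical fields only, pseudonym dropped."""
    return [dict(row) for row in clinical_store.values()]


def rejoin(pseudonym, identity_store, link_store, clinical_store):
    """Rebuild the full record; fails unless every layer is available."""
    identity_id = link_store.get(pseudonym)
    if (identity_id is None or identity_id not in identity_store
            or pseudonym not in clinical_store):
        raise LookupError("cannot re-link record without all three layers")
    return {**identity_store[identity_id], **clinical_store[pseudonym]}


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Example", "birthdate": "1980-01-01",
          "health_card": "0000-000-000", "test": "HbA1c", "result": "5.4%"}

if __name__ == "__main__":
    ids, links, clinical = {}, {}, {}
    token = split_record(SAMPLE, ids, links, clinical)
    print(research_export(clinical))             # no identifiers present
    print(rejoin(token, ids, links, clinical))   # full record, all layers
```

Removing direct identifiers this way does not by itself prevent re-identification: remaining fields such as rare diagnoses or dates can still single out a person when combined with other data.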
Many companies — such as Cogniciti, which collects information on dementia and brain health — keep information on a strictly need-to-know basis. Others — such as GeneYouIn, which analyzes genetic data to determine response to medications — have a designated employee who monitors compliance.