Monday, July 30, 2007

Security Issues and Business Opportunities - Panel

Summary of panel discussion at the IFIPTMA Conference in Moncton.


David Townsend

New knowledge is best created in collaborative environments. The key question is whether government and industry can collaborate successfully in a complex regulatory environment.


Lois Scott- Clinidata

The biggest challenge for private sector companies in health care is to convince the public sector that we are trustworthy - the prevailing view is that we would do anything for the big buck. The reality is that this isn't true; we wouldn't survive if we were.

American owned (therefore subject to the Patriot Act), handle health care records for 65 percent of Canadians (?) (or 1.5 million Canadians - this is unclear) and collect and transfer health care information.

Only 1 percent of people opt out of giving their name and information.

Our routine business practices are now under the microscope and so they should be - but right now 95 percent of physician communications are by fax - they shouldn't be.

We see the 'why do you need that information' question coming from young people - older people are more trusting.

People resent being asked to sign releases before seeing the information we have collected on them.

The challenge is how to minimize the privacy and security risk without compromising health care. As the keynote said, you can paralyze the good stuff by trying to secure everything.


In Canada - there is no legislation requiring that people be informed about security breaches - in the U.S. there is - 40 percent of Medicaid companies have experienced a security breach in the last year - we don't know that level in Canada.

In the U.S. there are few laws restricting the use of private information, and use is mostly self-regulated. In Canada, there is a clear expectation that we will respect each and every privacy law.

Canada - has to be aware that we may become a pawn in the dispute between the strong privacy laws in Europe and weaker laws in the U.S.

Patriot Act - impact on B.C. residents living in B.C., not abroad. In our case - all of our information resides in the province - it doesn't go out. We have to have it in our contracts that the information stays here. It can't be a superior to staff member relationship.

Basically in our contracts we say that the government is the owner of the data.

When you think of all the American-owned businesses in this country, you have to think about what that means - not just customers, but also staff. On the other hand, to survive in business in this country, you need the U.S. - you can't just say we don't want to deal with that.

There is always the concern that private sector will use this data for data mining. Some of this is really good and is not being done - things like detecting influence - but we are not formally doing that right now. Certainly in continuity care we are having real issues. Crisis lines are transferring in, 911 calls...

Are we ready for what's coming? We've always been reactive, not proactive. Regulations and guidelines are often put into place after the fact. You have to speed up or we have to do something different. E.g. some of the wireless technologies - you and I will be wearing a patch, which will relay information through the telephone. How do I know that my mother isn't wearing my patch today?

Patients are going to be custodians of their own health records. Right now, it still belongs to the provider. There has been such poor uptake of single health record that they are looking at the personal health record. Who will house that, how do we protect it, etc. What if they disagree with what's being said? It is going to change the very nature of physician - patient relationships. It's not bad - but we're not ready for it.

I think business development possibilities are attractive because of globalization, telehealth, etc. - but we have to optimize delivery.


Parry Aftab
Internet privacy and Security Lawyer

CyberTrust project - won't be called that when it goes live, it's just a working name

There have been three major leaps in IT:
- development of the internet - sending data from one place to another
- the web - 1993 first browser - the web took us from needing to know a geek to being able to use it
- Web 2.0 - 2004-5 major growth to mainstream - until recently, you would go to websites, somebody else's content - but now we have Facebook, MySpace, etc. - user-generated content

This changes the internet - the challenge is, you no longer have the CNNs, etc., that you can sue and tell them, 'take this down' - it's not companies any more - 180 million profiles on MySpace - how are you going to comply with anything?

Teen Angels - teens being trained in privacy issues - trained by me (and others) - they are experts - they were comparing the privacy policies of eHarmony and other dating sites - one said, on my Zanga page - and the discussion about profile pages ensued. Why have a profile - well, if you're a little shy, this is a way to make friends. Now I had to find a way to keep them safe on their social networks (vs saying, no social networks).

We are the 'inside watchdog' on Facebook, MySpace, Zanga, etc...

The Web 2.0 industry doesn't know what they are doing. They are 24 year-olds that are running companies. They don't know how to hire lawyers, etc. They need help on security, compliance, risk management, etc. and policing.

(Story of moving to New Brunswick).

We are creating this program. It will be a service, consulting and compliance centre that will provide outsourcing of risk management directly to our centre. So if Facebook doesn't want to handle this themselves, they can hire us. And we can coordinate with the law enforcement agencies to do this. We need to advise them - that's where the certification comes from.


Sandy Bird
UNB

Security breaches - we know they happen, but it's not reported - if nothing is sold, did it happen?

Web 2.0 apps - get exploited - the security is very poor - the audit finds that the machine has been breached - we have to look at logs, etc., long after the fact to find out what has been taken from that machine.

It's difficult to write secure applications - there aren't courses that teach developers how to write secure apps. Hackers can use data input, e.g. social networks - there's no secure way of communicating in any of them these days.

Someone was talking about a national identity database - that's what I need, you just need to exploit one system and you have everything!
