Data privacy in healthcare, and why it matters to you

In 2020, the Finnish private psychotherapy service Vastaamo and its database of over 30,000 users was subjected to a malicious hack. The hackers demanded a ransom of 40 bitcoins (around €450,000 in value) and threatened to publish private patient records…or else. When efforts to extort the company failed, the hackers sent emails to 30,000 Vastaamo members to attempt blackmail. 

This chilling tale is a perfect example of why data privacy and security matters and why companies must implement robust processes and policies to ensure they take excellent care of patient data. Vastaamo’s security practices were found to be completely inadequate, with sensitive data not encrypted or anonymized and password security lacking. 

Vastaamo was fined over €600,000 for violating the provisions of the General Data Protection Regulation (GDPR), making it the biggest criminal case in the history of Finland. But the impact of the breach shook societal trust in Finland’s institutions, violated sensitive systems, and damaged social networks that were supposed to have been properly secured. This is exactly the type of situation that we at Maple strive to protect ourselves and our patients from.

With the ubiquity of computers in our pockets, internet-connected home appliances, and other IoT devices, the sheer number of online services we use every day continues to skyrocket. Nowadays, many routine activities require an email address, online accounts, and an internet connection. 

Our online footprints have expanded far beyond what the average person can control. That level of connectivity might not seem like a big deal on a day-to-day basis, but healthcare data is a particularly sensitive area, and as demonstrated above, can wreak havoc when exploited. We believe that our users should be given control over their information and know we’re doing everything we can to protect it. 

Solving healthcare data challenges

One of our objectives is to give patients control over their data and Personal Health Information (PHI), including the data that’s being shared.

When maintaining personal electronic health records, we take great care to ensure that the way we store, share, and disclose PHI complies with Canadian privacy legislation. We’ve undergone rigorous privacy reviews and consultations when building the Maple platform to ensure compliance relative to record-keeping and physician-patient interactions.

This includes reviews with the Ontario Privacy Commissioner (OPC) to meet new provincial standards, so extensive that Maple has even postponed launches to accommodate newly released standards. Today, these improvements allow our users the ability to choose what information they’re sharing with Maple and with the healthcare professionals they see via our platform. 

In compliance with ethical standards and medical practice, healthcare providers on Maple are the only individuals who can access or view medical data. We enable physicians to do full medical charting in the platform to facilitate continuity of patient care across physicians, and support collaboration on care and treatment plans. 

We also have a system in place to support follow-ups on laboratory results and other critical results from image requisitions, along with a patient care team immediately following up with any critical results. When a non-urgent follow-up is required, patients are informed and they can log into Maple for additional care.

Our electronic health records were built to comply with PIPEDA and applicable provincial health privacy legislation around protecting, storing, and accessing personal information.

All patient records are stored in an encrypted state and are only visible to the treating provider and the patient. To ensure privacy, our administrative team is unable to access or review any personal information except with the explicit consent of the patient.

Further, patients can “hide” records for certain interactions on the platform if they don’t want other providers on the platform to see them. All sharing of patients’ health records with other providers or programs is only performed at the patient’s direction and with their express consent.

Our platform is also subject to strict annual audits to review our Information Security programs against a standard to identify areas where risk could exist – a level of maturity that some newer services won’t be able to match. This level of corporate security and health information technology requires a significant time investment across the board to make sure that all departments at Maple are meeting their security requirements.

The importance of patient data, and processes and policies to protect it

We host all of our production data and infrastructure in Canada on Amazon Web Services (AWS), the global leader in cloud computing. We have redundancies in place to maintain system availability and prevent data loss. In the event of a technical failure, data is automatically served from a backup storage device. 

Here are other processes and policies we’ve implemented to ensure data security.

Industry-standard encryption notes

Data moves from one device to another, this is how internet telecommunications works. To keep data secure in transit, we encrypt it using industry-standard TLS 1.2, ensuring that all data exchanged is kept private. 

And while data is encrypted along the way, it’s also written to encrypted hard drives. To put it in context, if someone were to physically remove that hard drive and plug it into a new computer, it would still be illegible and no data extraction would be possible, ensuring coverage on both ends.  

Frequent testing for security and reliability

In accordance with industry best practices, we engage independent penetration testing teams to test the limits of our security. We essentially “invite” a team of professional hackers to attempt to do their worst so they can provide a full security report. The benefits of this exercise are preventative and allow us to fix issues before actual malicious attempts to breach IT security.

We’ve also established a “bug bounty” program, inviting independent researchers to identify security risks and receive in return a cash reward based on the severity of the issue discovered. 

Security features

But even the most resilient network in the world is still only as strong as its users’ passwords. Password strength is still the number one cause of breached accounts. This is why we employ password strength indicators to keep our users on their toes when creating accounts and multifactor, or two-factor authentication (2FA), to help keep our users’ accounts safe. Even if a password is hacked, the hacker is far less likely to breach the account due to the secondary layer of authentication required.

We also allow vigilant users to independently review their account logins, cross-reference IP addresses, and ensure that they are indeed the only person who has accessed their account, with the ability to flag any suspicious activity to our support team. Moreover, users can receive automated notifications when a log-in occurs on a new or different device so that they’re immediately alerted of suspicious account activity. 

Full ownership of consultations and medical record-keeping

We believe that virtual care platforms must integrate into Canada’s broader healthcare network so they can provide even more benefits to patients. 

For example, at the moment, Canadians often still have to alert their family doctor themselves of a visit they made to a walk-in clinic, and even when their doctor is made aware, the continuity of medical records is still lacking. 

Maple was designed in part to resolve these types of issues and make the healthcare system more connected. Every doctor visit on Maple results in a record that includes the full conversation with the provider, medical advice or notes, prescriptions, requisitions, and other details, all stored and accessible to the user at any time they desire. 

Patients can request faxed summaries of Maple visits to their family doctor or any provider they choose. 

All records created on Maple are securely stored. We don’t conduct automated cleanups or delete them. We strongly believe in granting users the ability to access records when needed. 

How a strong virtual care provider helps your organization

With hackers deploying all kinds of nefarious attack strategies, third-party risk management is becoming a high priority issue. 

Gone are the days of simply installing applications on a personal computer and hosting data inside the corporate office. SaaS tools and technologies with multiple vendors have become the norm and the trustworthiness and safety of vendors is more important than ever. 

Partnering with a strong provider like Maple simplifies the deployment process, in large part due to the strength of our security protocols and our experience handling queries. 

Our superior security program simplifies your IT team’s approval process so that you can feel confident providing Maple as a benefit. 

If you’d like to speak with a member of our team on security or privacy and everything we do to protect patient data, please reach out. We’d be happy to discuss our solutions with you as Canada’s leading virtual care provider.