Now Launching – CyberRisk Management

COVID-19 and CyberRisk… We’ve Got Your Back!

There is a clarion call out to the world’s innovators and entrepreneurs to join the global fight against the COVID-19 coronavirus. This pathogen has brought the health systems and economies of the world to their knees. It will take the creativity and ingenuity of a generation to set things right.

While you and your teams work around the clock to bring new solutions to market, malicious agents operating in cyberspace will be looking for opportunities to attack you and your customers. Small and medium sized businesses are especially vulnerable. It’s hard to keep your eye on the ball while watching your back. CyberRisk Management is key to your success.

 

CyberRisk Management by Privacy Horizon and Alexio is a turnkey solution supported by a team of certified privacy and security experts. They will worry about privacy and cybersecurity while you focus on building and marketing your solutions.

Don’t be derailed by a major data breach. We’ve got your back!

Find more details on the program here.

In the Era of COVID-19, It's Time to Be a Privacy Pragmatist

At the turn of the millennium, the late, great US privacy scholar Dr. Alan Westin divided consumers into three groups. He labeled the first group privacy fundamentalists: hardliners who feel they have already lost a great deal of their privacy and strongly resist any further erosion of it. He labeled the second group the privacy unconcerned: people who have no real concerns about privacy and far less anxiety about how other people and organizations use their information. The third group he labeled privacy pragmatists: people who have strong feelings about privacy and are very concerned about the misuse of personal information, but who are often willing to allow others to access and use their personal information where they understand the reasons for its use and see tangible benefits in doing so.

 

In the midst of the COVID-19 pandemic, we need privacy pragmatists. The pragmatist seeks balance. As one of Dr. Ann Cavoukian's Privacy by Design principles puts it, privacy is positive-sum, not zero-sum. The pragmatist is looking for a win–win, not a win–lose. In the challenges before us, privacy must be an enabler, not a boat anchor. It's not a question of public health vs. a strong economy vs. privacy. The question is how we have all three.

 

For starters, it's worth reminding ourselves that most privacy laws have carve-outs for public health emergencies. It's OK to sacrifice some privacy to protect the health, safety and wellbeing of individuals and communities. But this is not a blank check. It's not a license to snoop on your neighbours.

 

Locked up in our homes, it's easy not to notice how BIG this is. This isn't an isolated incident: it affects all seven billion people alive, in almost 200 countries. Air traffic is grounded. Borders are closed. We've shut down the world economy. This is an event of biblical proportions. A thousand years from now, this event and how we responded to it will be remembered.

 

The way out of this will be data driven. Artificial intelligence, surveillance technologies, testing and contact tracing will be among the tools used by public health officials and political leaders to manage the pandemic. But it will be easy for politicians and other power brokers to run roughshod over our privacy rights in the name of pandemic management. More than ever, we need pragmatic privacy champions to hold the line on the erosion of privacy rights while still giving our public health officials the room they need to combat the coronavirus.

 

We have a few arrows in our quiver to draw upon as we join the fight against COVID-19. Privacy impact assessment, privacy by design, de-identification of personal information, data minimization and other tools and techniques will enable us to help our public health colleagues harness the data needed to beat this invisible monster.


Want more resources and news from Privacy Horizon? Sign up here for PHI Perspectives.

Get in Touch

Any questions? We'd be happy to help.

Privacy in the Pandemic Webinar


April 30, 2020
12:00 PM – 1:00 PM
Live, Interactive, Online, via Webex

Free to Attend
Registration limited to 20

Get your copy of the recording here


Instructors
Brendan Seaton, Founder & Chief Creative Officer, Privacy Horizon Inc.; Past President, ITAC Health
Patrick Lo, CEO, Privacy Horizon Inc.

As the world tackles the pandemic, the balance between information sharing for public health purposes and privacy protection is an ongoing debate. Join privacy experts Brendan Seaton and Patrick Lo as they explore how the world has changed and how privacy can support a global recovery based on information and evidence. They will discuss what we have learned from past crises such as 9/11, SARS and H1N1; what we are learning today as we work and school our children from home, keep our social distance and maintain critical services; and what the future holds as privacy-invasive technologies such as artificial intelligence and electronic surveillance drive innovation and change.

Where is privacy in the midst of the pandemic? Is privacy an enabler or inhibitor as we struggle to cope with the challenge? This special session will put you ahead of the curve as you help guide your organization back to the new normal.

Please join us to learn and share with us your insights.

This session will be of particular interest to anyone responsible for privacy in their organization.

 


Privacy in Cyberspace: the NIST Privacy Framework

Brendan Seaton

Chief Creative Officer, Privacy Horizon Inc.

Written for the HIM&CC, 19 March 2020

When the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework in 2014, it consolidated international best practices for managing cybersecurity risk into a single, voluntary framework. The Cybersecurity Framework focused on the management of risk to critical infrastructure.

In January 2020, NIST published a companion standard, the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. Together, the Cybersecurity and Privacy Frameworks provide a comprehensive approach to risk management in cyberspace.

NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 1

The NIST Privacy Framework is intended to be widely usable by organizations of all sizes and is agnostic to any particular technology, sector, law, or jurisdiction. It gives us a roadmap to address the privacy implications of emerging technologies such as artificial intelligence, the Internet of Things, cloud computing and blockchain.

NIST recognizes that you can't cookie-cutter your privacy and security programs. The needs of a small rural medical clinic are different from those of a major metropolitan teaching hospital. The NIST frameworks are scalable to address the needs of all organizations. They enable better privacy engineering practices that support privacy by design and help organizations protect individual privacy.

The Privacy Framework supports organizations in building customer trust by supporting ethical decision-making in product and service design or deployment. It optimizes the beneficial uses of data while minimizing adverse consequences for individuals and society. It helps to fulfill current compliance obligations, and future-proofs products and services to meet these obligations in a rapidly changing technical and policy environment. The Privacy Framework facilitates communications about privacy practices with individuals, business partners, assessors, and regulators. 2

The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It adapts to any role the organization may play in the data processing ecosystem. It can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. 3

When used as a risk management tool, the Privacy Framework can assist organizations in their efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals. Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. Privacy risk assessments produce the information that can help organizations to weigh the benefits of the data processing against the risks and to determine the appropriate response—sometimes referred to as proportionality. 4

The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities, and privacy protection activities.

The Core is a set of privacy protection activities and outcomes (it is outcome-based, not a checklist of controls) that allows prioritized privacy protection activities and outcomes to be communicated across an organization, from the executive level to the implementation/operations level.

A Profile represents an organization's current privacy activities or desired outcomes. To develop a Profile, an organization can review all of the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals' privacy needs.

Implementation Tiers ("Tiers") provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed. 5

The Privacy Framework uses a simple model of “ready”, “set”, and “go” phases to support the creation of a new privacy program or improvement of an existing program. In the “ready” phase, the organization seeks to understand its legal and business environment, risk tolerance and its role in the data processing ecosystem. In the “set” phase, the organization determines its current and target privacy profiles to identify strengths or gaps. In the “go” phase, the organization prioritizes which actions to take to address any gaps, and then adjusts its current privacy practices in order to achieve the target profile.

 

Use of the Privacy Framework will support numerous objectives, including:

• Strengthening accountability for the protection of personal information.

• Integrating privacy by design concepts into the system development lifecycle.

• Defining privacy requirements to support procurement and buying decisions.

• Establishing or improving privacy programs.

• Optimizing the beneficial uses of data.

• Developing innovative systems, products and services.

 

The NIST Privacy Framework is an important advance in the state of the art of privacy and data protection. Its generic approach to privacy and privacy controls enables us to address the implications of innovation and technological change appropriately, and to respond to the emergence of new individual privacy rights established by changes to privacy and data protection laws around the world.


1 Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
2 NIST Privacy Framework, p. i.
3 Ibid. p. 6
4 Ibid. p. 4
5 Ibid. p. 2



Cyber Threats to Canadian Health Organizations Due to COVID-19

On March 19, 2020 the Canadian Centre for Cyber Security (Cyber Centre) issued an alert that the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic. The Cyber Centre recommends that these organizations remain vigilant and take the time to ensure that they are engaged in cyber defense best practices, including increased monitoring of network logs, reminding employees to practice phishing awareness and ensuring that servers and critical systems are patched for all known security vulnerabilities.

The alert provides details about the motivations of sophisticated threat actors, ransomware, critical vulnerabilities and recommendations for mitigating cyber threats. Health organizations, and vendors providing cloud and information management services to health organizations, should review and respond to this alert.

Organizations requiring assistance to respond to the COVID-19 cybersecurity threat can contact Privacy Horizon.

https://www.cyber.gc.ca/en/alerts/cyber-threats-canadian-health-organizations



Hunkering Down at Home

The coronavirus pandemic is forcing all of us to rethink the way we live and work. Odds are right now you are self-isolated, quarantined or sheltered in place. This is likely to be the case for the coming weeks or even months. The fortunate among us have the opportunity to continue our work while hunkered down at home. How should we organize and comport ourselves as we work during these troubled times?

Family First

Nothing is more important than family and close friends. By definition, family is job #1. Start your day by ensuring that your family’s needs are addressed. Pay special attention to the needs of your children, elderly parents, and others with special needs. Plan your meals. Go out to get groceries as required. Schedule time to be with family and break frequently to connect. Make sure they understand that you need to work and you need their cooperation.

Isolate Yourself

To the extent possible you should isolate yourself while working. The ideal situation is a home office. If that is not practical, some small piece of real estate in your home should be designated as your workspace. This is where you will keep your laptop computer, telephone, files, reference books and other materials needed to conduct your work. If you can't close the door, everyone, even small children, must understand that this is your space and everything in it is out of bounds while you are working.

Practice Good Hygiene

In addition to good physical hygiene such as washing your hands or wiping down surfaces frequently, you should also practice good technical hygiene. Make sure that:
• Your laptop and other devices have up-to-date malware protection.
• Your operating system and applications are set to update automatically, so known vulnerabilities are patched without waiting for you to remember.
• Your host firewall is enabled, and you use only encrypted channels (your organization's VPN, or TLS-protected services) for work communication.
• Your passwords and authentication tokens are protected: use unique passwords, a password manager and multi-factor authentication where your organization offers it, and never share work credentials with family members who use the same device.
• You lock your screen whenever you step away and log off at the end of the day.
• You securely destroy any paper or electronic media that is no longer required for your work (shred paper; securely wipe, rather than merely delete, files on removable media).
• You stay alert to phishing and other social engineering scams. There are bad actors who will take advantage of these tragic circumstances, and pandemic-themed lures are an obvious vehicle for them.

Look After Yourself

Family and work are important, but we must also look after ourselves, making sure that we get plenty of sleep, good nutrition and exercise. It's also very possible that you yourself will contract the coronavirus. If you get ill, follow the instructions of your local public health authority. Graciously accept the help of family and friends, taking care to avoid passing the infection on to them. When it comes to your health and well-being, a little selfishness is okay. If you look after yourself, you will be better able to help those you love.



Privacy Horizon Inc. and Alexio Corporation partner to enhance CyberRisk Management

PHI and Alexio are proud to launch their combined full-service Data Privacy Compliance + Cybersecurity solution, recognizing that both elements are required by their healthcare clients. Bundled together, Alexio and PHI are now able to provide clients with a responsive CyberRisk Management offering, priced for the North American SME market.

The partnership addresses the need for small and medium-sized businesses to maintain robust data privacy and cybersecurity management roles through a program-based suite of virtual privacy officer and virtual information security officer services. These officer roles, originally created to address the need for heightened oversight of risk in an increasingly digitized world, can now be provided by PHI and Alexio.

The partnership combines the power of Alexio Defender™ with PHI's tech-enabled privacy and compliance services, delivered under its platform, The PHI Framework™. Both companies also provide robust training programs in their respective areas to ensure organizations understand their obligations under the law and the growing number of risks in digital health, and learn how to address them.

“Our complementary services aligned so well that it became a natural step to combine our efforts in the healthcare marketplace,” explains Anne Genge, CEO of Alexio Corporation. “While we’ve assisted many clients with their privacy concerns, our wheelhouse is cyber-security technology (Alexio Defender™).”

“PHI’s internationally recognized team, led by CEO Patrick Lo, has delivered first class privacy and compliance solutions to an impressive and growing list of entrepreneurial organizations in both the private and public sectors,” says PHI’s Chairman Mark Kohler, who is also the Chairman and CEO of the EXELERATE Group of Companies. “We are very pleased to be adding Alexio’s technology offering to the mix, thereby ensuring we now also have a CyberRisk Management capability.”

According to the IBM 2019 Cost of a Data Breach Report, the average cost of a data breach for a U.S. organization was $8.19 million USD, or $242 per record, and the average breach took 279 days to identify and contain. A proactive privacy program can improve this situation, especially for a small or medium-sized business, where trust is an absolute necessity. PHI and Alexio offer a solution to help reduce the risk of data breaches.

“Establishing a comprehensive data privacy and cybersecurity program takes a lot of planning, investment in infrastructure, and the hiring of highly skilled staff, and this is by no means a trivial or a one-time exercise for small and medium sized businesses,” commented Patrick Lo, CEO of PHI.  “That is why I am excited to partner with Alexio in delivering a proactive, practical, cost effective, and timely way to address CyberRisk Management issues, and allow organizations to focus their energies on core offerings for their customers and on growing their revenues.”

About Alexio Corporation:

Alexio Corporation is an award-winning CyberRisk prevention software and training company for healthcare practices and other small to medium sized businesses. Leveraging automation, machine-learning, and multi-layered security threat intelligence, Alexio specializes in delivering enterprise-class cyber-security to smaller networks.

Alexio’s subscription-based model means that all businesses, no matter their size, can protect patient, client and consumer data. See https://getalexio.com/about-us-2/ for more information.

About Privacy Horizon Inc.:

Through The PHI Framework™, PHI provides the tools, training and other risk management resources needed to enable start-ups and small and medium-sized organizations to build privacy and security into their products and services.

Working primarily in the healthcare and fintech sectors, PHI equips an organization with the infrastructure and capabilities necessary to safeguard the privacy rights of individuals and protect personal information from loss or theft, or from unauthorized access, modification, copying, collection, use, disclosure or retention.

 

For further information:
Alexio Corporation: Anne Genge, anne@getalexio.com; or Catherine Chan, Catherine@getalexio.com, (877) 363-9229; website: https://getalexio.com
Privacy Horizon Inc.: Patrick Lo, Patrick.lo@privacyhorizon.com; website: www.privacyhorizon.com

ePrivacy Program in Partnership with McMaster University

Privacy Horizon’s Certificate Program on ePrivacy in Healthcare offered through the NIHI and McMaster University will be returning for the Fall semester of 2020.

McMaster ePrivacy Program

Instructors:

Patrick Lo: CEO, Privacy Horizon

Brendan Seaton: Chief Creative Officer, Privacy Horizon

 

Health care is undergoing a revolution driven by advances in information and communication technologies. Precision medicine, consumer health, virtual care, the Internet of things and other innovations are changing the very nature of health care, driving improvements in efficiency, effectiveness and healthcare outcomes. However, with each new innovation come new risks to the privacy and security of personal health information.

Privacy is not a zero-sum game. We don’t have to give up improvements in health care in order to protect privacy. We can have both! Privacy should be an enabler, not a barrier, to healthcare innovation.

This 20-session (30-hour) program is for anyone who is responsible for managing the privacy function in their organization, is interested in being part of the organization’s privacy management team, or is an app developer, consultant or service provider of products for health care. Organized into three modules, the program provides the guidance needed to manage privacy throughout the information lifecycle. It focuses on the health sector and the special requirements for ensuring the privacy of personal health information.

This program will cover critical privacy legislation, conducting a privacy risk assessment, assessing what privacy and security features to build into your products and services, implementing an affordable privacy management program and handling a privacy breach.

Module 1 – Privacy Fundamentals, provides the foundation for a deep and comprehensive understanding of privacy. It addresses privacy principles, individual privacy rights, responsibilities of health care providers and organizations, Canadian and International privacy laws, and information governance.

Module 2 – Privacy by Design (PbD), will help you build privacy into the design of your programs, services and products. It addresses PbD principles, privacy and security standards and guidelines, PbD and emerging technologies, and building security into your healthcare solutions.

Module 3 – Managing Privacy Risk, teaches you how to identify, assess and manage privacy risk. It covers risk management principles, Privacy Impact Assessment, Threat and Risk Assessment, monitoring and audit, managing privacy breaches and complaints and privacy training.

On completion of this program you will have a comprehensive view of privacy and what it takes to implement privacy successfully in your organization.

Upon completion you will be awarded a McMaster University – NIHI ePrivacy Certificate of Completion. A Certificate of Completion is a non-academic certificate acknowledging that the recipient has completed a minimum of 30 hours of education and has successfully completed the Opening and Closing Questionnaires that assess the individual’s learning.

Intended Audience

  • Anyone responsible for information privacy in public or private sector organizations
  • Chief Privacy Officers
  • Chief Information Security Officers
  • Chief Technology Officers
  • Chief Information Officers
  • Risk managers
  • Privacy/Freedom of information coordinators
  • Healthcare providers and managers charged with protecting privacy under health sector privacy legislation
  • App developers building iOS and Android apps, wearable technologies and other consumer-oriented solutions
  • Consultants, integrators and solution providers who need to offer privacy and security compliance products and services to consumers, and private and public sector organizations
  • Technical architects and developers who design and build cloud, mobile, social media and IoT solutions
  • Educators
  • HR professionals

Expected Outcomes

Participants will have a comprehensive understanding of:

  • National and international privacy laws
  • Foundational privacy principles
  • Privacy and information governance
  • Privacy by design
  • Information security requirements for privacy protection
  • How to build a privacy program
  • Privacy risk assessment
  • Privacy breach management

Cybersecurity Management Program in Partnership with McMaster University

Privacy Horizon’s Certificate Program on Cybersecurity Management offered through the NIHI and McMaster University will be returning for the Fall semester of 2020.

 

McMaster Certificate Program for Cybersecurity Management

Course Instructors:

Patrick Lo: CEO, Privacy Horizon Inc.

Brendan Seaton: Chief Creative Officer, Privacy Horizon Inc.

Public and private sector organizations in Canada and around the world are under increasing pressure to protect themselves, sensitive information, client information and critical infrastructure from cyber attacks. Threats to information system assets come from state actors, organized crime and hacktivists who now routinely attack our electoral, financial, healthcare and public utility systems.

The purpose of this program is to provide practical cybersecurity management strategies and recommendations to help minimize the occurrence or impact of cyber-related losses. Our focus is on risk management and how to use the various tools and resources to build awareness and cyber resilience.

This program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

This program is for non-technical senior staff who need a general understanding of cybersecurity practices to protect critical information assets and who need to work with their organization’s IT and cybersecurity experts.

Upon completion you will be awarded a McMaster University – NIHI Certificate of Attendance in Cybersecurity Management. A certificate of attendance is a non-academic certificate acknowledging that the recipient has completed a minimum of 10 hours of education/training in the subject area.

Topics covered:

  • Introduction to cybersecurity
  • Cybersecurity management program
  • Cybersecurity risk management
  • Asset management
  • Threat assessment
  • Technical and physical safeguards
  • Administrative safeguards
  • Monitoring and audit
  • Cybersecurity incident management
  • Cybersecurity recovery planning

Learning Objectives

  • To equip participants with the knowledge and skills needed to implement an effective cybersecurity program in their organization.
  • To enable participants to apply cybersecurity best practices for asset management, threat assessment and risk management.
  • To help participants implement effective administrative, technical and physical safeguards to combat cybersecurity threats.

Expected Outcomes

You will have a comprehensive understanding of:

  • The NIST Cybersecurity Framework
  • The elements of an effective cybersecurity program
  • Methods to detect and respond to cybersecurity threats
  • Administrative, technical and physical safeguards
  • Cybersecurity risk management
  • Cybersecurity breach management

Intended Audience

  • Chief Executive Officers
  • Chief Operating Officers
  • Chief Privacy Officers
  • Chief Information Security Officers
  • Chief Information Officers
  • Project Managers
  • Risk Managers
  • Business Analysts
  • Privacy/Freedom of Information Coordinators
  • Business Managers/Supervisors
  • HR Professionals
  • Educators
  • Healthcare providers and managers charged with protecting privacy under health sector privacy legislation
  • Consultants, integrators, and solution providers who need to offer privacy and security compliance products and services to consumers, and private and public sector organizations
  • Anyone responsible for information privacy in public or private sector organizations

UTEST Privacy Fundamentals Series – Starting July 16th

Starting on July 16th Privacy Horizon will be partnering with University of Toronto’s UTEST program to provide privacy fundamentals to early-stage health technology companies.

Privacy always emerges as a question to be answered by app developers and organizations in the healthcare space. Privacy and security controls are often mandatory requirements for health sector procurement. How can healthcare app developers and professionals address the privacy concerns of patients, healthcare providers, clients and service providers while staying lean and agile in their development practices?

In the Privacy Fundamentals Series we’ll cover how healthcare providers evaluate the apps they are considering using in their workplace or recommending for patient use. We’ll show how your customers understand the risks of the information that is collected, stored, transmitted and added to other systems. You’ll learn how to recognize vulnerabilities and avoid breaches, and how to be proactive, not reactive, about security threats.

 

The series consists of three PHI-sponsored lunch and learn sessions:

Session 1: Privacy Fundamentals: What does privacy mean to you and your company?
Session 2: Privacy by Design: What privacy and security features need to be built into your app, device or service?
Session 3: Minimum Viable Privacy: What is the minimum set of privacy and security controls needed to function in the healthcare marketplace?

 

The first session will be hosted on July 16th from 12:00 pm to 1:30 pm at the Banting Institute. We look forward to seeing you there!