PHI Perspectives – Digital Health and PHIPA


May 20th, 2021


Great guidance from the privacy and security industry continues to pour in as we learn more about the quickly evolving threats and requirements. In regulatory news, the Ontario IPC has released guidance for understanding the recent PHIPA changes in the digital healthcare industry, and the IAPP has released a short guide on the proposed AI legislation in the EU. We have also included some helpful articles focused on combating the latest trends in ransomware and email compromise attacks. As the ramifications of security breaches continue to grow (the average cost of a ransomware attack is now over $300,000), it is becoming more crucial to proactively monitor your security through services like PHI Shield.

Digital Health and PHIPA

The IPC has provided guidance on navigating PHIPA while providing digital healthcare. This contains helpful information for any organizations working with Electronic Health Records or providing electronic health services directly to consumers.

New Ransomware Extortion Tactics

A look into the latest triple extortion tactics of ransomware attacks. Previously the ransomware playbook was double extortion: demanding payment to decrypt your data, while also threatening to leak the copy the attackers had stolen. Hackers have now begun adding a third approach, demanding payment from the customers, users, or any other third parties who would be affected by the breach. In healthcare ransomware cases this has led to demands for payment from the attacked clinic, as well as smaller demands for payment from each of the clinic’s patients. Healthcare remains the industry most targeted by ransomware.

Office 365 Business Email Compromise

All Office 365 users should keep an eye on this trend in business email compromise attacks. Attackers are taking advantage of malicious third-party apps: once a user is tricked into consenting to the app, it can read emails, contacts, and files through that consent without the attacker ever logging in or passing 2FA, and the access persists until the consent is revoked. The article includes helpful tips on avoiding and remediating this style of attack.
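Because the attacker never authenticates, sign-in logs will not show the compromise; the consent event itself is the artifact to hunt for. The following is an added example, not code from the article or from Microsoft, that triages an exported list of consent events and flags grants of mail, contacts or file scopes. The flat record fields (`operationName`, `consentScopes`, `isAdminConsent`, and so on) and the sample records are constructed assumptions for the example; a real Azure AD "Consent to application" audit record nests the permission list inside its modified-properties structure, so the parsing would need adjusting to your export format.

```python
import json
from dataclasses import dataclass, field

# Delegated Microsoft Graph scopes that, once a user consents, let an app read
# mail, contacts and files with that user's token; no password or MFA prompt
# is involved after the consent click.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token, so access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample export (not a real log). The flat field names below are an
# assumption made for this example; a real Azure AD "Consent to application"
# audit record nests the scope list inside targetResources/modifiedProperties.
SAMPLE_AUDIT_JSON = """[
 {"operationName": "Consent to application", "result": "success",
  "initiatedBy": "alice@example.org", "targetApp": "Mailbox Backup Tool",
  "consentScopes": "User.Read Mail.ReadWrite offline_access", "isAdminConsent": false},
 {"operationName": "Consent to application", "result": "success",
  "initiatedBy": "bob@example.org", "targetApp": "Calendar Widget",
  "consentScopes": "User.Read", "isAdminConsent": false},
 {"operationName": "Consent to application", "result": "failure",
  "initiatedBy": "carol@example.org", "targetApp": "Mailbox Backup Tool",
  "consentScopes": "Mail.Read", "isAdminConsent": false},
 {"operationName": "Add user", "result": "success",
  "initiatedBy": "admin@example.org", "targetApp": "", "consentScopes": ""},
 {"operationName": "Consent to application", "result": "success",
  "initiatedBy": "admin@example.org", "targetApp": "SharePoint Sync",
  "consentScopes": "Files.Read.All offline_access", "isAdminConsent": true}
]"""


@dataclass
class Finding:
    user: str
    app: str
    risky_scopes: list = field(default_factory=list)
    persistent: bool = False
    admin_consent: bool = False  # tenant-wide grant: every mailbox is exposed


def parse_scopes(scope_field: str) -> set:
    """Split a space- or comma-separated scope string into a set of scope names."""
    return {s for s in scope_field.replace(",", " ").split() if s}


def find_risky_consents(records: list) -> list:
    """Return one Finding per successful consent that grants a high-risk scope."""
    findings = []
    for rec in records:
        if rec.get("operationName") != "Consent to application":
            continue
        if rec.get("result") != "success":  # a failed consent granted nothing
            continue
        scopes = parse_scopes(rec.get("consentScopes", ""))
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        findings.append(Finding(
            user=rec.get("initiatedBy", ""),
            app=rec.get("targetApp", ""),
            risky_scopes=risky,
            persistent=PERSISTENCE_SCOPE in scopes,
            admin_consent=bool(rec.get("isAdminConsent", False)),
        ))
    return findings


def triage(json_text: str = SAMPLE_AUDIT_JSON) -> list:
    """Parse an export and order findings so tenant-wide, persistent grants come first."""
    findings = find_risky_consents(json.loads(json_text))
    return sorted(findings, key=lambda f: (not f.admin_consent, not f.persistent, f.user))


if __name__ == "__main__":
    for f in triage():
        print(f"{f.user:20} {f.app:20} scopes={','.join(f.risky_scopes)} "
              f"persistent={f.persistent} admin={f.admin_consent}")
```

On the sample data this surfaces two grants: the admin-consented SharePoint Sync app (every user's files, with a refresh token) and Alice's "Mailbox Backup Tool" (her mailbox, persistent). Bob's app only asked for User.Read and Carol's consent failed, so neither is reported. Remediation for a confirmed malicious app is to revoke the grant and the app's service principal in the tenant, not merely to reset the user's password, since the password was never the access path.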

AI Legislation in the European Union

A short guide to the proposed AI regulation in the EU. While much of the regulation focuses on “high risk AI”, there are useful approaches for all AI developers: the impact of an AI system should be assessed before development begins and monitored until after it is shut down, AI should be designed in such a way that human oversight is guaranteed, and individuals should be told when they are dealing with an AI system.

Cyber-Insurance Premiums up 50%

Cyber-insurance premiums have increased by up to 50% this year as the telehealth industry becomes more and more vulnerable to ransomware attacks. On top of rising premiums, we’re also seeing more stringent requirements, more limited coverage, and higher deductibles.


Get in Touch

Any questions? We'd be happy to help.

Vitall Partners with Privacy Horizon to Provide its Users with Best-in-Class Privacy and Security

The accessibility and management of your personal health records can often be cumbersome. Whether you have struggled to access your records remotely as a result of Covid-19 or you simply wish to exercise a greater degree of control over them, VITALL offers users the ability to aggregate their personal health records and easily access them from their smartphone.

Privacy Horizon is proud to announce that we have partnered with VITALL, using our best-in-class privacy and security expertise to develop a comprehensive program that ensures patients can remotely access their personal health records with comfort and ease. We are excited to support VITALL in their effort to provide users greater accessibility and control over their personal health information.

Read more here.

CloudMD Appoints Patrick Lo as Strategic Advisor

The onset of Covid-19 has further spurred the rapid adoption of telemedicine. As one of the organizations leading this charge, CloudMD plays an important role in helping bring accessible healthcare to patients across North America. For this reason, we are extremely proud to announce that Privacy Horizon Inc.’s very own Patrick Lo will be joining CloudMD’s Corporate Development & Risk Management Committee to help ensure that CloudMD meets and exceeds the standards set by patients and regulators alike. Telemedicine is poised to become increasingly important and we are thrilled that Privacy Horizon Inc. and CloudMD are able to work together to ensure patient trust while also bringing important innovation to the healthcare industry.



Read more about CloudMD’s commitment to data protection here.

Now Launching – CyberRisk Management

COVID-19 and CyberRisk… We’ve Got Your Back!

There is a clarion call out to the world’s innovators and entrepreneurs to join the global fight against the COVID-19 coronavirus. This pathogen has brought the health systems and economies of the world to their knees. It will take the creativity and ingenuity of a generation to set things right.

While you and your teams work around the clock to bring new solutions to market, malicious agents operating in cyberspace will be looking for opportunities to attack you and your customers. Small and medium-sized businesses are especially vulnerable. It’s hard to keep your eye on the ball while watching your back. CyberRisk Management is key to your success.


CyberRisk Management by Privacy Horizon and Alexio is a turnkey solution supported by a team of certified privacy and security experts. They will worry about privacy and cybersecurity while you focus on building and marketing your solutions.

Don’t be derailed by a major data breach. We’ve got your back!

Find more details on the program here.

In the Era of COVID-19, It’s Time to Be a Privacy Pragmatist

At the turn of the millennium, the late, great US privacy guru Dr. Alan Westin divided consumers into three groups. He labeled the first group privacy fundamentalists: the hardliners who feel that they have lost a lot of their privacy and are strongly resistant to any further erosion of it. He labeled the second group the privacy unconcerned: people who have no real concerns about privacy and have far less anxiety about how other people and organizations use their information. The third group he labeled the privacy pragmatists: people who have strong feelings about privacy and are very concerned about the misuse of personal information, but who are often willing to allow others to access and use their personal information where they understand the reasons for its use and see tangible benefits in doing so.


In the midst of the COVID-19 pandemic, we need privacy pragmatists. The pragmatist seeks balance. Applying one of Dr. Ann Cavoukian’s privacy-by-design principles, privacy is not a zero-sum game. The pragmatist is looking for a win–win, not a win-lose. In the challenges before us, privacy must be an enabler, not a boat anchor. It’s not a question of public health vs. a strong economy vs. privacy. The question is how do we have all three?


For starters, it’s worth reminding ourselves that most privacy laws have carve-outs for public health emergencies. It’s OK to sacrifice some privacy to protect the health, safety and wellbeing of individuals and communities. But this is not a blank cheque. It’s not a licence to snoop on your neighbours.


Locked up in our homes, it’s easy not to notice how BIG this is. This isn’t an isolated incident. It affects all seven billion people alive in almost 200 countries. Air traffic is grounded. Borders are closed. We’ve shut down the world economy. This is an event of biblical proportions. A thousand years from now, this event and how we responded to it will be remembered.


The way out of this will be data driven. Artificial intelligence, surveillance technologies, testing and contact tracing will be among the tools used by public health officials and political leaders to manage the pandemic. But it will be easy for politicians and other power brokers to run roughshod over our privacy rights in the name of pandemic management. More than ever, we need pragmatic privacy champions to hold the line on the erosion of privacy rights while still giving our public health officials the room they need to combat the coronavirus.


We have a few arrows in our quiver to draw upon as we join the fight against COVID-19. Privacy impact assessment, privacy by design, de-identification of personal information, data minimization and other tools and techniques will enable us to help our public health colleagues harness the data needed to beat this invisible monster.


So please become a pragmatic privacy champion. Join with your local team battling the virus. Prepare to be creative. Speak up for privacy!



Want more resources and news from Privacy Horizon? Sign up here for PHI Perspectives.

Get in Touch

Any questions? We'd be happy to help.

Privacy in the Pandemic Webinar

April 30, 2020
12:00 PM – 1:00 PM
Live, Interactive, Online, via Webex

Free to Attend
Limited to 20 registrations

Get your copy of the recording here
Brendan Seaton, Founder & Chief Creative Officer, Privacy Horizon Inc.; Past President, ITAC Health
Patrick Lo, CEO, Privacy Horizon Inc.

As the world tackles the pandemic, the balance between information sharing for public health reasons and privacy protection is an ongoing debate. Join privacy experts Brendan Seaton and Patrick Lo as they explore how the world has changed and how privacy will support a global recovery based on information and evidence. They will discuss what we have learned from past crises such as 9/11, SARS and H1N1; what we are learning today as we work and school our children from home, keep our social distance, and maintain critical services; and what the future holds as privacy-invasive technologies such as artificial intelligence and electronic surveillance drive innovation and change.

Where is privacy in the midst of the pandemic? Is privacy an enabler or inhibitor as we struggle to cope with the challenge? This special session will put you ahead of the curve as you help guide your organization back to the new normal.

Please join us to learn and share with us your insights.

This session will be of particular interest to anyone responsible for privacy in their organization.


Get in Touch

Any questions? We'd be happy to help.

Privacy in Cyberspace: the NIST Privacy Framework

Brendan Seaton

Chief Creative Officer, Privacy Horizon Inc.

Written for the HIM&CC, 19 March 2020

When the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework in 2014, it consolidated and summarized international best practices for managing security on the Internet. The Cybersecurity Framework focused on the management of cyber risk to critical infrastructure.

In January of 2020, NIST published a companion standard, the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. Together, the Cybersecurity and Privacy Frameworks provide a comprehensive approach to risk management in cyberspace.

NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the quality of life. 1

The NIST Privacy Framework is intended to be widely usable by organizations of all sizes and is agnostic to any particular technology, sector, law, or jurisdiction. It gives us a roadmap to address the privacy implications of emerging technologies such as artificial intelligence, the Internet of Things, cloud computing and blockchain.

NIST recognizes you can’t cookie-cutter your privacy and security programs. The needs of a small rural medical clinic are different from the needs of a major metropolitan teaching hospital. The NIST frameworks are scalable to address the needs of all organizations. They enable better privacy engineering practices that support privacy by design and help organizations to protect individual privacy.

The Privacy Framework supports organizations in building customer trust by supporting ethical decision-making in product and service design or deployment. It optimizes the beneficial uses of data while minimizing adverse consequences for individuals and society. It helps to fulfill current compliance obligations, and future-proofs products and services to meet these obligations in a rapidly changing technical and policy environment. The Privacy Framework facilitates communications about privacy practices with individuals, business partners, assessors, and regulators. 2

The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It adapts to any role the organization may play in the data processing ecosystem. It can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. 3

When used as a risk management tool, the Privacy Framework can assist organizations in their efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals. Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. Privacy risk assessments produce the information that can help organizations to weigh the benefits of the data processing against the risks and to determine the appropriate response—sometimes referred to as proportionality. 4

The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities, and privacy protection activities.

The Core is a set of privacy protection activities and outcomes (in effect, privacy and security controls) that allows prioritized privacy protection activities and outcomes to be communicated across an organization, from the executive level to the implementation/operations level.

A Profile represents an organization’s current privacy activities or desired outcomes. To develop a Profile, an organization can review all of the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy needs.

Implementation Tiers (“Tiers”) provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed. 5

The Privacy Framework uses a simple model of “ready”, “set”, and “go” phases to support the creation of a new privacy program or improvement of an existing program. In the “ready” phase, the organization seeks to understand its legal and business environment, risk tolerance and its role in the data processing ecosystem. In the “set” phase, the organization determines its current and target privacy profiles to identify strengths or gaps. In the “go” phase, the organization prioritizes which actions to take to address any gaps, and then adjusts its current privacy practices in order to achieve the target profile.


Use of the Privacy Framework will support numerous objectives, including:

• Strengthening accountability for the protection of personal information.

• Integrating privacy by design concepts into the system development lifecycle.

• Defining privacy requirements to support procurement and buying decisions.

• Establishing or improving privacy programs.

• Optimizing the beneficial uses of data.

• Developing innovative systems, products and services.


The NIST Privacy Framework is an important advancement in the state of the art concerning privacy and data protection. Its generic approach to privacy and privacy controls enables us to appropriately address the implications of innovation and technological change, and to respond to the emergence of new individual privacy rights established by changes to privacy and data protection laws around the world.



1 Source:
2 NIST Privacy Framework, p. i.
3 Ibid. p. 6
4 Ibid. p. 4
5 Ibid. p. 2
Get in Touch

Any questions? We'd be happy to help.

Cyber Threats to Canadian Health Organizations Due to COVID-19

On March 19, 2020 the Canadian Centre for Cyber Security (Cyber Centre) issued an alert that the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic. The Cyber Centre recommends that these organizations remain vigilant and take the time to ensure that they are engaged in cyber defence best practices, including increased monitoring of network logs, reminding employees to practice phishing awareness, and ensuring that servers and critical systems are patched for all known security vulnerabilities.

The alert provides details about the motivations of sophisticated threat actors, ransomware, critical vulnerabilities and recommendations for mitigation of cyberthreats. Health organizations and vendors providing cloud and information management services to health organizations should review and respond to this alert.

Organizations requiring assistance to respond to the COVID-19 cybersecurity threat can contact Privacy Horizon.

Get in Touch

Any questions? We'd be happy to help.

Hunkering Down at Home

The coronavirus pandemic is forcing all of us to rethink the way we live and work. Odds are right now you are self-isolated, quarantined or sheltered in place. This is likely to be the case for the coming weeks or even months. The fortunate among us have the opportunity to continue our work while hunkered down at home. How should we organize and comport ourselves as we work during these troubled times?

Family First

Nothing is more important than family and close friends. By definition, family is job #1. Start your day by ensuring that your family’s needs are addressed. Pay special attention to the needs of your children, elderly parents, and others with special needs. Plan your meals. Go out to get groceries as required. Schedule time to be with family and break frequently to connect. Make sure they understand that you need to work and you need their cooperation.

Isolate Yourself

To the extent possible you should isolate yourself while working. The ideal situation is a home office. If that is not practical, some small piece of real estate in your home should be designated as your workspace. This is where you will keep your laptop computer, telephone, files, reference books and other materials needed to conduct your work. If you can’t close the door, everyone, even small children, must understand that this is your space and everything in it is out of bounds while you are working.

Practice Good Hygiene

In addition to good physical hygiene such as washing your hands or wiping down surfaces frequently, you should also practice good technical hygiene. Make sure that:
• Your laptop and other devices have up-to-date malware protection.
• Your software is updated automatically.
• You have a firewall enabled and only use secure (encrypted) channels for communication.
• Your passwords and authentication tokens are protected and not shared with anyone in the household.
• You log off and lock your devices when you take a break or finish for the day.
• You securely destroy any paper or electronic media that is no longer required for your work.
• You are on the alert for phishing and other social engineering scams. There are bad guys out there who will take advantage of these tragic circumstances.

Look After Yourself

Family and work are important, but we must also look after ourselves, making sure that we get plenty of sleep, good nutrition and exercise. It’s also very possible that you yourself will contract the coronavirus. If you get ill, follow the instructions of your local public health authority. Graciously accept the help of family and friends, taking care to avoid passing the infection on to them. When it comes to your health and well-being, a little selfishness is okay. If you look after yourself, you will be better able to help those you love.

Get in Touch

Any questions? We'd be happy to help.

Privacy Horizon Inc. and Alexio Corporation partner to enhance CyberRisk Management

PHI and Alexio are proud to launch their combined full-service Data Privacy Compliance + Cybersecurity solution, recognizing both elements are required for their healthcare clients. Bundled together, Alexio and PHI are now able to provide clients with a responsive CyberRisk management offering, priced for the North American SME market.

The partnership will address the need for small and medium-sized businesses to maintain robust data privacy and cybersecurity management roles in their organizations, through a program-based virtual privacy officer and virtual information security officer suite of services. These officer roles, originally created to address the need for heightened oversight of risks in an increasingly digitized world, can now be provided by PHI and Alexio.

The partnership combines the power of Alexio Defender™ with PHI’s tech-enabled privacy and compliance services under its platform, The PHI Framework™. Both companies also provide robust training programs in their respective areas that ensure organizations understand their obligations under the law and the growing number of risks in digital health, and learn how to address them.

“Our complementary services aligned so well that it became a natural step to combine our efforts in the healthcare marketplace,” explains Anne Genge, CEO of Alexio Corporation. “While we’ve assisted many clients with their privacy concerns, our wheelhouse is cyber-security technology (Alexio Defender™).”

“PHI’s internationally recognized team, led by CEO Patrick Lo, has delivered first class privacy and compliance solutions to an impressive and growing list of entrepreneurial organizations in both the private and public sectors,” says PHI’s Chairman Mark Kohler, who is also the Chairman and CEO of the EXELERATE Group of Companies. “We are very pleased to be adding Alexio’s technology offering to the mix, thereby ensuring we now also have a CyberRisk Management capability.”

According to IBM’s 2019 Cost of a Data Breach Report, the average data breach in the United States costs $8.19 million USD, or $242 per record, and takes approximately 279 days to identify and contain. A proactive privacy program can improve this situation, especially within a small or medium-sized business, where “trust” is an absolute necessity. PHI and Alexio offer a solution to help reduce the risk of data breaches.

“Establishing a comprehensive data privacy and cybersecurity program takes a lot of planning, investment in infrastructure, and the hiring of highly skilled staff, and this is by no means a trivial or a one-time exercise for small and medium-sized businesses,” commented Patrick Lo, CEO of PHI. “That is why I am excited to partner with Alexio in delivering a proactive, practical, cost-effective, and timely way to address CyberRisk Management issues, and allow organizations to focus their energies on core offerings for their customers and on growing their revenues.”

About Alexio Corporation:

Alexio Corporation is an award-winning CyberRisk prevention software and training company for healthcare practices and other small to medium-sized businesses. Leveraging automation, machine learning, and multi-layered security threat intelligence, Alexio specializes in delivering enterprise-class cyber-security to smaller networks.

Alexio’s subscription-based model means that all businesses, no matter their size, can protect patient, client, and consumer data. See for more information.

About Privacy Horizon Inc.:

Through The PHI Framework™, PHI provides the tools, training, and other risk management resources needed to enable start-ups and small and medium-sized organizations to build privacy and security into their products and services.

Working primarily in the healthcare and fintech sectors, PHI equips an organization with the infrastructure and capabilities necessary to safeguard the privacy rights of individuals and protect personal information from loss or theft, or from unauthorized access, modification, copying, collection, use, disclosure or retention.


For further information: For more information about Alexio Corporation, please contact: Anne Genge,; Website:; Or, Contact: Catherine Chan, Email:; Phone: (877) 363-9229; For more information about Privacy Horizon Inc, please contact: Patrick Lo,; Website: