What is the difference between privacy and security when it comes to digital healthcare?

People often lump privacy and security together. The reality is that a digital healthcare platform being secure doesn’t necessarily mean it protects your privacy or complies with privacy regulations. So when you come across software or platforms that say they are “end-to-end” encrypted, you might think: “OK, that is the highest level of security, therefore it should be safe for me to use it and talk about my patient’s personal health information on it.” This may not be the case. When WhatsApp updated their privacy policy, many people fled to Signal and other end-to-end encrypted messengers. However, many don’t necessarily know the nuanced differences between WhatsApp, Telegram, Signal, iMessage, and a whole host of other options out there.
In short:
Security and privacy are not the same thing.
We interviewed healthcare privacy and security experts Patrick Lo (CEO at Privacy Horizon, instructor of multiple privacy and security programs and courses) and Brendan Seaton (CCO at Privacy Horizon, who has trained over 1000 privacy officers and specialists), to unravel this super technical world for us in plain language.
Brendan: “When you are dealing with security, you are asking how you protect the information; when you are dealing with privacy, you are asking how you use the information. For example, as a user you might have full access and authorization on an application. What do you use that data for? Are you using the data in a way that’s consistent with the patient’s consent preferences?”
Patrick: “So as we learned, privacy is about the use of data. For example, I am a Hypercare client, I want to request information from you, you [would] facilitate that. But when you are using Signal or WhatsApp, you have no control because of all the data out there, even though they’re secured and protected (which satisfies security), but they are not respecting their user’s or the patient’s right (the use of data). That’s the big difference. And that’s why they should use Hypercare because the users have control over deletion and can ask what information Hypercare has on them. HIPAA is protecting that.”
Patrick: “The essence of privacy is consent and transparency. That’s why you notice the pop-up on websites about cookies. The other part is: do you disclose my information to another party? If so, why? So far I haven’t touched what organizations should do, I have talked about the rights of individuals.”
Hypercare: “I have a question. As a user I left conversation traces on WhatsApp, and those conversations are kept in WhatsApp’s server and data center. Do I have the right to access that information, or can I request those conversations to be deleted on their end?”
Patrick: “You don’t. It’s not a good practice because they don’t give you an option.
When you talk about other obligations in privacy besides transparency, your obligation also includes safeguarding the information that you collected, that’s security. Security is to make sure no internal or external party has access to the data. If you want to have an effective privacy program you need both privacy and security, they are each side of the coin. You can’t satisfy privacy legislation if you don’t protect the data.”
For example, one of the PHIPA privacy requirements is that you need to have someone accountable for your privacy program. So even in a small clinic, you need someone accountable for privacy training and for making sure the clinic is compliant. It can be your office manager or a doctor. If a patient files a complaint about their information, who is accountable for that? Likewise, the hospitals have to develop a privacy program, and the doctors and nurses working for hospitals as agents need to follow the policy.”
Patrick: “This is a high-level review of the difference between privacy and security. If you go into details, we teach a 30-session course in depth.”
That’s a wrap on the interview. We hope you enjoyed it as much as we did!