Security Overview - ONE Products
The security of eHealth Ontario’s ONE products is designed to protect the privacy of the most important of all information – our personal health information. We constantly seek to integrate industry best practices into the security of our products.
At the same time, eHealth Ontario partners with clients to ensure the security of the data that is stored and transmitted with our products. Complete security can only be achieved with the collaboration of all users.
The security safeguards that eHealth Ontario has put in place for all its products are:
Access Controls
- Strict controls allow access only to authorized users. For highly sensitive systems, strong passwords, secure tokens and other authenticators are required
Physical Safeguards
- Our data centres are purpose-built, physically secured against unauthorized access, and are staffed and monitored around the clock by security personnel
- We require escorted access at all times for non-eHealth Ontario data centre personnel who require access to the data centres
- Data centre security controls have been validated by an independent third party
Administrative Safeguards
- eHealth Ontario regularly reviews and enhances its security policies. Staff and contractors sign that they have read and understood relevant policies
- eHealth Ontario system administrators require two-factor authentication to access IT equipment
- We use contracts to ensure that any third party used to help provide services complies with our security responsibilities
- We conduct regular independent vulnerability assessments
Risk Management
- Risk assessments are conducted as part of product development and client deployments. The results are provided to clients
- We have a risk management program, including an enterprise risk management policy and guidelines
Staff Safeguards
- eHealth Ontario has mandatory security awareness and training programs
- Staff and contractors only have access to personal health information if absolutely required, for instance to fix a computer problem or where required by law. They are legally prohibited from using or disclosing this information
- Staff and contractors sign confidentiality agreements and undergo criminal background checks. The security screening policy requires staff to obtain appropriate clearance for the sensitivity of the information they may access
- Our staff, consultants and suppliers must promptly report any security breaches to eHealth Ontario for investigation
eHealth Ontario Security Program
Our program is based on two International Organization for Standardization (ISO) standards, as recommended by the Government of Canada:
- ISO/IEC 17799:2005 – Code of Practice for Information Security Management, and
- ISO/IEC 27001:2005 – Information Security Management Systems – Requirements
As an agency of the Ontario government, eHealth Ontario is subject to:
- The Freedom of Information and Protection of Privacy Act
- The Personal Health Information Protection Act, 2004
- Oversight by the Information and Privacy Commissioner of Ontario
Client Responsibility
- Clients need to follow privacy and security best practices to fully protect personal health information when using our products. This includes technical safeguards, appropriate security practices, and training staff on their privacy and security obligations. Our Acceptable Use Policy should be the focal point for staff training programs
- Client obligations for maintaining security are detailed in contracts and Service Level Agreements. eHealth Ontario’s Acceptable Use Policy is included with every client agreement
- Clients will be positioned to achieve their objectives if they implement Information Security Management Systems in accordance with ISO/IEC 17799:2005 and ISO/IEC 27001:2005